Gera's Insecure Programming Format String #5 (ASLR Bypass)
Sep 9, 2011 - lixor_
2 minute read
This post is long overdue. I decided to step it up from FreeBSD to Debian. The last format string challenge from gera is a vanilla format string. You can find this challenge here.
I uncommented the last printf statement in the compiled version. The targeted platform is Debian 6.0.2.
Debian has ASLR enabled by default, but not NX on 386/686. Curious readers can find out how to enable NX on Debian 386/686 in the debian-security mailing list thread "non-executable stack (via PT_GNU_STACK) not being enforced". Basically you need a PAE-enabled kernel.
The format string was found on the stack after popping three 4-byte values.
Attentive readers will notice the .fini address (0x080484cc) in .dynamic (0x0804951c). The .fini address is a good location to write to; another option would have been printf's address in the GOT.
The address of the shellcode is not easily found because of ASLR, but we can brute force it. An address to use is 0xbfffad55, as it lies in the 0xbf~~~~ range.
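As an added illustration (not gera's challenge code and not from this post), the following C puts the bug class exploited above beside its one-token fix, plus a small input check a defender can run at a trust boundary to flag strings carrying conversion directives before they ever reach a printf-family call. Everything the attack relies on (popping stack words with %x, writing with %n) comes from user input being used as the format itself; the hardened form makes the input an argument to a literal format, so the same bytes are copied verbatim. The function names, the sample inputs and the checker are assumptions made for this example.

```c
/* Added example: the format-string bug class behind gera's fs5 challenge,
 * the hardened form, and a defensive directive check.  Not the challenge
 * code; names and sample inputs are constructed for this demonstration. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: user input IS the format string.  Directives such as
 * %x pop stack words (the three popped before the buffer in the post) and %n
 * writes to memory, which is how a .fini or GOT entry can be overwritten. */
int unsafe_echo(char *dst, size_t n, const char *user)
{
    return snprintf(dst, n, user);          /* attacker controls the format */
}

/* Hardened pattern: user input is only ever an ARGUMENT to a literal format,
 * so every byte (including '%') is copied literally. */
int safe_echo(char *dst, size_t n, const char *user)
{
    return snprintf(dst, n, "%s", user);
}

/* Defensive check for a trust boundary or a log audit: returns 1 if the
 * string contains any '%' that is not the escaped "%%", i.e. anything that
 * a printf-family function would interpret as a directive. */
int contains_format_directives(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                  /* "%%" is a literal percent */
            p++;
            continue;
        }
        return 1;                           /* lone '%' starts a directive */
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: one benign, one carrying directives. */
    const char *benign = "100%% sure";
    const char *hostile = "AAAA%x%x%x%n";
    char out[64];

    printf("benign has directives:  %d\n", contains_format_directives(benign));
    printf("hostile has directives: %d\n", contains_format_directives(hostile));

    /* Even a defined input ("%%") shows the two forms disagree: the unsafe
     * call interprets it, the safe call copies it. */
    unsafe_echo(out, sizeof out, benign);
    printf("unsafe_echo: %s\n", out);
    safe_echo(out, sizeof out, benign);
    printf("safe_echo:   %s\n", out);
    return 0;
}
```

The check is deliberately conservative: it flags any lone '%', so a string that merely contains a percent sign will be reported, which is the right default when the alternative is letting the string reach printf as a format. The real fix remains the literal "%s" format; the checker is a second line of defence (or a detection rule over logged input), not a substitute.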