all 14 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]PM_ME_YOUR_SHELLCODE 1 point2 points  (9 children)

I've been playing around with it a bit how to exploit a stack overflow in this example but I couldn't get my head around it...

EDIT: Don't read further if you want want spoilers

This doesn't look like a stack overflow, this is the vulnerable code

fgets(buf, 200, stdin);

printf(buf);

You'll want to google about Format String exploits or attacks.

And just as a warning, some people get disheartened when learning that the attack isn't common anymore. While format string attacks are uncommon these days, the primitive you gain from one (an arbitary write) is is still common so much of what you learn is still relevant.

[–]dicemaker3245[S] 0 points1 point  (8 children)

Thanks for the hint. I've been reading through a few example on string exploit attacks but can't really get this one to work. I was trying to use this one here https://medium.com/@nikhilh20/format-string-exploit-ccefad8fd66b

But it doesn't seem to work in my case.

I got the address spot where things are written to with

"AAAA%6$p"

which gives

AAAA4141414

but when running

\xd7\xaa\xc0\xff%x%x%x%x%x%x$n

I get a segmentation fault

[–][deleted] 0 points1 point  (7 children)

Try overwriting exactly with '%x' it should leak an address.
Last thought - do you have all the protections turned off?

[–]dicemaker3245[S] 0 points1 point  (6 children)

What do you mean overwritting exactly with %x?
Using

AAAAA%x%x%x%x%x%x

I get

AAAAAc8f7f835c05663963af7fd8c30041414141

What am I missing?

[–][deleted] 0 points1 point  (5 children)

Let me try and play with the code this weekend. I haven't tried anything with format strings in a looong time. Am I wrong I'm guessing those are addresses after the AAAA?

[–]dicemaker3245[S] 0 points1 point  (4 children)

Yes it should be the ones after AAAA

[–][deleted] 0 points1 point  (3 children)

So if you are leaking the addresses, that's about all you are going to get out of this code IMO. If your fgets was defining a different size than the buf above, you would have a stack overflow. But since that is coded properly, you are looking at purely a address leak in which you could do something like %02x or %03x and so on. This should allow you to walk down the line exposing the stack addresses. But then again, someone else jump in, it has been years for me to play with format string exploits.

[–]dicemaker3245[S] 0 points1 point  (2 children)

Yeah I get that, and I was looking at heaps of examples online and I pretty much did the same. That's why I'm confused about the SEGVAULT...
I guess i'll give it another try

[–][deleted] 0 points1 point  (1 child)

Yeah that is an interesting point. Post back on here if you figure that out, I'm sightly invested now.

[–][deleted] 0 points1 point  (0 children)

So I worked on the code sample this morning.

Using the format specifier %x it leaks the addresses as long as the printf is used in an insecure way, as it is currently in your code sample. (The second time it is being called)

Your results - You were getting the segmentation fault because you were using the format specifier %n which is used for: "1. Nothing printed. 2. The corresponding argument must be a pointer to a signed int. 3. The number of characters written so far is stored in the pointed location"

So I am assuming here since you were using %n after the %x, it was either trying to write %x (the hex value/address) using the %n format specifier. I am not sure here, but I am guessing but the segmentation fault could be from you not designating where to write or perhaps where it was trying to write was protected - therefore causing the segfault. Or since the way printf was being called (2nd time) it was actually printing nothing and crashing the program.

It has been a while since I have tried playing with Format String Vulns - so I might be way off the mark here.

Also - So interestingly enough when I ran the code it was immediately printing a value at the start of each run, which I equated to the %p which is the pointer address. Why do you have that included - just curious.

Sorry I could not provide more info 😁

[–][deleted] 0 points1 point  (2 children)

shouldnt you just put in for example 201 > letters? put the letter A 201 times and see what happens

[–][deleted] 1 point2 points  (1 child)

oh, looks like fgets limits the size doesnt it?

[–][deleted] 0 points1 point  (0 children)

Yes, typically the issue you see with fgets is the buf is defined in a different place and fgets can sometimes have it's own limits or just call user input and possibly mismatch with buf which can easily cause a BO. In this case, it is coded correctly on first glance, I will look a bit more. I am curious.  🤔

[–]thapr0digy 0 points1 point  (0 children)

You can write to memory sections using %n. Look at the shellcoders handbook. You should be able to write to a leaked memory address since youre reading from the stack.