Challenge example
Code Example
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(void) {
char passwd[16] = ""; // array to store the username
char password[16] = ""; // array to store the password
FILE *fp = fopen(".passwd", "r");
fread(passwd, 1, 15, fp);
fclose(fp);
passwd[15] = '\0';
printf("Enter the password: ");
scanf("%15s", password); // read the password from the user
if (strcmp(password, passwd) == 0) {
printf("good job\n");
} else {
printf("permission denied using password : \n");
printf(password);
printf("\n");
}
return 0;
}Here the objectif is to retrieve the value stored into passwd in order to pass the if condition at the next run.
Exploitation
This program is vulnerable to Format String exploit. In this case, the password variable will be printed directly using a printf()function without specify any format specifier, so if there is a format specifier into the value supplied by the user, the process will interprets it.
In order to retrieve the offset between the format specifier and the pointer of the passwd variable we can debug the process using gdb-peda and inspect the stack :
The first value onto the stack is the user input interpreted by the printf() function and the second value is a pointer to a variable containing the string "SuperPassword!!" (value readed from the .passwd file)
Then, if the user input is %1$s, the value stored into the passwd variable should be printed.
Fuzzing
If it's not possible to debug the process to calculate the exact offset between the user input and the targeted secret variable, it's possible to fuzz.
It's consist to send a payload to read successively at each possible offset
Then if there is pointers to strings values, this will print any of them :
The passwd content is retrieve
Exercice
If you want to try this exploit by yourself, you can pull this docker image :
Deploy the image using the followed command :
Access to the web shell with your browser at the address : http://localhost:3000/
Last updated