Format String Exploitation Question
Format String Exploitation Question #1
So, I came across a challenge that was FSE.

It was already compiled, and I couldn't see the source code (opened with Gedit, nothing in there), but it did work.

So I saw the solution and was just confused.

So, I got the return address:

[volplus@root]~#./cocks %x
<insert return address here>

[volplus@root]~# $'AAAAAAAAAAAAAAAAAAAAAAAAA\x\x\x\x\x\x\x <--- the return address backwards

so zxcv
became
cvzx

My questions are:

1) Why the 25 As? To fill the buffer or something? How do we know 25 was enough?
2) Why the return address backwards? What does that accomplish instead of going forwards?
Unleash the lead from my pistol into my head bumpin' crystal

Reply

RE: Format String Exploitation Question #2
Yes, the 25 As were to fill the stack. You can tell how much you need to fill by looking at the disassembly of that function, and seeing how much space is allocated on the stack.

The address is backwards because most processors are little-endian, meaning the least significant byte goes first. So, 0xdeadbeef becomes \xef\xbe\xad\xde

Reply

RE: Format String Exploitation Question #3
(03-01-2014, 10:10 PM)w00t Wrote: Yes, the 25 As were to fill the stack. You can tell how much you need to fill by looking at the disassembly of that function, and seeing how much space is allocated on the stack.

The address is backwards because most processors are little-endian, meaning the least significant byte goes first. So, 0xdeadbeef becomes \xef\xbe\xad\xde

I had a feeling you'd be the first to help, thanks a lot w00t!

So, when I disassemble, where do I look to find out how much I need to fill the stack?
Unleash the lead from my pistol into my head bumpin' crystal

Reply

RE: Format String Exploitation Question #4
In the function prologue, you should see, around the 4th instruction, sub esp, 0x19 (or slightly larger, if the function preserves registers).

Reply

RE: Format String Exploitation Question #5
(03-01-2014, 11:55 PM)w00t Wrote: In the function prologue, you should see, around the 4th instruction, sub esp, 0x19 (or slightly larger, if the function preserves registers).

I disassembled the function, and I saw <25+> near the return addresses, is that okay?
Unleash the lead from my pistol into my head bumpin' crystal

Reply

RE: Format String Exploitation Question #6
Meaning the disassembler you used put ret< +25 >? Different disassemblers will do different things, but you can always find the stack size by looking for the subtraction.

Reply

RE: Format String Exploitation Question #7
(03-02-2014, 01:28 AM)w00t Wrote: Meaning the disassembler you used put ret< +25 >? Different disassemblers will do different things, but you can always find the stack size by looking for the subtraction.

Code:
0x080484b4 <+0>:     push   %ebp
0x080484b5 <+1>:     mov    %esp,%ebp
0x080484b7 <+3>:     sub    $0x4,%esp
0x080484ba <+6>:     movl   $0x8048620,(%esp)
0x080484c1 <+13>:    call   0x80483dc <puts@plt>
0x080484c6 <+18>:    movl   $0x0,(%esp)
0x080484cd <+25>:    call   0x80483ec <exit@plt>

That's disassembling the function.
Unleash the lead from my pistol into my head bumpin' crystal

Reply

RE: Format String Exploitation Question #8
No, that's the offset from the beginning of the function, in bytes. Not the same thing.

Reply
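As an added example (not code from this thread or from w00t), the script below makes the two points in w00t's replies concrete: the `<+N>` annotation gdb prints is the instruction's byte offset from the start of the function, while the frame size is the immediate in the prologue's `sub $N,%esp`; and "backwards" means little-endian byte order, so `0xdeadbeef` is stored as `\xef\xbe\xad\xde`. The listing is the one posted above, re-typed as a constructed string so the script runs offline; the function names are mine.

```python
import re
import struct
from typing import List, Optional

# Constructed sample: the gdb "disassemble" listing posted in this thread
# (AT&T syntax, 32-bit x86), re-typed here so the example runs offline.
SAMPLE_DISASSEMBLY = """\
0x080484b4 <+0>:     push   %ebp
0x080484b5 <+1>:     mov    %esp,%ebp
0x080484b7 <+3>:     sub    $0x4,%esp
0x080484ba <+6>:     movl   $0x8048620,(%esp)
0x080484c1 <+13>:    call   0x80483dc <puts@plt>
0x080484c6 <+18>:    movl   $0x0,(%esp)
0x080484cd <+25>:    call   0x80483ec <exit@plt>
"""

# The prologue's stack reservation in AT&T syntax, e.g. "sub $0x4,%esp".
SUB_ESP_RE = re.compile(r"\bsub\s+\$(0x[0-9a-fA-F]+|\d+),\s*%esp\b")
# gdb's "<+N>" annotation: N is the instruction's byte offset from the
# start of the function and says nothing about the stack frame.
OFFSET_RE = re.compile(r"<\+(\d+)>")


def frame_size_from_disassembly(listing: str) -> Optional[int]:
    """Return the number of bytes the prologue reserves on the stack (the
    immediate in 'sub $N,%esp'), or None if no such instruction appears."""
    for line in listing.splitlines():
        m = SUB_ESP_RE.search(line)
        if m:
            return int(m.group(1), 0)  # base 0 handles both 0x.. and decimal
    return None


def instruction_offsets(listing: str) -> List[int]:
    """Return the <+N> code offsets gdb printed, in order. The last one in
    the sample is 25, which is why it is easy to confuse with a frame size."""
    return [int(m.group(1)) for m in OFFSET_RE.finditer(listing)]


def to_little_endian(addr: int, width: int = 4) -> bytes:
    """Pack an address least-significant byte first, as x86 stores it."""
    fmt = {4: "<I", 8: "<Q"}[width]
    return struct.pack(fmt, addr)


def from_little_endian(raw: bytes) -> int:
    """Inverse: turn bytes read from memory back into the integer value."""
    return int.from_bytes(raw, "little")


def escaped(raw: bytes) -> str:
    """Render bytes in the \\xNN notation used in the thread."""
    return "".join(f"\\x{b:02x}" for b in raw)


if __name__ == "__main__":
    print("frame bytes reserved:", frame_size_from_disassembly(SAMPLE_DISASSEMBLY))
    print("<+N> code offsets:", instruction_offsets(SAMPLE_DISASSEMBLY))
    print("0xdeadbeef little-endian:", escaped(to_little_endian(0xDEADBEEF)))
```

Run on the posted listing, the frame reservation comes out as 4 bytes while the code offsets run 0 through 25, which is the distinction w00t draws in reply #8; the same `SUB_ESP_RE` search is what you would apply to any other gdb listing to find the subtraction he describes.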

RE: Format String Exploitation Question #9
(03-02-2014, 01:32 AM)w00t Wrote: No, that's the offset from the beginning of the function, in bytes. Not the same thing.

The above is the full output, using gdb.

That's the entire function output, so where am I looking to find out how much I need to fill the stack?
Unleash the lead from my pistol into my head bumpin' crystal

Reply

RE: Format String Exploitation Question #10
PM me (or post here) with a link to the executable.

Reply