Exploit Education Phoenix x86 Format Three

Introduction Format Three is the continuation of the format string vulnerability challenges. Recon 1 $ r2 /opt/phoenix/i486/format-three 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 [0x08048350]> aas Cannot analyze at 0x080485e0 [0x08048350]> afl 0x080482d8 1 17 sym._init 0x080484a0 7 277 -> 112 sym.frame_dummy 0x080485a0 5 49 sym.__do_global_ctors_aux 0x080485d1 1 12 sym._fini 0x08048420 8 113 -> 111 sym.__do_global_dtors_aux 0x08048114 40 492 -> 577 sym..interp 0x08048350 1 62 entry0 0x08048340 1 6 sym.imp.__libc_start_main 0x080486a8 1 14 loc.__GNU_EH_FRAME_HDR 0x080486cc 3 34 sym..eh_frame 0x08048708 1 10 obj.__EH_FRAME_BEGIN 0x08048390 4 49 -> 40 sym.deregister_tm_clones 0x0804874c 1 4 obj.__FRAME_END 0x080484fc 6 155 main 0x08048310 1 6 sym.imp.puts 0x08048320 1 6 sym.imp.read 0x08048330 1 6 sym.imp.exit 0x080484e5 1 23 sym.bounce 0x08048300 1 6 sym.imp.printf [0x08048350]> s main [0x080484fc]> pdf / (fcn) main 155 | int main (int argc, char **argv, char **envp); | ; var int32_t var_1008h @ ebp-0x1008 | ; arg int32_t arg_4h @ esp+0x4 | ; DATA XREF from entry0 @ 0x8048384 | 0x080484fc 8d4c2404 lea ecx, [arg_4h] | 0x08048500 83e4f0 and esp, 0xfffffff0 | 0x08048503 ff71fc push dword [ecx - 4] | 0x08048506 55 push ebp | 0x08048507 89e5 mov ebp, esp | 0x08048509 51 push ecx | 0x0804850a 81ec04100000 sub esp, 0x1004 | 0x08048510 83ec0c sub esp, 0xc | 0x08048513 68e0850408 push 
str.Welcome_to_phoenix_format_three__brought_to_you_by_https:__exploit.education ; sym..rodata | ; 0x80485e0 ; "Welcome to phoenix/format-three, brought to you by https://exploit.education" | 0x08048518 e8f3fdffff call sym.imp.puts ; int puts(const char *s) | 0x0804851d 83c410 add esp, 0x10 | 0x08048520 83ec04 sub esp, 4 | 0x08048523 68ff0f0000 push 0xfff | 0x08048528 8d85f8efffff lea eax, [var_1008h] | 0x0804852e 50 push eax | 0x0804852f 6a00 push 0 | 0x08048531 e8eafdffff call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte) | 0x08048536 83c410 add esp, 0x10 | 0x08048539 85c0 test eax, eax | ,=< 0x0804853b 7f0a jg 0x8048547 | | 0x0804853d 83ec0c sub esp, 0xc | | 0x08048540 6a01 push 1 ; 1 | | 0x08048542 e8e9fdffff call sym.imp.exit ; void exit(int status) | `-> 0x08048547 83ec0c sub esp, 0xc | 0x0804854a 8d85f8efffff lea eax, [var_1008h] | 0x08048550 50 push eax | 0x08048551 e88fffffff call sym.bounce | 0x08048556 83c410 add esp, 0x10 | 0x08048559 a144980408 mov eax, dword [obj.changeme] ; [0x8049844:4]=0 | 0x0804855e 3d45784564 cmp eax, 0x64457845 | ,=< 0x08048563 7512 jne 0x8048577 | | 0x08048565 83ec0c sub esp, 0xc | | 0x08048568 6830860408 push str.Well_done__the__changeme__variable_has_been_changed_correctly ; 0x8048630 ; "Well done, the 'changeme' variable has been changed correctly!" 
| | 0x0804856d e89efdffff call sym.imp.puts ; int puts(const char *s) | | 0x08048572 83c410 add esp, 0x10 | ,==< 0x08048575 eb16 jmp 0x804858d | |`-> 0x08048577 a144980408 mov eax, dword [obj.changeme] ; [0x8049844:4]=0 | | 0x0804857c 83ec08 sub esp, 8 | | 0x0804857f 50 push eax | | 0x08048580 6870860408 push str.Better_luck_next_time___got_0x_08x__wanted_0x64457845 ; 0x8048670 ; "Better luck next time - got 0x%08x, wanted 0x64457845!\n" | | 0x08048585 e876fdffff call sym.imp.printf ; int printf(const char *format) | | 0x0804858a 83c410 add esp, 0x10 | | ; CODE XREF from main @ 0x8048575 | `--> 0x0804858d 83ec0c sub esp, 0xc | 0x08048590 6a00 push 0 \ 0x08048592 e899fdffff call sym.imp.exit ; void exit(int status) [0x080484fc]> agf [0x080484fc]> # int main (int argc, char **argv, char **envp); .------------------------------------------------------------------------------------------. | 0x80484fc | | (fcn) main 155 | | int main (int argc, char **argv, char **envp); | | ; var int32_t var_1008h @ ebp-0x1008 | | ; arg int32_t arg_4h @ esp+0x4 | | ; DATA XREF from entry0 @ 0x8048384 | | lea ecx, [arg_4h] | | and esp, 0xfffffff0 | | push dword [ecx - 4] | | push ebp | | mov ebp, esp | | push ecx | | sub esp, 0x1004 | | sub esp, 0xc | | ; sym..rodata | | ; 0x80485e0 | | ; "Welcome to phoenix/format-three, brought to you by https://exploit.education" | | push str.Welcome_to_phoenix_format_three__brought_to_you_by_https:__exploit.education | | ; int puts(const char *s) | | call sym.imp.puts;[oa] | | add esp, 0x10 | | sub esp, 4 | | push 0xfff | | lea eax, [var_1008h] | | push eax | | push 0 | | ; ssize_t read(int fildes, void *buf, size_t nbyte) | | call sym.imp.read;[ob] | | add esp, 0x10 | | test eax, eax | | jg 0x8048547 | `------------------------------------------------------------------------------------------' f t | | | '---------------------------------------. '-----------. | | | .-------------------------. .----------------------------------. 
| 0x804853d | | 0x8048547 | | sub esp, 0xc | | sub esp, 0xc | | ; 1 | | lea eax, [var_1008h] | | push 1 | | push eax | | ; void exit(int status) | | call sym.bounce;[od] | | call sym.imp.exit;[oc] | | add esp, 0x10 | `-------------------------' | ; [0x8049844:4]=0 | | mov eax, dword [obj.changeme] | | cmp eax, 0x64457845 | | jne 0x8048577 | `----------------------------------' f t | | | '---------------. .-------------------------------------------------------------' | | | .---------------------------------------------------------------------------. .-------------------------------------------------------------------. | 0x8048565 | | 0x8048577 | | sub esp, 0xc | | ; [0x8049844:4]=0 | | ; 0x8048630 | | mov eax, dword [obj.changeme] | | ; "Well done, the 'changeme' variable has been changed correctly!" | | sub esp, 8 | | push str.Well_done__the__changeme__variable_has_been_changed_correctly | | push eax | | ; int puts(const char *s) | | ; 0x8048670 | | call sym.imp.puts;[oa] | | ; "Better luck next time - got 0x%08x, wanted 0x64457845!\n" | | add esp, 0x10 | | push str.Better_luck_next_time___got_0x_08x__wanted_0x64457845 | | jmp 0x804858d | | ; int printf(const char *format) | `---------------------------------------------------------------------------' | call sym.imp.printf;[oe] | v | add esp, 0x10 | | `-------------------------------------------------------------------' | v | | '-----------------------------------------------------------. | | .-----------------' | | .-----------------------------------. 
| 0x804858d | | ; CODE XREF from main @ 0x8048575 | | sub esp, 0xc | | push 0 | | ; void exit(int status) | | call sym.imp.exit;[oc] | `-----------------------------------' [0x080484fc]> pdf @ sym.bounce / (fcn) sym.bounce 23 | sym.bounce (int32_t arg_8h); | ; arg int32_t arg_8h @ ebp+0x8 | ; CALL XREF from main @ 0x8048551 | 0x080484e5 55 push ebp | 0x080484e6 89e5 mov ebp, esp | 0x080484e8 83ec08 sub esp, 8 | 0x080484eb 83ec0c sub esp, 0xc | 0x080484ee ff7508 push dword [arg_8h] | 0x080484f1 e80afeffff call sym.imp.printf ; int printf(const char *format) | 0x080484f6 83c410 add esp, 0x10 | 0x080484f9 90 nop | 0x080484fa c9 leave \ 0x080484fb c3 ret The binary is almost identical to the one from the previous level. The only difference is that the value to be written to the address of the flag obj.changeme is 0x64457845. ...

October 26, 2019 · 10 min · 2045 words

Exploit Education Phoenix x86 Format Two

Introduction Format Two is the continuation of the format string vulnerability challenges. Recon 1 $ r2 /opt/phoenix/i486/format-two 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 [0x08048380]> aas Cannot analyze at 0x08048620 [0x08048380]> afl 0x080482fc 1 17 sym._init 0x080484d0 7 277 -> 112 sym.frame_dummy 0x080485e0 5 49 sym.__do_global_ctors_aux 0x08048611 1 12 sym._fini 0x08048450 8 113 -> 111 sym.__do_global_dtors_aux 0x08048114 44 524 -> 608 sym..interp 0x08048380 1 62 entry0 0x08048370 1 6 sym.imp.__libc_start_main 0x080486c4 1 14 loc.__GNU_EH_FRAME_HDR 0x080486e8 3 34 sym..eh_frame 0x08048724 1 10 obj.__EH_FRAME_BEGIN 0x080483c0 4 49 -> 40 sym.deregister_tm_clones 0x0804876c 1 4 obj.__FRAME_END 0x0804852c 6 172 main 0x08048515 1 23 sym.bounce 0x08048320 1 6 sym.imp.printf 0x08048330 1 6 sym.imp.puts 0x08048340 1 6 sym.imp.strncpy 0x08048350 1 6 sym.imp.memset 0x08048360 1 6 sym.imp.exit [0x08048380]> s main [0x0804852c]> pdf / (fcn) main 172 | int main (int argc, char **argv, char **envp); | ; var int32_t var_108h @ ebp-0x108 | ; arg int32_t arg_4h @ esp+0x4 | ; DATA XREF from entry0 @ 0x80483b4 | 0x0804852c 8d4c2404 lea ecx, [arg_4h] | 0x08048530 83e4f0 and esp, 0xfffffff0 | 0x08048533 ff71fc push dword [ecx - 4] | 0x08048536 55 push ebp | 0x08048537 89e5 mov ebp, esp | 0x08048539 53 push ebx | 0x0804853a 51 push 
ecx | 0x0804853b 81ec00010000 sub esp, 0x100 | 0x08048541 89cb mov ebx, ecx | 0x08048543 83ec0c sub esp, 0xc | 0x08048546 6820860408 push str.Welcome_to_phoenix_format_two__brought_to_you_by_https:__exploit.education ; sym..rodata | ; 0x8048620 ; "Welcome to phoenix/format-two, brought to you by https://exploit.education" | 0x0804854b e8e0fdffff call sym.imp.puts ; int puts(const char *s) | 0x08048550 83c410 add esp, 0x10 | 0x08048553 833b01 cmp dword [ebx], 1 | ,=< 0x08048556 7e4b jle 0x80485a3 | | 0x08048558 83ec04 sub esp, 4 | | 0x0804855b 6800010000 push 0x100 ; 256 | | 0x08048560 6a00 push 0 | | 0x08048562 8d85f8feffff lea eax, [var_108h] | | 0x08048568 50 push eax | | 0x08048569 e8e2fdffff call sym.imp.memset ; void *memset(void *s, int c, size_t n) | | 0x0804856e 83c410 add esp, 0x10 | | 0x08048571 8b4304 mov eax, dword [ebx + 4] | | 0x08048574 83c004 add eax, 4 | | 0x08048577 8b00 mov eax, dword [eax] | | 0x08048579 83ec04 sub esp, 4 | | 0x0804857c 6800010000 push 0x100 ; 256 | | 0x08048581 50 push eax | | 0x08048582 8d85f8feffff lea eax, [var_108h] | | 0x08048588 50 push eax | | 0x08048589 e8b2fdffff call sym.imp.strncpy ; char *strncpy(char *dest, const char *src, size_t n) | | 0x0804858e 83c410 add esp, 0x10 | | 0x08048591 83ec0c sub esp, 0xc | | 0x08048594 8d85f8feffff lea eax, [var_108h] | | 0x0804859a 50 push eax | | 0x0804859b e875ffffff call sym.bounce | | 0x080485a0 83c410 add esp, 0x10 | `-> 0x080485a3 a168980408 mov eax, dword [obj.changeme] ; [0x8049868:4]=0 | 0x080485a8 85c0 test eax, eax | ,=< 0x080485aa 7412 je 0x80485be | | 0x080485ac 83ec0c sub esp, 0xc | | 0x080485af 686c860408 push str.Well_done__the__changeme__variable_has_been_changed_correctly ; 0x804866c ; "Well done, the 'changeme' variable has been changed correctly!" 
| | 0x080485b4 e877fdffff call sym.imp.puts ; int puts(const char *s) | | 0x080485b9 83c410 add esp, 0x10 | ,==< 0x080485bc eb10 jmp 0x80485ce | |`-> 0x080485be 83ec0c sub esp, 0xc | | 0x080485c1 68ab860408 push str.Better_luck_next_time ; 0x80486ab ; "Better luck next time!\n" | | 0x080485c6 e865fdffff call sym.imp.puts ; int puts(const char *s) | | 0x080485cb 83c410 add esp, 0x10 | | ; CODE XREF from main @ 0x80485bc | `--> 0x080485ce 83ec0c sub esp, 0xc | 0x080485d1 6a00 push 0 \ 0x080485d3 e888fdffff call sym.imp.exit ; void exit(int status) [0x0804852c]> agf [0x0804852c]> # int main (int argc, char **argv, char **envp); .----------------------------------------------------------------------------------------. | 0x804852c | | (fcn) main 172 | | int main (int argc, char **argv, char **envp); | | ; var int32_t var_108h @ ebp-0x108 | | ; arg int32_t arg_4h @ esp+0x4 | | ; DATA XREF from entry0 @ 0x80483b4 | | lea ecx, [arg_4h] | | and esp, 0xfffffff0 | | push dword [ecx - 4] | | push ebp | | mov ebp, esp | | push ebx | | push ecx | | sub esp, 0x100 | | mov ebx, ecx | | sub esp, 0xc | | ; sym..rodata | | ; 0x8048620 | | ; "Welcome to phoenix/format-two, brought to you by https://exploit.education" | | push str.Welcome_to_phoenix_format_two__brought_to_you_by_https:__exploit.education | | ; int puts(const char *s) | | call sym.imp.puts;[oa] | | add esp, 0x10 | | cmp dword [ebx], 1 | | jle 0x80485a3 | `----------------------------------------------------------------------------------------' f t | | | '---------------------------------------------------. .---' | .---------------------------------------------------------. 
| | 0x8048558 | | | sub esp, 4 | | | ; 256 | | | push 0x100 | | | push 0 | | | lea eax, [var_108h] | | | push eax | | | ; void *memset(void *s, int c, size_t n) | | | call sym.imp.memset;[ob] | | | add esp, 0x10 | | | mov eax, dword [ebx + 4] | | | add eax, 4 | | | mov eax, dword [eax] | | | sub esp, 4 | | | ; 256 | | | push 0x100 | | | push eax | | | lea eax, [var_108h] | | | push eax | | | ; char *strncpy(char *dest, const char *src, size_t n) | | | call sym.imp.strncpy;[oc] | | | add esp, 0x10 | | | sub esp, 0xc | | | lea eax, [var_108h] | | | push eax | | | call sym.bounce;[od] | | | add esp, 0x10 | | `---------------------------------------------------------' | v | | | '----------------------------. | | .--------------------------' | | .----------------------------------. | 0x80485a3 | | ; [0x8049868:4]=0 | | mov eax, dword [obj.changeme] | | test eax, eax | | je 0x80485be | `----------------------------------' f t | | | '-----------------------. .-----------------------------------------------------' | | | .---------------------------------------------------------------------------. .-----------------------------------. | 0x80485ac | | 0x80485be | | sub esp, 0xc | | sub esp, 0xc | | ; 0x804866c | | ; 0x80486ab | | ; "Well done, the 'changeme' variable has been changed correctly!" | | ; "Better luck next time!\n" | | push str.Well_done__the__changeme__variable_has_been_changed_correctly | | push str.Better_luck_next_time | | ; int puts(const char *s) | | ; int puts(const char *s) | | call sym.imp.puts;[oa] | | call sym.imp.puts;[oa] | | add esp, 0x10 | | add esp, 0x10 | | jmp 0x80485ce | `-----------------------------------' `---------------------------------------------------------------------------' v v | | | '---------------------------------------------------. | | .-------------------------' | | .-----------------------------------. 
| 0x80485ce | | ; CODE XREF from main @ 0x80485bc | | sub esp, 0xc | | push 0 | | ; void exit(int status) | | call sym.imp.exit;[oe] | `-----------------------------------' [0x0804852c]> pdf @ sym.bounce / (fcn) sym.bounce 23 | sym.bounce (int32_t arg_8h); | ; arg int32_t arg_8h @ ebp+0x8 | ; CALL XREF from main @ 0x804859b | 0x08048515 55 push ebp | 0x08048516 89e5 mov ebp, esp | 0x08048518 83ec08 sub esp, 8 | 0x0804851b 83ec0c sub esp, 0xc | 0x0804851e ff7508 push dword [arg_8h] | 0x08048521 e8fafdffff call sym.imp.printf ; int printf(const char *format) | 0x08048526 83c410 add esp, 0x10 | 0x08048529 90 nop | 0x0804852a c9 leave \ 0x0804852b c3 ret There are a few things to break down: ...

October 18, 2019 · 10 min · 1987 words

Exploit Education Phoenix x86 Format One

Introduction Format One is the continuation of the format string vulnerability challenges. Recon 1 $ r2 /opt/phoenix/i486/format-one 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 [0x080483d0]> aas Cannot analyze at 0x08048650 [0x080483d0]> afl 0x08048338 1 17 sym._init 0x08048520 7 277 -> 112 sym.frame_dummy 0x08048610 5 49 sym.__do_global_ctors_aux 0x08048641 1 12 sym._fini 0x080484a0 8 113 -> 111 sym.__do_global_dtors_aux 0x08048114 57 604 -> 666 sym..interp 0x080483d0 1 62 entry0 0x080483c0 1 6 sym.imp.__libc_start_main 0x08048728 1 14 loc.__GNU_EH_FRAME_HDR 0x08048744 3 34 sym..eh_frame 0x08048780 1 10 obj.__EH_FRAME_BEGIN 0x08048410 4 49 -> 40 sym.deregister_tm_clones 0x080487a4 1 4 obj.__FRAME_END 0x08048565 6 163 main 0x08048380 1 6 sym.imp.puts 0x08048370 1 6 sym.imp.fgets 0x08048390 1 6 sym.imp.errx 0x080483a0 1 6 sym.imp.sprintf 0x08048360 1 6 sym.imp.printf 0x080483b0 1 6 sym.imp.exit [0x080483d0]> s main [0x08048565]> pdf / (fcn) main 163 | int main (int argc, char **argv, char **envp); | ; var int32_t var_3ch @ ebp-0x3c | ; var int32_t var_2dh @ ebp-0x2d | ; var int32_t var_2ch @ ebp-0x2c | ; var int32_t var_ch @ ebp-0xc | ; arg int32_t arg_4h @ esp+0x4 | ; DATA XREF from entry0 @ 0x8048404 | 0x08048565 8d4c2404 lea ecx, [arg_4h] | 0x08048569 83e4f0 and esp, 0xfffffff0 | 0x0804856c ff71fc push dword [ecx - 4] | 0x0804856f 55 push ebp | 0x08048570 89e5 mov ebp, esp | 0x08048572 51 push ecx | 
0x08048573 83ec44 sub esp, 0x44 | 0x08048576 83ec0c sub esp, 0xc | 0x08048579 6850860408 push str.Welcome_to_phoenix_format_one__brought_to_you_by_https:__exploit.education ; sym..rodata | ; 0x8048650 ; "Welcome to phoenix/format-one, brought to you by https://exploit.education" | 0x0804857e e8fdfdffff call sym.imp.puts ; int puts(const char *s) | 0x08048583 83c410 add esp, 0x10 | 0x08048586 a1a0980408 mov eax, dword [obj.stdin] ; sym..bss | ; [0x80498a0:4]=0 | 0x0804858b 83ec04 sub esp, 4 | 0x0804858e 50 push eax | 0x0804858f 6a0f push 0xf ; 15 | 0x08048591 8d45c4 lea eax, [var_3ch] | 0x08048594 50 push eax | 0x08048595 e8d6fdffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream) | 0x0804859a 83c410 add esp, 0x10 | 0x0804859d 85c0 test eax, eax | ,=< 0x0804859f 750f jne 0x80485b0 | | 0x080485a1 83ec08 sub esp, 8 | | 0x080485a4 689b860408 push str.Unable_to_get_buffer ; 0x804869b ; "Unable to get buffer" | | 0x080485a9 6a01 push 1 ; 1 | | 0x080485ab e8e0fdffff call sym.imp.errx ; void errx(int eval) | `-> 0x080485b0 c645d300 mov byte [var_2dh], 0 | 0x080485b4 c745f4000000. mov dword [var_ch], 0 | 0x080485bb 83ec08 sub esp, 8 | 0x080485be 8d45c4 lea eax, [var_3ch] | 0x080485c1 50 push eax | 0x080485c2 8d45d4 lea eax, [var_2ch] | 0x080485c5 50 push eax | 0x080485c6 e8d5fdffff call sym.imp.sprintf ; int sprintf(char *s, const char *format, ...) 
| 0x080485cb 83c410 add esp, 0x10 | 0x080485ce 8b45f4 mov eax, dword [var_ch] | 0x080485d1 3d6c4f7645 cmp eax, 0x45764f6c | ,=< 0x080485d6 7416 je 0x80485ee | | 0x080485d8 8b45f4 mov eax, dword [var_ch] | | 0x080485db 83ec08 sub esp, 8 | | 0x080485de 50 push eax | | 0x080485df 68b0860408 push str.Uh_oh___changeme__is_not_the_magic_value__it_is_0x_08x ; 0x80486b0 ; "Uh oh, 'changeme' is not the magic value, it is 0x%08x\n" | | 0x080485e4 e877fdffff call sym.imp.printf ; int printf(const char *format) | | 0x080485e9 83c410 add esp, 0x10 | ,==< 0x080485ec eb10 jmp 0x80485fe | |`-> 0x080485ee 83ec0c sub esp, 0xc | | 0x080485f1 68e8860408 push str.Well_done__the__changeme__variable_has_been_changed_correctly ; 0x80486e8 ; "Well done, the 'changeme' variable has been changed correctly!" | | 0x080485f6 e885fdffff call sym.imp.puts ; int puts(const char *s) | | 0x080485fb 83c410 add esp, 0x10 | | ; CODE XREF from main @ 0x80485ec | `--> 0x080485fe 83ec0c sub esp, 0xc | 0x08048601 6a00 push 0 \ 0x08048603 e8a8fdffff call sym.imp.exit ; void exit(int status) [0x08048565]> agf [0x08048565]> # int main (int argc, char **argv, char **envp); .----------------------------------------------------------------------------------------. 
| 0x8048565 | | (fcn) main 163 | | int main (int argc, char **argv, char **envp); | | ; var int32_t var_3ch @ ebp-0x3c | | ; var int32_t var_2dh @ ebp-0x2d | | ; var int32_t var_2ch @ ebp-0x2c | | ; var int32_t var_ch @ ebp-0xc | | ; arg int32_t arg_4h @ esp+0x4 | | ; DATA XREF from entry0 @ 0x8048404 | | lea ecx, [arg_4h] | | and esp, 0xfffffff0 | | push dword [ecx - 4] | | push ebp | | mov ebp, esp | | push ecx | | sub esp, 0x44 | | sub esp, 0xc | | ; sym..rodata | | ; 0x8048650 | | ; "Welcome to phoenix/format-one, brought to you by https://exploit.education" | | push str.Welcome_to_phoenix_format_one__brought_to_you_by_https:__exploit.education | | ; int puts(const char *s) | | call sym.imp.puts;[oa] | | add esp, 0x10 | | ; sym..bss | | ; [0x80498a0:4]=0 | | mov eax, dword [obj.stdin] | | sub esp, 4 | | push eax | | ; 15 | | push 0xf | | lea eax, [var_3ch] | | push eax | | ; char *fgets(char *s, int size, FILE *stream) | | call sym.imp.fgets;[ob] | | add esp, 0x10 | | test eax, eax | | jne 0x80485b0 | `----------------------------------------------------------------------------------------' f t | | | '-------------------------------------. | | | | .----------------------------------. .-------------------------------------------------. | 0x80485a1 | | 0x80485b0 | | sub esp, 8 | | mov byte [var_2dh], 0 | | ; 0x804869b | | mov dword [var_ch], 0 | | ; "Unable to get buffer" | | sub esp, 8 | | push str.Unable_to_get_buffer | | lea eax, [var_3ch] | | ; 1 | | push eax | | push 1 | | lea eax, [var_2ch] | | ; void errx(int eval) | | push eax | | call sym.imp.errx;[oc] | | ; int sprintf(char *s, const char *format, ...) | `----------------------------------' | call sym.imp.sprintf;[od] | | add esp, 0x10 | | mov eax, dword [var_ch] | | cmp eax, 0x45764f6c | | je 0x80485ee | `-------------------------------------------------' f t | | | '-------------------. 
.---------------------------------------------------' | | | .--------------------------------------------------------------------. .---------------------------------------------------------------------------. | 0x80485d8 | | 0x80485ee | | mov eax, dword [var_ch] | | sub esp, 0xc | | sub esp, 8 | | ; 0x80486e8 | | push eax | | ; "Well done, the 'changeme' variable has been changed correctly!" | | ; 0x80486b0 | | push str.Well_done__the__changeme__variable_has_been_changed_correctly | | ; "Uh oh, 'changeme' is not the magic value, it is 0x%08x\n" | | ; int puts(const char *s) | | push str.Uh_oh___changeme__is_not_the_magic_value__it_is_0x_08x | | call sym.imp.puts;[oa] | | ; int printf(const char *format) | | add esp, 0x10 | | call sym.imp.printf;[oe] | `---------------------------------------------------------------------------' | add esp, 0x10 | v | jmp 0x80485fe | | `--------------------------------------------------------------------' | v | | | '--------------------------------------------------------. | | .--------------' | | .-----------------------------------. | 0x80485fe | | ; CODE XREF from main @ 0x80485ec | | sub esp, 0xc | | push 0 | | ; void exit(int status) | | call sym.imp.exit;[of] | `-----------------------------------' From the above, the key points are the following: ...

October 17, 2019 · 8 min · 1635 words

Exploit Education Phoenix x86 Format Zero

Introduction This series of format levels is all about exploiting format strings, and the first level introduces a simple format string vulnerability. Recon Use rabin2 to get information about the binary. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 $ rabin2 -I /opt/phoenix/i486/format-zero arch x86 baddr 0x8048000 binsz 3736 bintype elf bits 32 canary false class ELF32 compiler GCC: (GNU) 7.3.0 crypto false endian little havecode true intrp /opt/phoenix/i486-linux-musl/lib/ld-musl-i386.so.1 laddr 0x0 lang c linenum true lsyms true machine Intel 80386 maxopsz 16 minopsz 1 nx false os linux pcalign 0 pic false relocs true relro no rpath /opt/phoenix/i486-linux-musl/lib sanitiz false static false stripped false subsys linux va true It seems that the binary doesn’t differ from those of the previous levels. ...

October 16, 2019 · 9 min · 1754 words

Exploit Education Phoenix x86 Stack Five

Introduction Stack Five is the continuation of the stack-based buffer overflow challenges. Recon Use rabin2 to get information about the binary. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 rabin2 -I /opt/phoenix/i486/stack-five arch x86 baddr 0x8048000 binsz 3249 bintype elf bits 32 canary false class ELF32 compiler GCC: (GNU) 7.3.0 crypto false endian little havecode true intrp /opt/phoenix/i486-linux-musl/lib/ld-musl-i386.so.1 laddr 0x0 lang c linenum true lsyms true machine Intel 80386 maxopsz 16 minopsz 1 nx false os linux pcalign 0 pic false relocs true relro no rpath /opt/phoenix/i486-linux-musl/lib sanitiz false static false stripped false subsys linux va true As can be seen, the binary reports the same information as in the previous levels. ...

October 14, 2019 · 6 min · 1194 words