
Mainly reinforcement learning

A blog where a second-year CS undergraduate writes mostly about probability-related topics

format string 3 (beginner) in Solving the problem (B)

Hello. Let's solve problem (B).

First, I want to test whether it is true that the values printed by printf("%08x.%08x....") follow the stack contents at esp at the moment printf is called.

   0x0804850c <+136>:	lea    eax,[esp+0x2c]
   0x08048510 <+140>:	mov    DWORD PTR [esp],eax
   0x08048513 <+143>:	call   0x8048398 <printf@plt> ; printf(text)
   0x08048518 <+148>:	mov    DWORD PTR [esp],0x8048649
   0x0804851f <+155>:	call   0x80483a8 <puts@plt>
   0x08048524 <+160>:	mov    ecx,DWORD PTR ds:0x804a020
   0x0804852a <+166>:	mov    edx,DWORD PTR ds:0x804a020


(gdb) b *main+143
Note: breakpoint 1 also set at pc 0x8048513.
Breakpoint 2 at 0x8048513: file fmt_vuln.c, line 20.
(gdb) r $(python -c 'print "%08x."*30')
Starting program: /root/ctf/fmt_vuln $(python -c 'print "%08x."*30')
True Text
%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.
False Text

Breakpoint 1, 0x08048513 in main (argc=2, argv=0xbffff434) at fmt_vuln.c:20
20		printf(text);
(gdb) i r $esp
esp            0xbfffef50	0xbfffef50
(gdb) ni
22		puts("");
(gdb) 
0x0804851f	22		puts("");
(gdb) x/10xw $esp
0xbfffef50:	0x08048649	0xbffff5b9	0x00154d7c	0x00154d7c
0xbfffef60:	0x00154d7c	0x000000f0	0x000000f0	0xbffff434
0xbfffef70:	0x00000004	0x00000004
(gdb) ni
bffff5b9.00154d7c.00154d7c.00154d7c.000000f0.000000f0.bffff434.00000004.00000004.00000174.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.

Notice the two lines below:
>>0xbfffef50: 0x08048649 0xbffff5b9 0x00154d7c 0x00154d7c
and
>>bffff5b9.00154d7c.00154d7c.00154d7c.000000f0

In other words, the printed values are shifted by one word from the memory at esp!!
I could not understand this...

What does "0x08048649" mean?
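The one-word shift comes from the calling convention: at the call, [esp] holds the pointer to the format string (the first argument), so the first %08x reads the next slot, [esp+4], and the 0x08048649 seen after stepping is the string address that main+148 stores for puts. As an added example that is not part of the original post, the C program below counts how many argument slots a format such as "%08x." * 30 consumes and shows the fix for printf(text); count_conversions, probe_format and echo_fixed are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion specifiers in fmt. On 32-bit x86 each one makes printf
 * read one 4-byte slot from the caller's stack, starting at [esp+4]: [esp]
 * holds the format pointer itself, which is why the dump above starts at
 * 0x08048649 while the output starts at bffff5b9. "%%" consumes nothing;
 * a '*' width or precision consumes an extra slot. */
size_t count_conversions(const char *fmt)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }          /* literal "%%" */
        p++;
        while (*p && strchr("-+ #0", *p)) p++;       /* flags */
        if (*p == '*') { n++; p++; }                 /* width from an argument */
        while (*p >= '0' && *p <= '9') p++;          /* literal width */
        if (*p == '.') {                             /* precision */
            p++;
            if (*p == '*') { n++; p++; }
            while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;     /* length modifier */
        if (*p == '\0')
            break;                                   /* truncated spec */
        n++;                                         /* the conversion itself */
    }
    return n;
}

/* Constructed sample input: "%08x." repeated count times, as on the page. */
const char *probe_format(int count)
{
    static char buf[256];
    buf[0] = '\0';
    for (int i = 0; i < count && strlen(buf) + 5 < sizeof buf; i++)
        strcat(buf, "%08x.");
    return buf;
}

/* Fix for fmt_vuln.c:20 (printf(text)): pass the text as data, so its '%'
 * characters are never interpreted. Returns the number of characters. */
int echo_fixed(char *out, size_t outsz, const char *text)
{
    return snprintf(out, outsz, "%s", text);
}
```

With the page's input, count_conversions reports 30 slots read above the format pointer, while echo_fixed reproduces the text verbatim.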

Well, first I have to check the source code and understand which mitigations the problem has to prevent it from being solved. The first mitigation is randomized addresses of the program (-pie). PIE loads executable binaries at random memory addresses so that the kernel can disallow text relocation. I want to read this blog after reading the source code. Next, we have to be careful about the mitigation "Protected the stack (-fstack-protector-all)"; I will use this reference (site). IPA is God. The next mitigation is "Made GOT read-only (-Wl,-z,relro,-z,now)", which means we cannot use a GOT overwrite exploit; looked at the other way, the possibilities are reduced. The last one is "Ascii armor is enabled". Let's check the mitigations in the binary:

% objdump -d -M intel villager|grep -A40 main.:
000008b0 <main>:
 8b0:	55                   	push   ebp
 8b1:	89 e5                	mov    ebp,esp
 8b3:	83 e4 f0             	and    esp,0xfffffff0
 8b6:	83 ec 20             	sub    esp,0x20
 8b9:	65 a1 14 00 00 00    	mov    eax,gs:0x14
 8bf:	89 44 24 1c          	mov    DWORD PTR [esp+0x1c],eax
 8c3:	31 c0                	xor    eax,eax
 8c5:	c7 04 24 2c 0a 00 00 	mov    DWORD PTR [esp],0xa2c
 8cc:	e8 fc ff ff ff       	call   8cd <main+0x1d>
 8d1:	a1 00 00 00 00       	mov    eax,ds:0x0
 8d6:	89 04 24             	mov    DWORD PTR [esp],eax
 8d9:	e8 fc ff ff ff       	call   8da <main+0x2a>
 8de:	66 90                	xchg   ax,ax
 8e0:	c7 04 24 03 00 00 00 	mov    DWORD PTR [esp],0x3
 8e7:	e8 fc ff ff ff       	call   8e8 <main+0x38>
 8ec:	e8 ff fe ff ff       	call   7f0 <_Z4convv>
 8f1:	84 c0                	test   al,al
 8f3:	74 eb                	je     8e0 <main+0x30>
 8f5:	c7 04 24 34 0a 00 00 	mov    DWORD PTR [esp],0xa34
 8fc:	e8 fc ff ff ff       	call   8fd <main+0x4d>
 901:	a1 00 00 00 00       	mov    eax,ds:0x0
 906:	89 04 24             	mov    DWORD PTR [esp],eax
 909:	e8 fc ff ff ff       	call   90a <main+0x5a>
 90e:	31 c0                	xor    eax,eax
 910:	8b 54 24 1c          	mov    edx,DWORD PTR [esp+0x1c]
 914:	65 33 15 14 00 00 00 	xor    edx,DWORD PTR gs:0x14
 91b:	75 02                	jne    91f <main+0x6f>
 91d:	c9                   	leave  
 91e:	c3                   	ret    
 91f:	90                   	nop
 920:	e8 fc ff ff ff       	call   921 <main+0x71>

OK, I will try splitting the disassembly into pieces that anyone can read.

1. These are the function prologue and epilogue, so we can ignore them.
I'd direct attention to sub esp,0x20, which means the local variables in this function occupy 0x20 (32) bytes.

 8b0:	55                   	push   ebp
 8b1:	89 e5                	mov    ebp,esp
 8b3:	83 e4 f0             	and    esp,0xfffffff0
 8b6:	83 ec 20             	sub    esp,0x20

...omission...

 91d:	c9                   	leave  
 91e:	c3                   	ret    
 91f:	90                   	nop
 920:	e8 fc ff ff ff       	call   921 <main+0x71>

2.

 8b9:	65 a1 14 00 00 00    	mov    eax,gs:0x14
 8bf:	89 44 24 1c          	mov    DWORD PTR [esp+0x1c],eax
 8c3:	31 c0                	xor    eax,eax
 8c5:	c7 04 24 2c 0a 00 00 	mov    DWORD PTR [esp],0xa2c
 8cc:	e8 fc ff ff ff       	call   8cd <main+0x1d>