Fuzzing and exploiting vulnserver TRUN command It’s been a long time since I wrote a post now since the lockdown keeps extending so I decided to polish my skills of exploit development on windows.
Heap 0 Source code The following is the source code for Heap 0 Challenge
#include <stdlib.h> #include <unistd.h> #include <string.h> #include <stdio.h> #include <sys/types.h> struct data { char name[64]; }; struct fp { int (*fp)(); }; void winner() { printf("level passed\n"); } void nowinner() { printf("level has not been passed\n"); } int main(int argc, char **argv) { struct data *d; struct fp *f; d = malloc(sizeof(struct data)); f = malloc(sizeof(struct fp)); f->fp = nowinner; printf("data is at %p, fp is at %p\n", d, f); strcpy(d->name, argv[1]); f->fp(); } Challenge In this challenge we need to modify the f-fp pointer to call winner function on running the program it outputs two address one is of data struct and other is of f struct clearly we can exploit this challenge using buffer overflow
Format 4 Source code The following is the source code for Format 4 Challenge
#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void hello() { printf("code execution redirected! you win\n"); _exit(1); } void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); exit(1); } int main(int argc, char **argv) { vuln(); } Challenge In this challenge we need to execute hello() function we can do this by modifying our GLOBAL_OFFSET_TABLE we can do that by using arbitary memory write using format string vulnerabilty so first we need to find the address of exit() in global offset table
Format 3 Source Code The following is the source code for Format 3 Challenge
#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void printbuffer(char *string) { printf(string); } void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printbuffer(buffer); if(target == 0x01025544) { printf("you have modified the target :)\n"); } else { printf("target is %08x :(\n", target); } } int main(int argc, char **argv) { vuln(); } Challenge Again we need to modify the target variable to 0x01025544 so we can do this in two wasy either using the same method as in format3 or we can modify the least significant byte of target 0x080496f4 address once and then doing this repeatidily 4 times we can modify the whole address so i am gonna try the second method so our payload will be
Format 2 Source Code The following is the source code for Format 2 Challenge
#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); if(target == 64) { printf("you have modified the target :)\n"); } else { printf("target is %d :(\n", target); } } int main(int argc, char **argv) { vuln(); } Challenge We need to modify the target to 64 in this as well as our input is being stored in buffer and then printf is being called on that buffer again we have a format string vulnerability on fiddling around with the input we can see out placeholder value AAAA can be accessed on stack
Format 1 Source Code The following is the source code for Format 1 Challenge
#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void vuln(char *string) { printf(string); if(target) { printf("you have modified the target :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } Challenge In this we again need to modify the value of target variable but this time we need to do that by using format string vulnerability as the program uses printf() function so after fiddling around a lot i found the perfect offset to modify target and hence on running
Format 0 Source Code The following is the source code for Format 0 Challenge
#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void vuln(char *string) { volatile int target; char buffer[64]; target = 0; sprintf(buffer, string); if(target == 0xdeadbeef) { printf("you have hit the target correctly :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } Challenge In this challenge we need to modify target variable with 0xdeadbeef as this program uses sprintf function and hence it’s vulnerable to buffer overflow attack and hence filling the buffer with 'A'*64 and then adding the 0xdeadbeef in little endian format we completed this challenge
Stack 7 The following is the source code for Stack 6 challenge
Source code char *getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xb0000000) == 0xb0000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); return strdup(buffer); } int main(int argc, char **argv) { getpath(); } Challenge In this our return address again cannot start with 0xb so we have to again return to user code in order to get crack this challenge, by looking at the source code we can see our input is being stored in heap as well so we can use heap’s address to jump to as it will be more reliable and hence by just breaking before the ret of getpath function we got the address of heap where we can jump to