To comply with the rule 3, I masked some contents that is needed to solve this challenge.
The "fsb" means "Format String Bug". It is traditional vulnerability.
※ What is the FSB(Format String Bug) : Link
<fsb.c>
#include <stdio.h>
#include <alloca.h>
#include <fcntl.h>
unsigned long long key;
char buf[100];
char buf2[100];
int fsb(char** argv, char** envp){
char* args[]={"/bin/sh", 0};
int i;
char*** pargv = &argv;
char*** penvp = &envp;
char** arg;
char* c;
for(arg=argv;*arg;arg++) for(c=*arg; *c;c++) *c='\0';
for(arg=envp;*arg;arg++) for(c=*arg; *c;c++) *c='\0';
*pargv=0;
*penvp=0;
for(i=0; i<4; i++){
printf("Give me some format strings(%d)\n", i+1);
read(0, buf, 100);
printf(buf);
}
printf("Wait a sec...\n");
sleep(3);
printf("key : \n");
read(0, buf2, 100);
unsigned long long pw = strtoull(buf2, 0, 10);
if(pw == key){
printf("Congratz!\n");
execve(args[0], args, 0);
return 0;
}
printf("Incorrect key \n");
return 0;
}
int main(int argc, char* argv[], char** envp){
int fd = open("/dev/urandom", O_RDONLY);
if( fd==-1 || read(fd, &key, 8) != 8 ){
printf("Error, tell admin\n");
return 0;
}
close(fd);
alloca(0x12345 & key);
fsb(argv, envp); // exploit this format string bug!
return 0;
}
#include <alloca.h>
#include <fcntl.h>
unsigned long long key;
char buf[100];
char buf2[100];
int fsb(char** argv, char** envp){
char* args[]={"/bin/sh", 0};
int i;
char*** pargv = &argv;
char*** penvp = &envp;
char** arg;
char* c;
for(arg=argv;*arg;arg++) for(c=*arg; *c;c++) *c='\0';
for(arg=envp;*arg;arg++) for(c=*arg; *c;c++) *c='\0';
*pargv=0;
*penvp=0;
for(i=0; i<4; i++){
printf("Give me some format strings(%d)\n", i+1);
read(0, buf, 100);
printf(buf);
}
printf("Wait a sec...\n");
sleep(3);
printf("key : \n");
read(0, buf2, 100);
unsigned long long pw = strtoull(buf2, 0, 10);
if(pw == key){
printf("Congratz!\n");
execve(args[0], args, 0);
return 0;
}
printf("Incorrect key \n");
return 0;
}
int main(int argc, char* argv[], char** envp){
int fd = open("/dev/urandom", O_RDONLY);
if( fd==-1 || read(fd, &key, 8) != 8 ){
printf("Error, tell admin\n");
return 0;
}
close(fd);
alloca(0x12345 & key);
fsb(argv, envp); // exploit this format string bug!
return 0;
}
The above c code is decompiled code of fsb.
If the values of pw and key are the same, the shell is executed. Where pw is the input value and key is the random value from /dev/urandom.
Before the pw and key are checked whether they are same, all argv and envp values are initialized with 0 and the opportunity to input values in "buf" of BSS area is given four times. However, FSB vulnerability occurs because the format string is not used in the process of printing the input value,
❑ strtoull(const char *nptr,char **endptr,int base) : This recognizes the string "nptr" as "base(decimal, hexdecimal, binary etc.)", and returns the value as unsigned long long.
❑ alloca(size_t size) : This allocates as much memory as "size" to the stack frame and returns the starting address of the space allocated.
And there are things to note in the source code. The above is provided fsb.c, and below is the decompiled c code. The provided file says that the input value is used as an unsigned long long length(8 bytes) but actually it is used as a signed int length(4 bytes).
In the assembly code, you can see that the SAR assembly command removes the top four bytes to use it as 4 bytes length.
fsb applies NX and ASLR.
It is a stack that is breaked in the "if (key == password)" part.
For a typical FSB challenge, the "key" variable is a local variable, but since it is in the BSS area here, I used "pargv" to access the "key". You can access the "key" variable from the stack by inputting the address of the "key" variable into where "pargv" points.
The payload sets the key value to 0, as shown below.
[Payload]
%08x%08x%08x■■■■■■■■■■■■■■■■■■■■■■■■■■■832x%n
■■■■■
%08x%08x%08x%08x%08x■■■■■■■■■■■■■■■■■■■■■■836x%n
%20$n
After running the program, input payload for "Give me some format strings" and 0 for "key : ".
FYI.
The payload length can be further reduced by using the position of the parameter.
%13■■■■■■■4$n
■■■■■■
%13■■■■■■■4$n
%20$n