KSU Format String Vulnerability Ubuntu Lab Report


Format String Vulnerability Lab
Task 1: The Vulnerable Program
I launch two VMs, one called SEEDUBUNTU and the other SEEDUBUNTU CLONE. After I run
“sudo ./server” on the server side and “nc -u 10.0.2.7 9090” on the client side, I can type
messages on the client side and the server program prints the same content I typed.
Figure 1-1
Task 2: Understanding the Layout of the Stack
As shown in fig 2-3, I first type “aaaaaaa..%x…%x” to observe the output of this format string.
I find that 6161616161… appears on the server side, and that the output also includes numbers
like 3 and 10 and addresses like 80….., b7… and bf…... Because the address of msg begins with
bf, I guess the buffer address also begins with bf…, so I construct format strings to test the bf….
addresses. After many tests I get the output shown in fig 2-2, meaning that bffff0e0 is the buffer
address, but bffff0e0 appears twice. The first one is followed by 3, while the second one is
followed by 80…, which looks like an address, so I think the second one is msg.
The address of msg is 0xbffff0a0, so the return address of myprintf() is 0xbffff09c.
There are 8 %.x between the format string and msg, so the address of the format string is
0xbffff0a0 - 32 = 0xbffff080, and the address of buf is 0xbffff0e0.
The distance between ➊ and ➌ is 96.
Figure 2-1
Figure 2-2
Figure 2-3
Task 3: Crash the Program
I type some %s on the client side, as shown in fig 3-1, and then the server crashes, as shown in fig 3-2.
Figure 3-1
Figure 3-2
Task 4.a: Stack Data
The figures below are the same as the figures used in task 2, so I use 24 %x to get the first four
bytes of my input.
Figure 4-1
Task 4.b: Heap Data
I first build the format string shown in fig 4-4: I put the address of secret on the stack, then
add the va_list to find the address of secret, then I use %s to print the content. So, as shown in
fig 4-3, I get the content of secret, ”A secret message”.
Figure 4-3
Figure 4-4
Task 5.a: Change the value to a different value
As shown in fig 5-2, I build a format string that includes the address of target, and the value of
target is changed, as shown in fig 5-1.
Figure 5-1
Figure 5-2
Task 5.b: Change the value to 0x500
After calculating, I build the format string shown in fig 5-4, and the value of target is changed to
0x00000500.
Figure 5-3
Figure 5-4
Task 5.c: Change the value to 0xFF990000
I divide 0xff990000 into two parts, one for 0xff99 and the other for 0x0000. I calculate the
remaining %.Zx with Z = 65222, then use %hn to modify the memory at the address, so that at
0x0904a042 the value is 0xff99. After that, I use %.65637x to get zero because the counter
overflows. So, as shown in fig 5-5, target changes to 0xff990000.
Figure 5-5
Figure 5-6
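To make the arithmetic behind Tasks 5.b and 5.c concrete, here is an added example (code written for this page, not part of the SEED lab or of this report) that computes the precision values for a two-%hn write and then checks them with a real %hn write. It assumes a little-endian target as in the lab's x86 VM, and that exactly 8 characters (the two 4-byte addresses) are emitted before the first %hn; the report's own Z values also include whatever its leading %x conversions printed, so its numbers differ from the ones computed here. The halves are passed as explicit arguments, so the demonstration does not depend on the stack layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Extra characters that must be printed so that the %n counter, taken
 * modulo 0x10000, becomes `want`. The counter only grows, so when `want`
 * is below the current count the write wraps through 0x10000. */
static unsigned pad_to(unsigned printed, unsigned want)
{
    return (want - (printed & 0xffff)) & 0xffff;
}

struct hn_plan {
    unsigned w1, w2;   /* precision for the %.Nx before the first and second %hn */
    int high_first;    /* 1: write the high half (address+2) first, 0: low half first */
};

/* Plan two %hn writes that assemble `value` in a 32-bit target, given how
 * many characters the attack string emits before the first %hn (in the lab:
 * the two 4-byte addresses plus the output of the leading %x conversions).
 * Both orders are costed and the shorter one is kept. */
struct hn_plan plan_hn_writes(uint32_t value, unsigned printed)
{
    unsigned lo = value & 0xffff, hi = value >> 16;
    unsigned lo_a = pad_to(printed, lo), lo_b = pad_to(printed + lo_a, hi); /* low half first */
    unsigned hi_a = pad_to(printed, hi), hi_b = pad_to(printed + hi_a, lo); /* high half first */
    struct hn_plan p;
    if (hi_a + hi_b < lo_a + lo_b) { p.high_first = 1; p.w1 = hi_a; p.w2 = hi_b; }
    else                           { p.high_first = 0; p.w1 = lo_a; p.w2 = lo_b; }
    return p;
}

/* Carry the plan out with a real %hn write. half[0] plays the lower address
 * (0x0904a040 in the report) and half[1] the one two bytes above it, which
 * on little-endian x86 hold the low and high 16 bits of the target. */
uint32_t demo_write(uint32_t value, unsigned printed)
{
    short half[2] = {0, 0};
    struct hn_plan p = plan_hn_writes(value, printed);
    short *first  = p.high_first ? &half[1] : &half[0];
    short *second = p.high_first ? &half[0] : &half[1];
    size_t cap = (size_t)printed + 2 * 0x10000 + 1;   /* room for both pads */
    char *out = malloc(cap);
    if (out == NULL) return 0;
    /* "%*s" with an empty string emits `printed` spaces, standing in for the
     * bytes the real attack string emits before the first %hn. The padding
     * conversions print the value 0, so "%.Nx" emits exactly N characters. */
    snprintf(out, cap, "%*s%.*x%hn%.*x%hn",
             (int)printed, "", (int)p.w1, 0u, first, (int)p.w2, 0u, second);
    free(out);
    return (uint32_t)(uint16_t)half[0] | ((uint32_t)(uint16_t)half[1] << 16);
}

int main(void)
{
    struct hn_plan p = plan_hn_writes(0xff990000u, 8);
    printf("%s half first: %%.%ux%%hn%%.%ux%%hn\n",
           p.high_first ? "high" : "low", p.w1, p.w2);
    printf("target after writes: 0x%08x\n", demo_write(0xff990000u, 8));
    return 0;
}
```

For 0xff990000 the planner picks the same order the report uses: reach 0xff99 first (65425 more characters when 8 have already been printed), write it with %hn into the upper half, then print 103 more characters so the counter reaches 0x10000 and the low half receives 0x0000. In the real attack string the padding conversion consumes a stack word rather than an explicit 0; that word prints exactly N characters only when N is at least its digit count, which is why a precision of 8 or more (as in the lab's %.8x) is safe for any 32-bit value.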
Task 6: Inject Malicious Code into the Server Program
As shown in fig 6-3, I first make sure the address is right, so I use input_target, which aims at
modifying target to be the address of the malicious code (I set 0xbffff1c0 as the address of the
malicious code). Then I use the format string shown in fig 6-3 to launch my attack; I divide the
address of the malicious code into two parts to write into the return address of myprintf(). After
that, I check whether myfile still exists. It is clear that myfile is deleted by my attack, as shown
in fig 6-2.
The reason I use \x90: a NOP sled widens the entry point of my injected code, so I can use an
address that is not exact. The NOP instruction does nothing except advance the instruction
pointer, so as long as I jump to any one of the NOP instructions, execution slides forward until it
reaches the malicious code.
Figure 6-1
Figure 6-2
Figure 6-3
Figure 6-4: the location of the malicious code: 0xBFFFF1C0 points at the start of the NOP sled (NOP NOP ... NOP), which is followed by the malicious code
Task 7: Getting a Reverse Shell
I modify the format string from task 6, as shown in fig 7-2; the IP address of the client, 10.0.2.8,
is included in the format string. Then I launch the TCP server on the client and launch the attack
against the server. The attack result is shown in fig 7-2, which shows that I get the reverse shell.
Figure 7-1
Figure 7-2
Task 8: Fixing the Problem
The warning tells the programmer that the format string passed to printf should be a string
literal rather than a variable. In server.c, printf(msg); is what makes the program vulnerable, so I
modify the code to printf(“%s”, msg);. As shown in fig 8-1, there is no longer a gcc compiler
warning. I launch the attack as in task 7; as shown in fig 7-2, I don’t get the reverse shell, so my
attack fails.
Figure 8-1
Figure 7-2
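As an added illustration of the Task 8 fix (example code written for this page, not the lab's server.c), the two printf shapes are rendered into a buffer so the difference is observable without crashing the process. The message "100%% done" is a constructed input: the vulnerable shape interprets the %% directive and emits a single %, while the fixed shape copies the message through byte for byte, directives and all. Compiling this with gcc -Wformat-security reproduces the warning the report refers to, on the render_unsafe line only.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape of the lab's server: the message itself is the format
 * string, so every % directive it contains is interpreted. Rendered into a
 * buffer instead of stdout so the effect can be inspected. */
int render_unsafe(char *out, size_t cap, const char *msg)
{
    return snprintf(out, cap, msg);          /* same defect as printf(msg) */
}

/* Fixed shape: a literal format with the message as the %s argument, so the
 * message is copied through unchanged. */
int render_safe(char *out, size_t cap, const char *msg)
{
    return snprintf(out, cap, "%s", msg);    /* same shape as printf("%s", msg) */
}

/* 1 if the renderer reproduces `msg` exactly, 0 if directive processing
 * altered it (or the output did not fit). */
int passes_through(int (*render)(char *, size_t, const char *), const char *msg)
{
    char out[256];
    int n = render(out, sizeof out, msg);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, msg) == 0;
}

int main(void)
{
    const char *msg = "100%% done";            /* constructed input containing a directive */
    char out[256];
    render_unsafe(out, sizeof out, msg);
    printf("unsafe: \"%s\" -> \"%s\"\n", msg, out);
    render_safe(out, sizeof out, msg);
    printf("safe:   \"%s\" -> \"%s\"\n", msg, out);
    return 0;
}
```

Only %% is used as the probe on the unsafe path on purpose: a %x or %n in a format with no matching argument is undefined behaviour (exactly what Tasks 3 to 7 exploit), so the check is done with a directive that needs no argument. The safe renderer is also checked with a message carrying %x and %n to show those reach the output as plain text.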
