Description
Welcome to my little crackme! Your goal is to get a shell!
As usual, patching is not allowed. ld_preload, DLL injection and rootkits are not allowed either. I hope the crackme is not overrated or underrated. Have fun!
_sam on 4:15 PM 03/25/2020: Hi, can you give me a hint?
tim0tei on 6:54 AM 03/26/2020: @_sam there is no name/pass algo to reverse, but one of the used C functions can be exploited.
ano12 on 6:09 PM 03/28/2020: There is a format string vuln, but I don't know how to exploit it.
BitFriends on 10:45 PM 03/28/2020: @_sam try objdump -t ;)
ano12 on 10:09 AM 03/29/2020: Can someone give me a hint? I know there is a format string, but I don't have a clue how to exploit it.
tim0tei on 12:24 PM 03/29/2020: @ano12 I found this quite useful: http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf
ano12 on 5:15 PM 03/29/2020: I am able to write the address which is at %7$p to the stack, but not able to write to its memory. I wrote a Python script with pwntools to interact with the process. I'm getting nowhere. Can someone help me?
My email: ano12@pm.me
BitFriends on 1:53 PM 03/31/2020: Hint: %p does NOT write to memory.
ano12 on 5:00 PM 03/31/2020: Yeah, I know it's %n, but it's not working. I think I'm missing something.
tim0tei on 6:13 PM 03/31/2020: For me it works this way:
"\x9a\x0e\x00\x00_%08x.%08x.%08x.%08x.%08x.%3676u%n"
BitFriends on 8:32 PM 03/31/2020: @tim0tei please submit a solution when you've got it. Don't spoil.
terbo on 2:19 AM 04/18/2020: Guys, where is the 3676 coming from? I've no idea.
tim0tei on 4:45 AM 04/19/2020: @terbo It does not need to be 3676. What you input before may change that value.
ano12 on 3:23 PM 04/20/2020: "%3737u %7$n"
ano12 on 3:24 PM 04/20/2020: and then "shell".
That's all. Easy.
nm on 9:54 PM 09/11/2020: Spoilery comment, but I assume it's okay since there are already spoilers commented. So it appears that the address for the "admin" global variable is the 7th parameter on the stack. Two questions about this:
1. When using objdump/ghidra, I saw the address for admin was something like "0010407c". When using the string format exploit to print out the stack values, the 7th parameter always ended in 7c but otherwise was completely different every time. Is this due to address randomization moving around the BSS segment?
2. I assume the address of "admin" is only on the stack in the first place due to it being a leftover pushed argument when calling strcpy(admin_cpy, (char *)%admin)?
Thanks!
BitFriends on 5:51 PM 10/07/2020: @nm you don't have to worry about the address, because it's already on the stack. Just write to it using the format string vuln.
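The thread turns on two things: a printf-family call that takes user input as its format string, and the fact that the number `%n` stores is simply a count of characters emitted so far, which is why the field width (3676 in one post, 3737 in another) shifts with whatever is printed before it. The C below is an added illustration, not the crackme's code and not anything posted by the participants: it shows the vulnerable call pattern next to its one-line fix, computes the `%n` count for a given prefix and width using a literal format (the directive's legitimate use), and includes a small audit check that flags `%` directives in a string about to be used as a format. The function names and the sample input are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (hypothetical, mirrors what the thread describes):
 * user data is passed as the format string, so the user controls every
 * directive, including %n. gcc/clang report this with -Wformat-security. */
void echo_vulnerable(const char *user)
{
    printf(user);
}

/* Hardened form: the format is a literal and user data is an argument.
 * "%08x" or "%n" inside user is printed verbatim, never interpreted. */
void echo_fixed(const char *user)
{
    printf("%s", user);
}

/* What %n actually stores: the number of characters emitted so far in this
 * call. A field width pads its conversion to exactly that many characters,
 * so the value depends on the width plus everything printed before it.
 * The format here is a literal and %n targets our own local int, which is
 * the ordinary, defined use of the directive. */
int chars_before_n(const char *prefix, int width)
{
    char scratch[8192];            /* large enough that nothing is truncated */
    int count = -1;
    /* '*' takes the width from the argument list, keeping the format literal */
    snprintf(scratch, sizeof scratch, "%s%*u%n", prefix, width, 0u, &count);
    return count;
}

/* Cheap audit check for a fuzz harness or code review helper: does a string
 * contain any conversion directive at all? "%%" is an escaped percent sign
 * and does not count. */
int contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {         /* "%%" prints a single '%' */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *sample = "%08x.%08x";      /* constructed user input */

    echo_fixed(sample);                    /* prints the directives literally */
    putchar('\n');
    printf("%%n count for width 3676, no prefix:  %d\n", chars_before_n("", 3676));
    printf("%%n count for width 3676, 4-byte prefix: %d\n", chars_before_n("AAAA", 3676));
    printf("sample contains directives: %d\n", contains_format_directive(sample));
    printf("\"100%% done\" contains directives: %d\n", contains_format_directive("100%% done"));
    return 0;
}
```

`echo_vulnerable` is deliberately never called with the sample: passing a string that contains conversions and no matching arguments is undefined behaviour, which is exactly the defect the thread is exploiting. The `chars_before_n` results show why tim0tei's and ano12's widths differ: four characters printed before the padded conversion raise the stored count by four, so the width has to be chosen against everything else in the payload.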