Is it generally possible to exploit a format string vuln without access to the binary and very limitted input space?

I’m working on a challenge where you have to send a password to a server. If the password doesn’t have exactly 23 characters, you’re told that it is too short or too long. If it has 23 characters but is not correct, you get the message “[pass] is not correct” - which is a vulnerable format string!

But since I’m limitted to 23 characters, I can only read out 7 values from the stack. And since I don’t have the binary, I can’t read out adresses to jump to anyways. Is there any way this can be exploited, or am I on the wrong track?

What kind of passwords are you sending? It’s a pain in the ass since you don’t have the binary but I would suggest automating the attack with a fuzzer or just looping something with addresses so you can print out the values on the stack, have you been able to get anything to return?

I tried sending ‘AA’+’%x '*7 and got the values AA400bff d6751780 68742065 776f6c6c 1 20770e19 776f2077. The second value changes every time, but other than that, I see nothing interesting here. Interestingly, if I send a bunch of %s instead, I get no response at all.

What do you mean by “looping something with adresses”?

I explored the memory a bit more (by sending “%x %x%x%x%x%x%x%x%x%x%x”, moving the space, using %p and %n too), this is what I got:

   using %x using %p
01 00400bff 0x400bff
02 8f82a780 0x7fab8616a780 changes everytime I post a password & is writable using %n
03 68742065 0x6f66206568742065
04 776f6c6c 0x3a676e69776f6c6c
05 00000001 0x1                
06 2077377d 0x3f7d226a28773f7d 
07 2a6a2077 0x28776f28776f2877 
08 6f782a6a 6a78226a 6a78723f 6a78726f 0x3f7d723f7d726f 0x2e39332e36773f 0x2e3933217d226 0x2e393c6a28776f 0x2e36773f7d723f 0x217d226a78226a Interesting, changes depending on how many chars have been printed when the second variable is written using %n
09 7367c910 0x7ffe004e6120 changes everytime I post a password & is writable using %n
10 004007a0 0x4007a0
11 00400a42 0x400a42

%n can only be used at the 2nd and 9th position, otherwise I get no answer (crash?). I don’t know what to do with all this information though. And to my knowledge, this is all I can do with format string exploitation and what I have available. Damn, this is supposed to be a “Medium” challenge! :smiley:

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.