Today I will show you a format string vulnerability that I found in Pocket Tanks Deluxe. This type of weakness can be very dangerous if well handled: it is possible to cause a remote buffer overflow on the victim machine and perhaps a shell injection to take control of the remote PC.
In the first picture you can see the format string (fs) command that I sent to the victim host, something like
without the double quotes, obviously. This fs was made to check whether there is any chance to write the registers.
The image above shows the fs output on the victim PC; I’ve highlighted the interesting parts in yellow. As you can see, I put four “A” at the beginning of the format string; the hex value for that character is “41” (ASCII table), so now we know the exact position to write the EAX register.
In the next step we need only change our format string a bit, adding the fs command “%n” at the end of the string
This parameter allows us to write an arbitrary address into the stack; if you look at the picture, in the red square, you should see that the actual EAX value is “41414141”, so we finally gained access to EAX, causing a Buffer Overflow (BOF).
The last move should be conquering the ECX register to obtain full control of the program flow. I’ve played a bit with the “field width” to write some value into ECX, but unfortunately I had no success; the target requires further investigation.
To avoid the problem it is necessary to fix the format string parameter passed to the sprintf function; I’ve already reported the vulnerability to the author. I hope he will fix this threat as soon as possible.
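As an added illustration (not code from the game or from this post), the snippet below shows the fix the last paragraph asks for: a constant format string with the player message consumed as data, plus a small helper that counts printf directives in a message so that a server can log or drop inputs like the one described above. The function names and the “Player says:” prefix are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (the one the post describes): the user-controlled
 * message is itself the format argument, so %x, %p, %s and %n inside it are
 * interpreted by sprintf instead of being copied:
 *
 *     sprintf(out, msg);    // never do this with untrusted msg
 */

/* Hardened form: the format is a literal, msg is only ever read by %s, and
 * snprintf bounds the write. Returns bytes written or -1 on error/truncation. */
static int render_message_safe(char *out, size_t out_len, const char *msg)
{
    int n = snprintf(out, out_len, "Player says: %s", msg);
    if (n < 0 || (size_t)n >= out_len)
        return -1;             /* encoding error or output did not fit */
    return n;
}

/* Detection helper: count format directives in a message. A doubled "%%"
 * is a literal percent sign and is not counted. Useful for logging or
 * rejecting inputs such as "AAAA%x%x%n" before they reach any formatter. */
static int count_format_directives(const char *msg)
{
    int count = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {     /* "%%" -> literal '%' */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[64];
    const char *probe = "AAAA%x%x%n";   /* constructed sample input */
    if (render_message_safe(buf, sizeof buf, probe) < 0)
        return 1;
    printf("%s (directives seen: %d)\n", buf, count_format_directives(probe));
    return 0;
}
```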