
Posts

Showing posts from February, 2021

Solving Ropemporium - ret2win - 32 bit , 64 bit

There are plenty of great tutorials and writeups on these topics on the internet. As pwning is not my regular job, I am documenting the topics I have learnt by reading other blogs and writeups, and a few topics I learnt the hard way. This also helps me to warm up on the same topics from time to time and to document the things I encountered that did not go as smoothly as the writeup. I will also be updating each topic from time to time with anything new I learn: improving the exploit, finding new ways to solve the same challenge by reading other blogs, and some impressive methods of solving from other authors.

The challenge is from https://ropemporium.com/ . I will be solving both the 32-bit and 64-bit versions of the binary.

Solving ret2win - 32 bit

Steps: create a unique pattern; send the pattern; after the crash, find the pattern offset from the value in EIP; find the address we wish to jump to; then create the final payload from that offset and the address we wish to jump to.

Creating a pattern of 100 bytes a

Using CodeQL variant analysis to find format string vulnerabilities - Part 2 ( Taint Analysis )

In our previous post we saw examples of how to perform simple analysis with CodeQL to detect format string vulnerabilities. There are a couple of issues with the queries we wrote there. Let us take an example where the data passed to a printf() call is hardcoded, so the attacker has no control over it. The earlier queries would still report that call, and we would end up with too many false positives. This is where taint analysis becomes useful.

Here is the code that we are going to analyze. Let us also try to exploit it and see in which scenarios it is vulnerable. With my input %08x.%08x, there are 3 cases where the input causes a format string attack, so my model should be able to find these 3 potentially exploitable paths.

Next, let us try to model the taint flow from source to sink, where my source will be the user's input variable and my sink will be a flow where the user's input variable is passed as the first parameter to printf(user

Using CodeQL variant analysis to find format string vulnerabilities - Part 1

Code review and static code analysis are something I really enjoy doing for fun and sometimes for bread and butter. CodeQL is used for variant analysis, which is something like searching a codebase for a modelled code pattern. In this blog post I am going to use the following example and play around with CodeQL to find exact matches for the vulnerable format string expression.

Using the input "%08x.%08x", I can see there are 2 scenarios where I successfully exploit a format string vulnerability:

Enter your name:%08x.%08x
Executing function 1
%08x.%08x
Executing function 2
1a8571fe
Executing function 3
64ed32a0.00000000  ====> Exploited
Executing function 4
1a8571fe.1a857180  ====> Exploited
Executing function 1
I am hardcoded
Executing function 3
I am hardcoded but safe

So my objective will be to play around with CodeQL and write a few queries that detect the code pattern where the input is used directly as the format string. Hence m