The following session hacks the target bag process. First the hacker inspects the victim's heap to find what the victim has typed in for their password ("secret_pass_key" in this case). Then the hacker modifies the recipient of an item, located in a stack-allocated array, so that Farfetch'd receives it instead of Jae.

Victim runs bag in their shell, enters a password and recipient:

    $ # entering password "secret_pass_key"
    $ ./bag
    Top secret key:
    1: 10 Poké Balls
    2: 10 Potions
    3: 10 Rare Candies
    Give to: Jae
    Which item (1-3):

Attacker uses farfetchd to inspect the password and modify the recipient:

    $ # wait for victim to run 'bag' and enter key/recipient
    $ pgrep bag
    1430
    $ grep -E '(heap|stack)' /proc/1430/maps
    aaaaf9d09000-aaaaf9d2a000 rw-p 00000000 00:00 0 [heap]
    fffff7b0d000-fffff7b2e000 rw-p 00000000 00:00 0 [stack]
    $ sudo ./farfetchd 1430 0xaaaaf9d09000 $((0xaaaaf9d2a000-0xaaaaf9d09000))
    bvi version 1.4.0 Copyright (C) 1996-2014 by Gerhard Buergmann
    $ # found "secret_pass_key"!
    $ sudo ./farfetchd 1430 $((0xfffff7b2e000-(4096*2))) $((4096*2))
    bvi version 1.4.0 Copyright (C) 1996-2014 by Gerhard Buergmann

Victim shell continued:

    Which item (1-3): 3
    Gave 1 Rare Candy to "Farfetch'd"
    1: 10 Poké Balls
    2: 10 Potions
    3: 9 Rare Candies
    Give to: ^C
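The session works because bag keeps the typed key sitting in its heap for its whole run, and because its memory is open to anyone who can open /proc/1430/mem. The program below is an added example, not the assignment's bag or farfetchd code, showing the two things a victim program can do about that: mark itself non-dumpable so /proc/pid/mem and ptrace are refused to other unprivileged users (the attacker above used sudo, which this does not stop), and overwrite the secret the moment it has been used so the window for the heap inspection shown above is as short as possible. The function names (harden_process, scrub_secret, take_secret, demo_scrub), the byte-sum "fingerprint" standing in for whatever bag really does with the key, and the sample secret are all this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Refuse core dumps and, on Linux, make the process non-dumpable.
 * Non-dumpable processes have /proc/<pid>/mem and ptrace access
 * limited to root / CAP_SYS_PTRACE, so an unprivileged farfetchd-style
 * reader is refused; a root attacker (as with sudo above) is not.
 * Returns 0 on success, -1 on failure. */
int harden_process(void)
{
    struct rlimit no_core = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &no_core) != 0)
        return -1;
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Overwrite a secret through a volatile pointer so the compiler cannot
 * drop the stores as dead code (a plain memset right before free()
 * often is optimised away, leaving the secret in the freed heap). */
void scrub_secret(char *buf, size_t len)
{
    volatile char *p = (volatile char *)buf;
    while (len--)
        *p++ = 0;
}

/* 1 if every byte of buf is zero, else 0. */
int is_scrubbed(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Stand-in for whatever bag does with the key (assumption: it only
 * needs a derived, non-secret value afterwards). Derives a byte-sum
 * fingerprint, then scrubs the whole buffer before returning, so the
 * plaintext key no longer lives in the heap once this returns. */
unsigned take_secret(char *secret, size_t cap)
{
    size_t n = 0;
    while (n < cap && secret[n] != '\0')
        n++;
    unsigned fingerprint = 0;
    for (size_t i = 0; i < n; i++)
        fingerprint = fingerprint * 31u + (unsigned char)secret[i];
    scrub_secret(secret, cap);
    return fingerprint;
}

/* Self-check on a constructed sample secret: 1 if the buffer came back
 * fully zeroed from take_secret, 0 otherwise. */
int demo_scrub(void)
{
    char key[32];
    memset(key, 0, sizeof key);
    strcpy(key, "secret_pass_key");   /* constructed sample, as in the session */
    (void)take_secret(key, sizeof key);
    return is_scrubbed(key, sizeof key);
}

int main(void)
{
    if (harden_process() != 0)
        perror("harden_process");

    size_t cap = 64;
    char *key = calloc(cap, 1);       /* heap-allocated, like bag's key */
    if (!key)
        return 1;

    printf("Top secret key: ");
    fflush(stdout);
    if (fgets(key, (int)cap, stdin) != NULL)
        key[strcspn(key, "\n")] = '\0';

    unsigned fp = take_secret(key, cap);
    printf("key fingerprint %08x, buffer scrubbed: %s\n",
           fp, is_scrubbed(key, cap) ? "yes" : "no");
    free(key);
    return 0;
}
```

Run it the way bag is run above and then repeat the grep of /proc/<pid>/maps and the heap read: as an unprivileged user the read of /proc/<pid>/mem is refused, and even with sudo the key string is gone from the heap once the prompt has been answered. Neither measure helps against the second half of the session, the write to the stack-allocated recipient, since a root attacker can still write the process's memory; that is a matter of who is allowed root on the machine, not of the program.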