SlideShare a Scribd company logo

Format String Vulnerability

Jian-Yu Li
Jian-Yu Li

Video links: part1: https://youtu.be/FvGhDlK36PI part2: https://youtu.be/oiicCDA4RNc part3: https://youtu.be/o3KXSayMvhw

Software
1 of 43
Download to read offline
Format String Vulnerability 1
2 • briansp8210 • 交通大學資工系大二 • 喜歡學習 pwn 題的相關技巧 XD whoami
What is it ? 3
What is it ? 4
Looking into stack with gdb buffer 5
0x080484b2 0xffffd378 0xffffd5bf …… 0x41414141 0x25207025 …… stack printf(“AAAA%p %p %p %p %p %p %p %p %p %p”); 6 Looking into stack with gdb
return address 1st argument address of buffer 2nd argument …… 6th argument 7th argument …… stack  printf() can have variable number of arguments .  For each format specifiers, it retrieves argument from stack .  If we provide enough format specifiers, we can finally fetch our target .  And when we get the offset of our target, we can do read / write on arbitrary address ! 7 Looking into stack with gdb
Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier 8
Conversion specification %x : unsigned integer as hexadecimal %s : string pointed by the argument %p : pointer address %n : store the number of characters written so far by current call of printf() to the location pointed by the correspond argument . % [parameter] [flags] [width] [.precision] [length] specifier 9
Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier Example: Usage: Use with [width], we can write arbitrary value to an address . 10
(num)$ : access the (num)th argument to manipulate Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier 11
Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier Example: Usage: when knowing the offset, we can use this to manipulate specific value on stack . 12
Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier %(num)c : output at least num character. 13
Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier Example: Usage: Use with %n, we can write arbitrary value to an address . 14
Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier %h : interpret the argument as short int or short int* %hh : interpret the argument as char or char* 15
Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier Example: Usage: write only one or two bytes of data in the specified location. 16
modify the value of variable 17
What else can we do ?  Bypass stack canary  Leak libc address  GOT hijacking 18
What else can we do ?  Bypass stack canary  Leak libc address  GOT hijacking 19
Stack canary  Store a random number on stack .  Before return, check whether the value is the same with the original one .  Prevent the occurrence of stack overflow .  gcc option:  -fstack-protector (enable)  -fno-stack-protector (disable) 20
How canary prevent us from exploiting …… …… …… …… return address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret buf eax = 0x14e9b800 21
How canary prevent us from exploiting …… …… 0x14e9b800 …… return address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret 22 buf
How canary prevent us from exploiting AAAA AAAA AAAA AAAA Controlled address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret 23 buf
How canary prevent us from exploiting AAAA AAAA AAAA AAAA Controlled address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret edx = 0x41414141 24 buf
How canary prevent us from exploiting AAAA AAAA AAAA AAAA Controlled address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret Because what we retrieve from stack now is not the original value, the result will not be 0 . 25 buf
How canary prevent us from exploiting AAAA AAAA AAAA AAAA Controlled address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret edx = 0x41414141 Since the result ≠ 0, it will not jump to <main+56> 26 buf
How canary prevent us from exploiting ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret 27
Bypass stack canary • We can use fmt vulnerability to leak the canary . • When doing overflow, putting the leaked canary at the original position . 28
What else can we do ?  Bypass stack canary  Leak libc address  GOT hijacking 29
Lazy binding  Solve the waste of linking all function  binding a function when it was called the first time  without binding unused function  Implemented by PLT (Procedure Linkage Table)  _dl_runtime_resolve()  resolve a function which is called the first time 30
How it exactly works 31
How it exactly works When we call the function, it jumps to the .plt entry . This is why we can use .plt entry of a function as the address of the function in ret2libc exploit . 32
How it exactly works If the function is called for the first time, its GOT entry just stores the next instruction’s address . 33
How it exactly works 34
How it exactly works After setting arguments, call _dl_runtime_resolve() 35
How it exactly works 36
How it exactly works When the function is called again, it will still jump to .plt entry . 37
How it exactly works Since the address of the function in libc has been written on its GOT entry, it can directly jump and execute it . 38
Leak libc address  For a dynamically linked program, foo() has been called at least once .  GOT entry of foo() will be address of foo() in libc .  Use the arbitrary read ability of format string vulnerability to leak this address.  If we know the offset of foo() in libc  Base address = address of foo() - offset 39
GOT hijacking 40  To implement lazy binding, GOT is writable .  overwrite foo()’s GOT entry to bar()’s address .  next time program want to call foo(), will actually call bar() .
GOT hijacking  To implement lazy binding, GOT is writable .  overwrite foo()’s GOT entry to bar()’s address .  next time program want to call foo(), will actually call bar() . 41
GOT hijacking 42
Reference  程式設計師的自我修養 --連結. 載入. 程式庫  Format String Vulnerability  Introduction to format string exploits  Execution of ELF  Runtime Symbol Resolution 43

Recommended

Computer Programming- Lecture 5
Computer Programming- Lecture 5 Computer Programming- Lecture 5
Computer Programming- Lecture 5 Dr. Md. Shohel Sayeed
 
Strings in c
Strings in cStrings in c
Strings in cvampugani
 
String & its application
String & its applicationString & its application
String & its applicationTech_MX
 
Data type2 c
Data type2 cData type2 c
Data type2 cthirumalaikumar3
 
Strinng Classes in c++
Strinng Classes in c++Strinng Classes in c++
Strinng Classes in c++Vikash Dhal
 
05 c++-strings
05 c++-strings05 c++-strings
05 c++-stringsKelly Swanson
 
Activate 2019: Tweaking the Base Score: Lucene/Solr Similarities Explained
Activate 2019: Tweaking the Base Score: Lucene/Solr Similarities ExplainedActivate 2019: Tweaking the Base Score: Lucene/Solr Similarities Explained
Activate 2019: Tweaking the Base Score: Lucene/Solr Similarities ExplainedRadu Gheorghe
 
Tweaking the Base Score: Lucene/Solr Similarities Explained
Tweaking the Base Score: Lucene/Solr Similarities ExplainedTweaking the Base Score: Lucene/Solr Similarities Explained
Tweaking the Base Score: Lucene/Solr Similarities ExplainedSematext Group, Inc.
 

Recommended

Computer Programming- Lecture 5
Computer Programming- Lecture 5 Computer Programming- Lecture 5
Computer Programming- Lecture 5 Dr. Md. Shohel Sayeed
 
Strings in c
Strings in cStrings in c
Strings in cvampugani
 
String & its application
String & its applicationString & its application
String & its applicationTech_MX
 
Data type2 c
Data type2 cData type2 c
Data type2 cthirumalaikumar3
 
Strinng Classes in c++
Strinng Classes in c++Strinng Classes in c++
Strinng Classes in c++Vikash Dhal
 
05 c++-strings
05 c++-strings05 c++-strings
05 c++-stringsKelly Swanson
 
Activate 2019: Tweaking the Base Score: Lucene/Solr Similarities Explained
Activate 2019: Tweaking the Base Score: Lucene/Solr Similarities ExplainedActivate 2019: Tweaking the Base Score: Lucene/Solr Similarities Explained
Activate 2019: Tweaking the Base Score: Lucene/Solr Similarities ExplainedRadu Gheorghe
 
Tweaking the Base Score: Lucene/Solr Similarities Explained
Tweaking the Base Score: Lucene/Solr Similarities ExplainedTweaking the Base Score: Lucene/Solr Similarities Explained
Tweaking the Base Score: Lucene/Solr Similarities ExplainedSematext Group, Inc.
 
String c
String cString c
String cthirumalaikumar3
 
C string
C stringC string
C stringUniversity of Potsdam
 
String in c programming
String in c programmingString in c programming
String in c programmingDevan Thakur
 
Code GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersCode GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersMarina Kolpakova
 
Advanced+pointers
Advanced+pointersAdvanced+pointers
Advanced+pointersRubal Bansal
 
Huffman Coding
Huffman CodingHuffman Coding
Huffman CodingEhtisham Ali
 
C programming - String
C programming - StringC programming - String
C programming - StringAchyut Devkota
 
Go Native : Squeeze the juice out of your 64-bit processor using C++
Go Native : Squeeze the juice out of your 64-bit processor using C++Go Native : Squeeze the juice out of your 64-bit processor using C++
Go Native : Squeeze the juice out of your 64-bit processor using C++Fernando Moreira
 
Code gpu with cuda - CUDA introduction
Code gpu with cuda - CUDA introductionCode gpu with cuda - CUDA introduction
Code gpu with cuda - CUDA introductionMarina Kolpakova
 
strings
stringsstrings
stringsteach4uin
 
GCC
GCCGCC
GCCKir Chou
 
EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5PRADEEP
 
C
CC
CKhan Rahimeen
 
Csdfsadf
CsdfsadfCsdfsadf
CsdfsadfAtul Setu
 
C Programming Unit-3
C Programming Unit-3C Programming Unit-3
C Programming Unit-3Vikram Nandini
 
Handling of character strings C programming
Handling of character strings C programmingHandling of character strings C programming
Handling of character strings C programmingAppili Vamsi Krishna
 
[ASM]Lab8
[ASM]Lab8[ASM]Lab8
[ASM]Lab8Nora Youssef
 
defense
defensedefense
defenseQing Dou
 
Huffman coding
Huffman coding Huffman coding
Huffman coding Nazmul Hyder
 
Strings in C
Strings in CStrings in C
Strings in CKamal Acharya
 
C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)Saifur Rahman
 
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2PVS-Studio
 

More Related Content

What's hot

String in c programming
String in c programmingString in c programming
String in c programmingDevan Thakur
 
Code GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersCode GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersMarina Kolpakova
 
C programming - String
C programming - StringC programming - String
C programming - StringAchyut Devkota
 
Go Native : Squeeze the juice out of your 64-bit processor using C++
Go Native : Squeeze the juice out of your 64-bit processor using C++Go Native : Squeeze the juice out of your 64-bit processor using C++
Go Native : Squeeze the juice out of your 64-bit processor using C++Fernando Moreira
 
Code gpu with cuda - CUDA introduction
Code gpu with cuda - CUDA introductionCode gpu with cuda - CUDA introduction
Code gpu with cuda - CUDA introductionMarina Kolpakova
 
EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5PRADEEP
 
Handling of character strings C programming
Handling of character strings C programmingHandling of character strings C programming
Handling of character strings C programmingAppili Vamsi Krishna
 

What's hot (20)

String c
String cString c
String c
 
C string
C stringC string
C string
 
String in c programming
String in c programmingString in c programming
String in c programming
 
Code GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersCode GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limiters
 
Advanced+pointers
Advanced+pointersAdvanced+pointers
Advanced+pointers
 
Huffman Coding
Huffman CodingHuffman Coding
Huffman Coding
 
C programming - String
C programming - StringC programming - String
C programming - String
 
Go Native : Squeeze the juice out of your 64-bit processor using C++
Go Native : Squeeze the juice out of your 64-bit processor using C++Go Native : Squeeze the juice out of your 64-bit processor using C++
Go Native : Squeeze the juice out of your 64-bit processor using C++
 
Code gpu with cuda - CUDA introduction
Code gpu with cuda - CUDA introductionCode gpu with cuda - CUDA introduction
Code gpu with cuda - CUDA introduction
 
strings
stringsstrings
strings
 
GCC
GCCGCC
GCC
 
EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5EMBEDDED SYSTEMS 4&5
EMBEDDED SYSTEMS 4&5
 
C
CC
C
 
Csdfsadf
CsdfsadfCsdfsadf
Csdfsadf
 
C Programming Unit-3
C Programming Unit-3C Programming Unit-3
C Programming Unit-3
 
Handling of character strings C programming
Handling of character strings C programmingHandling of character strings C programming
Handling of character strings C programming
 
[ASM]Lab8
[ASM]Lab8[ASM]Lab8
[ASM]Lab8
 
defense
defensedefense
defense
 
Huffman coding
Huffman coding Huffman coding
Huffman coding
 
Strings in C
Strings in CStrings in C
Strings in C
 

Similar to Format String Vulnerability

C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)Saifur Rahman
 
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2PVS-Studio
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Kernel TLV
 
Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019
Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019
Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019corehard_by
 
Chapter Eight(3)
Chapter Eight(3)Chapter Eight(3)
Chapter Eight(3)bolovv
 
Lecture 15_Strings and Dynamic Memory Allocation.pptx
Lecture 15_Strings and Dynamic Memory Allocation.pptxLecture 15_Strings and Dynamic Memory Allocation.pptx
Lecture 15_Strings and Dynamic Memory Allocation.pptxJawadTanvir
 
Unit 4
Unit 4Unit 4
Unit 4siddr
 
A nice 64-bit error in C
A nice 64-bit error in CA nice 64-bit error in C
A nice 64-bit error in CPVS-Studio
 
Debugging Applications with GNU Debugger
Debugging Applications with GNU DebuggerDebugging Applications with GNU Debugger
Debugging Applications with GNU DebuggerPriyank Kapadia
 
StackOverflow
StackOverflowStackOverflow
StackOverflowSusam Pal
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]RootedCON
 
46630497 fun-pointer-1
46630497 fun-pointer-146630497 fun-pointer-1
46630497 fun-pointer-1AmIt Prasad
 
A compact bytecode format for JavaScriptCore
A compact bytecode format for JavaScriptCoreA compact bytecode format for JavaScriptCore
A compact bytecode format for JavaScriptCoreTadeu Zagallo
 
Hooking signals and dumping the callstack
Hooking signals and dumping the callstackHooking signals and dumping the callstack
Hooking signals and dumping the callstackThierry Gayet
 

Similar to Format String Vulnerability (20)

C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)
 
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
 
ROP
ROPROP
ROP
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
 
Interpreter, Compiler, JIT from scratch
Interpreter, Compiler, JIT from scratchInterpreter, Compiler, JIT from scratch
Interpreter, Compiler, JIT from scratch
 
Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019
Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019
Как работает LLVM бэкенд в C#. Егор Богатов ➠ CoreHard Autumn 2019
 
Chapter Eight(3)
Chapter Eight(3)Chapter Eight(3)
Chapter Eight(3)
 
test
testtest
test
 
Lecture 15_Strings and Dynamic Memory Allocation.pptx
Lecture 15_Strings and Dynamic Memory Allocation.pptxLecture 15_Strings and Dynamic Memory Allocation.pptx
Lecture 15_Strings and Dynamic Memory Allocation.pptx
 
Unit 4
Unit 4Unit 4
Unit 4
 
A nice 64-bit error in C
A nice 64-bit error in CA nice 64-bit error in C
A nice 64-bit error in C
 
Debugging Applications with GNU Debugger
Debugging Applications with GNU DebuggerDebugging Applications with GNU Debugger
Debugging Applications with GNU Debugger
 
StackOverflow
StackOverflowStackOverflow
StackOverflow
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Quiz 9
Quiz 9Quiz 9
Quiz 9
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
 
46630497 fun-pointer-1
46630497 fun-pointer-146630497 fun-pointer-1
46630497 fun-pointer-1
 
Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3
 
A compact bytecode format for JavaScriptCore
A compact bytecode format for JavaScriptCoreA compact bytecode format for JavaScriptCore
A compact bytecode format for JavaScriptCore
 
Hooking signals and dumping the callstack
Hooking signals and dumping the callstackHooking signals and dumping the callstack
Hooking signals and dumping the callstack
 

Recently uploaded

BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 

Recently uploaded (20)

BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 

Format String Vulnerability

  • 2. 2 • briansp8210 • 交通大學資工系大二 • 喜歡學習 pwn 題的相關技巧 XD whoami
  • 5. Looking into stack with gdb buffer 5
  • 7. return address 1st argument address of buffer 2nd argument …… 6th argument 7th argument …… stack  printf() can have variable number of arguments .  For each format specifiers, it retrieves argument from stack .  If we provide enough format specifiers, we can finally fetch our target .  And when we get the offset of our target, we can do read / write on arbitrary address ! 7 Looking into stack with gdb
  • 8. Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier 8
  • 9. Conversion specification %x : unsigned integer as hexadecimal %s : string pointed by the argument %p : pointer address %n : store the number of characters written so far by current call of printf() to the location pointed by the correspond argument . % [parameter] [flags] [width] [.precision] [length] specifier 9
  • 10. Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier Example: Usage: Use with [width], we can write arbitrary value to an address . 10
  • 11. (num)$ : access the (num)th argument to manipulate Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier 11
  • 12. Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier Example: Usage: when knowing the offset, we can use this to manipulate specific value on stack . 12
  • 13. Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier %(num)c : output at least num character. 13
  • 14. Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier Example: Usage: Use with %n, we can write arbitrary value to an address . 14
  • 15. Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier %h : interpret the argument as short int or short int* %hh : interpret the argument as char or char* 15
  • 16. Conversion specification % [parameter] [flags] [width] [.precision] [length] specifier Example: Usage: write only one or two bytes of data in the specified location. 16
  • 17. modify the value of variable 17
  • 18. What else can we do ?  Bypass stack canary  Leak libc address  GOT hijacking 18
  • 19. What else can we do ?  Bypass stack canary  Leak libc address  GOT hijacking 19
  • 20. Stack canary  Store a random number on stack .  Before return, check whether the value is the same with the original one .  Prevent the occurrence of stack overflow .  gcc option:  -fstack-protector (enable)  -fno-stack-protector (disable) 20
  • 21. How canary prevent us from exploiting …… …… …… …… return address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret buf eax = 0x14e9b800 21
  • 22. How canary prevent us from exploiting …… …… 0x14e9b800 …… return address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret 22 buf
  • 23. How canary prevent us from exploiting AAAA AAAA AAAA AAAA Controlled address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret 23 buf
  • 24. How canary prevent us from exploiting AAAA AAAA AAAA AAAA Controlled address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret edx = 0x41414141 24 buf
  • 25. How canary prevent us from exploiting AAAA AAAA AAAA AAAA Controlled address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret Because what we retrieve from stack now is not the original value, the result will not be 0 . 25 buf
  • 26. How canary prevent us from exploiting AAAA AAAA AAAA AAAA Controlled address …… stack ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret edx = 0x41414141 Since the result ≠ 0, it will not jump to <main+56> 26 buf
  • 27. How canary prevent us from exploiting ..... mov eax,gs:0x14 mov DWORD PTR [esp+0x2c],eax ..... call 0x8048330 <gets@plt> ..... mov edx,DWORD PTR [esp+0x2c] xor edx,DWORD PTR gs:0x14 je 0x80484a5 <main+56> call 0x8048340 <__stack_chk_fail@plt> leave ret 27
  • 28. Bypass stack canary • We can use fmt vulnerability to leak the canary . • When doing overflow, putting the leaked canary at the original position . 28
  • 29. What else can we do ?  Bypass stack canary  Leak libc address  GOT hijacking 29
  • 30. Lazy binding  Solve the waste of linking all function  binding a function when it was called the first time  without binding unused function  Implemented by PLT (Procedure Linkage Table)  _dl_runtime_resolve()  resolve a function which is called the first time 30
  • 31. How it exactly works 31
  • 32. How it exactly works When we call the function, it jumps to the .plt entry . This is why we can use .plt entry of a function as the address of the function in ret2libc exploit . 32
  • 33. How it exactly works If the function is called for the first time, its GOT entry just stores the next instruction’s address . 33
  • 34. How it exactly works 34
  • 35. How it exactly works After setting arguments, call _dl_runtime_resolve() 35
  • 36. How it exactly works 36
  • 37. How it exactly works When the function is called again, it will still jump to .plt entry . 37
  • 38. How it exactly works Since the address of the function in libc has been written on its GOT entry, it can directly jump and execute it . 38
  • 39. Leak libc address  For a dynamically linked program, foo() has been called at least once .  GOT entry of foo() will be address of foo() in libc .  Use the arbitrary read ability of format string vulnerability to leak this address.  If we know the offset of foo() in libc  Base address = address of foo() - offset 39
  • 40. GOT hijacking 40  To implement lazy binding, GOT is writable .  overwrite foo()’s GOT entry to bar()’s address .  next time program want to call foo(), will actually call bar() .
  • 41. GOT hijacking  To implement lazy binding, GOT is writable .  overwrite foo()’s GOT entry to bar()’s address .  next time program want to call foo(), will actually call bar() . 41
  • 43. Reference  程式設計師的自我修養 --連結. 載入. 程式庫  Format String Vulnerability  Introduction to format string exploits  Execution of ELF  Runtime Symbol Resolution 43