Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
CNIT 127: Exploit Development



Ch 4: Introduction to Format String
Bugs
Updated 9-11-19
Understanding Format Strings
Data Interpretation
• RAM contains bytes
• The same byte can be interpreted as
– An integer
– A character
– Part of an ins...
Format String Controls Output
Most Important for Us
• %x Hexadecimal
• %8x Hexadecimal padded to 8 chars
• %10x Hexadecimal padded to 10 chars
• %100x H...
Format String Vulnerabilities
Buffer Overflow
• This code is obviously stupid
char name[10];
strcpy(name, "Rumplestiltskin");
• C just does it, without ...
Format String Without Arguments
• printf("%x.%x.%x.%x");
– There are no arguments to print!
– Should give an error message...
Format String Controlled by User
Explanation
• %x.%x.%x.%x -- read 4 words from stack
• %n.%n -- write 2 numbers to RAM

addresses from the stack
%n Format String
• %n writes the number of characters
printed so far
• To the memory location pointed to by the
parameter
...
printf Family
• Format string bugs affect a whole family
of functions
Countermeasures
Defenses Against Format String
Vulnerabilities
• Stack defenses don't stop format string
exploits
– Canary value
• ASLR an...
Exploitation Technique
Steps for a Format String Exploit
• Control a write operation
• Find a target RAM location
– That will control execution
•...
Control a Parameter
• The format string is on the stack
• Insert four letters before the %x fields
• Controls the fourth p...
Target RAM Options
• Saved return address
– Like the Buffer Overflows we did previously
• Global Offset Table
– Used to fi...
Target RAM Options
• "atexit" structure (link Ch 4n)
• Any function pointer
• In Windows, the default unhandled
exception ...
Disassemble in gdb
• gdb -q ED204
• disassemble main
• First it calls printf
• Later it calls exit
Dynamic Relocation
(also called Global Offset Table (GOT))
• PLT and GOT are used to address shared
libraries
• See links ...
Writing to the GOT
• We control the eip!
Python Code to Write 1 Byte
Write 4 Bytes
Write Chosen Values in 4 Bytes
Write Chosen Values in 4 Bytes
Inserting Dummy Shellcode
xcc is BRK
View the Stack in gdb
• Choose an address in the NOP sled
Dummy Exploit Runs to xcc
Testing for Bad Characters
• Avoid these
Testing for Bad Characters
• All the other characters got through
Generate Shellcode
Keep Total Length of Injection Constant
• Add 'A' characters after shellcode
• To keep the stack frame size constant
Final Check
• Address
in NOP
sled
• Shellcode
intact
Shell
CNIT 127: Ch 4: Introduction to format string bugs
Upcoming SlideShare
Loading in …5
×

CNIT 127: Ch 4: Introduction to format string bugs

113 views

Published on

Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.

Instructor: Sam Bowne

Class website: https://samsclass.info/127/127_F19.shtml

Published in: Education
  • Be the first to comment

  • Be the first to like this

CNIT 127: Ch 4: Introduction to format string bugs

  1. 1. CNIT 127: Exploit Development
 
 Ch 4: Introduction to Format String Bugs Updated 9-11-19
  2. 2. Understanding Format Strings
  3. 3. Data Interpretation • RAM contains bytes • The same byte can be interpreted as – An integer – A character – Part of an instruction – Part of an address – Part of a string – Many, many more...
  4. 4. Format String Controls Output
  5. 5. Most Important for Us • %x Hexadecimal • %8x Hexadecimal padded to 8 chars • %10x Hexadecimal padded to 10 chars • %100x Hexadecimal padded to 100 chars
  6. 6. Format String Vulnerabilities
  7. 7. Buffer Overflow • This code is obviously stupid char name[10]; strcpy(name, "Rumplestiltskin"); • C just does it, without complaining
  8. 8. Format String Without Arguments • printf("%x.%x.%x.%x"); – There are no arguments to print! – Should give an error message – Instead, C just pulls the next 4 values from the stack and prints them out – Can read memory on the stack – Information disclosure vulnerability
  9. 9. Format String Controlled by User
  10. 10. Explanation • %x.%x.%x.%x -- read 4 words from stack • %n.%n -- write 2 numbers to RAM
 addresses from the stack
  11. 11. %n Format String • %n writes the number of characters printed so far • To the memory location pointed to by the parameter • Can write to arbitrary RAM locations • Easy DoS • Possible remote code execution
  12. 12. printf Family • Format string bugs affect a whole family of functions
  13. 13. Countermeasures
  14. 14. Defenses Against Format String Vulnerabilities • Stack defenses don't stop format string exploits – Canary value • ASLR and NX – Can make exploitation more difficult • Static code analysis tools – Generally find format string bugs • gcc – Warnings, but no format string defenses
  15. 15. Exploitation Technique
  16. 16. Steps for a Format String Exploit • Control a write operation • Find a target RAM location – That will control execution • Write 4 bytes to target RAM location • Insert shellcode • Find the shellcode in RAM • Write shellcode address to target RAM location
  17. 17. Control a Parameter • The format string is on the stack • Insert four letters before the %x fields • Controls the fourth parameter – Note: sometimes it's much further down the list, such as parameter 300
  18. 18. Target RAM Options • Saved return address – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
  19. 19. Target RAM Options • "atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit
  20. 20. Disassemble in gdb • gdb -q ED204 • disassemble main • First it calls printf • Later it calls exit
  21. 21. Dynamic Relocation (also called Global Offset Table (GOT)) • PLT and GOT are used to address shared libraries • See links Ch 4o, 4p
  22. 22. Writing to the GOT • We control the eip!
  23. 23. Python Code to Write 1 Byte
  24. 24. Write 4 Bytes
  25. 25. Write Chosen Values in 4 Bytes
  26. 26. Write Chosen Values in 4 Bytes
  27. 27. Inserting Dummy Shellcode xcc is BRK
  28. 28. View the Stack in gdb • Choose an address in the NOP sled
  29. 29. Dummy Exploit Runs to xcc
  30. 30. Testing for Bad Characters • Avoid these
  31. 31. Testing for Bad Characters • All the other characters got through
  32. 32. Generate Shellcode
  33. 33. Keep Total Length of Injection Constant • Add 'A' characters after shellcode • To keep the stack frame size constant
  34. 34. Final Check • Address in NOP sled • Shellcode intact
  35. 35. Shell

×