Format String Vulnerability
By Rakesh P, Amrita University

→ Rakesh Paruchuri (nuc13us)
→ Security Enthusiast
→ Love playing CTFs (team bi0s)
→ Intern with Amrita Center for Cyber Security
Outline:
→ Background
→ Introduction
→ Format string functions
→ Format specifiers
→ How printf works
→ Exploiting format string
→ Format string vulnerability vs. buffer overflow
Background
What is a vulnerability?
What is binary exploitation?
● Buffer overflow
● Heap overflow
● Format string, and many more...
Let's go a little deeper into format strings.
Program in execution
● Executable section: TEXT
  – The actual code that will be executed
● Initialized data: DATA
  – Global variables
● Uninitialized data: BSS
● Local variables: Stack
Stack view during function calls

    ....
    push j              ; arguments are pushed right to left
    push i
    call add            ; pushes the return address, then jumps to add
    add esp, 0x8        ; caller removes the two arguments
    ....
add:
    mov eax, [esp+0x4]  ; i (the return address sits at [esp])
    mov ebx, [esp+0x8]  ; j
    add eax, ebx
    ret

[Figure: stack diagram during the call to add, labelled "Higher address" and "Lower address", with 0xDEADCAFE shown as a sample stack entry]
How printf works
● printf can take a variable number of arguments.
  – printf(<format string>, ...);
● The arguments must be stored on the stack.
● Those arguments are accessed through the format specifiers given in the format string.
● Format string "%d" → assumes there is one argument
● Format string "%s %d" → assumes two arguments
Format String Functions
int printf(const char *format, ...);
int fprintf(FILE *stream, const char *format, ...);
int sprintf(char *str, const char *format, ...);
int snprintf(char *str, size_t size, const char *format, ...);
Format Specifiers

Specifier   Description                                Passed as
%d          Decimal                                    value
%u          Unsigned decimal                           value
%s          String                                     reference
%x          Hexadecimal                                value
%n          Write the number of bytes written so far   reference
Exploiting Format String
What can a format string vulnerability lead to?
● Viewing the process memory
● Crashing the program
● Overwriting the instruction pointer or another process memory location with malicious data
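As an added example (not part of the slides), the C code below applies the argument-counting rule from "How printf works" to a whole format string and flags the %n specifier from the table, beside the fixed-format call that neutralises the printf(user) pattern behind the three outcomes above. It goes beyond the slides by also handling "%%" and '*' width/precision, which consume extra arguments; audit_format and log_message_safe are names chosen here, and the sample input is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Result of auditing one format string before it reaches printf. */
typedef struct {
    int  expected_args;  /* arguments the conversions would pull off the stack */
    bool has_n;          /* contains %n: a write, not just a read */
    bool malformed;      /* a '%' with no valid conversion after it */
} fmt_audit;

/* Walk the string the way printf does: each conversion, and each '*'
 * width or precision, consumes one more argument whether or not the
 * caller pushed one. That mismatch is the whole vulnerability. */
fmt_audit audit_format(const char *fmt)
{
    fmt_audit r = {0, false, false};
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                                /* "%%" is a literal '%' */
            continue;
        while (*p && strchr("-+ #0", *p))             /* flags */
            p++;
        if (*p == '*') { r.expected_args++; p++; }    /* width from an int argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                              /* precision */
            p++;
            if (*p == '*') { r.expected_args++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p))           /* length modifiers */
            p++;
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p)) {
            r.malformed = true;
            if (!*p)
                break;
            continue;
        }
        r.expected_args++;
        if (*p == 'n')
            r.has_n = true;
    }
    return r;
}

/* The vulnerable pattern from the talk is printf(user): the user string
 * becomes the format. The fix is a fixed format with the user string
 * passed as data, so its '%' characters are printed, not interpreted. */
int log_message_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

int main(void)
{
    const char *user = "%x.%x.%x.%n";   /* constructed sample input */
    fmt_audit a = audit_format(user);
    char line[64];
    printf("expects %d args, has %%n: %d, malformed: %d\n",
           a.expected_args, a.has_n, a.malformed);
    log_message_safe(line, sizeof line, user);
    printf("logged as data: %s\n", line);
    return 0;
}
```

On x86-64 the first few arguments travel in registers rather than on the stack, but the counting rule is the same. GCC and Clang also warn about the printf(user) pattern at compile time with -Wformat -Wformat-security.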
Format String Vulnerability vs. Buffer Overflow

Buffer overflow                      Format string
Discovered in the 1980s              Discovered in 1999
Exploits number in the thousands     Far fewer exploits
Security threat                      Programmer's mistake
Difficult to find                    Easy to find
Attacks on Format String:
● Sudo (privilege escalation)
● Peanch, an instant messaging program
● CUPS, the printing system for Unix
● CVE-2016-4448: format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers