CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
1 like654 views
The document provides an introduction to format string bugs, detailing how format strings can lead to vulnerabilities such as buffer overflow and memory disclosure. It explains exploitation techniques involving control of parameters, locating target RAM, and writing arbitrary values. Additionally, it discusses countermeasures and defenses against these vulnerabilities, emphasizing the importance of careful coding practices and static analysis tools.
![Buffer Overflow
• This code is obviously stupid
char name[10];
strcpy(name, "Rumplestiltskin");
• C just does it, without complaining](https://image.slidesharecdn.com/ch4-170210012532/85/CNIT-127-Ch-4-Introduction-to-format-string-bugs-rev-2-9-17-8-320.jpg)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
- 1. CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs Updated 2-9-17
- 3. Data Interpretation • RAM contains bytes • The same byte can be interpreted as – An integer – A character – Part of an instruction – Part of an address – Part of a string – Many, many more...
- 4. Format String Controls Output
- 6. Most Important for Us • %x Hexadecimal • %8x Hexadecimal padded to 8 chars • %10x Hexadecimal padded to 10 chars • %100x Hexadecimal padded to 100 chars
- 8. Buffer Overflow • This code is obviously stupid char name[10]; strcpy(name, "Rumplestiltskin"); • C just does it, without complaining
- 9. Format String Without Arguments • printf("%x.%x.%x.%x"); – There are no arguments to print! – Should give an error message – Instead, C just pulls the next 4 values from the stack and prints them out – Can read memory on the stack – Information disclosure vulnerability
- 10. Format String Controlled by Attacker
- 11. Explanation • %x.%x.%x.%x -- read 4 words from stack • %n.%n.%n.%n -- write 4 numbers to RAM locations from the stack
- 12. %n Format String • %n writes the number of characters printed so far • To the memory location pointed to by the parameter • Can write to arbitrary RAM locations • Easy DoS • Possible remote code execution
- 13. printf Family • Format string bugs affect a whole family of functions
- 14. Countermeasures
- 15. Defenses Against Format String Vulnerabilities • Stack defenses don't stop format string exploits – Canary value • ASLR and NX – Can make exploitation more difficult • Static code analysis tools – Generally find format string bugs • gcc – Warnings, but no format string defenses
- 17. Steps • Control a parameter • Find a target RAM location – That will control execution • Write 4 bytes to target RAM location • Insert shellcode • Find the shellcode in RAM • Write shellcode address to target RAM location
- 18. Control a Parameter • Insert four letters before the %x fields • Controls the fourth parameter – Note: sometimes it's much further down the list, such as parameter 300
- 19. Target RAM Options • Saved return address – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
- 20. Target RAM Options • "atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit
- 21. Disassemble in gdb • First it calls printf • With a format string vulnerability • Then it calls puts
- 22. Targeting the GOT • Pointer to puts • Change pointer to hijack execution
- 23. Writing to Target RAM • We now control the destination address, but not the value written there
- 24. Python Code to Write 1 Word
- 25. Write 4 Words, All The Same
- 26. Write 4 Bytes, All The Same
- 27. Write 4 Bytes, Increment=8
- 28. Write 0 in First Byte
- 29. Write Chosen Value in 1st Byte
- 30. Write Chosen Values in Bytes 1-2
- 31. Write Chosen Values in Bytes 1-2
- 32. Write Chosen Values in 4 Bytes
- 33. Write Chosen Values into 4 Bytes
- 35. Write 4 Bytes, Arbitrary
- 36. Python Code to Write a Chosen Word
- 37. Inserting Dummy Shellcode • xcc is BRK
- 38. View the Stack in gdb • Choose an address in the NOP sled
- 39. Dummy Exploit Runs to xcc
- 40. Testing for Bad Characters • x09 is bad
- 41. Testing for Bad Characters • x10 is bad
- 42. Testing for Bad Characters • Started at 11 = 0x0b • x20 is bad
- 43. Testing for Bad Characters • Started at 33 = 0x21 • No more bad characters
- 44. Generate Shellcode • msfvenom -p linux/x86/shell_bind_tcp • -b 'x00x09x0ax20' • PrependFork=true • -f python
- 45. Keep Total Length of Injection Constant • May not be necessary, but it's a good habit
- 46. Final Check • Address in NOP sled • Shellcode intact
- 47. Shell (in gdb) • Wait for the port to close • Test it outside gdb