Downloaded 38 times
![Buffer Overflow
• This code is obviously stupid
char name[10];
strcpy(name, "Rumplestiltskin");
• C just does it, without complaining](https://image.slidesharecdn.com/127-ch4-180915141719/85/CNIT-127-4-Format-string-bugs-7-320.jpg)
![Buffer Overflow
• This code is obviously stupid
char name[10];
strcpy(name, "Rumplestiltskin");
• C just does it, without complaining](https://image.slidesharecdn.com/127-ch4-180915141719/75/CNIT-127-4-Format-string-bugs-7-2048.jpg)
Uploaded bySam Bowne
CNIT 127: 4: Format string bugs
The document discusses format string vulnerabilities in programming, explaining how format strings can lead to memory disclosure and exploitation, including potential remote code execution. It outlines various exploitation techniques and defenses, detailing how attackers manipulate function parameters to overwrite memory and control execution flow. The text also covers countermeasures, code analysis tools, and the significance of format string bugs across various output functions.
More Related Content
Similar to CNIT 127: 4: Format string bugs
![[MOSUT] Format String Attacks](https://cdn.slidesharecdn.com/ss_thumbnails/aj-140116200425-phpapp01-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
CNIT 127: 4: Format string bugs
- 1. CNIT 127: ExploitDevelopment Ch 4: Introduction to Format String Bugs Updated 9-15-18
- 2.
- 3. Data Interpretation • RAMcontains bytes • The same byte can be interpreted as – An integer – A character – Part of an instruction – Part of an address – Part of a string – Many, many more...
- 4. Format String ControlsOutput
- 5. Most Important forUs • %x Hexadecimal • %8x Hexadecimal padded to 8 chars • %10x Hexadecimal padded to 10 chars • %100x Hexadecimal padded to 100 chars
- 6.
- 7. Buffer Overflow • Thiscode is obviously stupid char name[10]; strcpy(name, "Rumplestiltskin"); • C just does it, without complaining
- 8. Format String WithoutArguments • printf("%x.%x.%x.%x"); – There are no arguments to print! – Should give an error message – Instead, C just pulls the next 4 values from the stack and prints them out – Can read memory on the stack – Information disclosure vulnerability
- 9. Format String Controlledby Attacker
- 10. Explanation • %x.%x.%x.%x --read 4 words from stack • %n.%n -- write 2 numbers to RAM addresses from the stack
- 11. %n Format String •%n writes the number of characters printed so far • To the memory location pointed to by the parameter • Can write to arbitrary RAM locations • Easy DoS • Possible remote code execution
- 12. printf Family • Formatstring bugs affect a whole family of functions
- 13.
- 14. Defenses Against FormatString Vulnerabilities • Stack defenses don't stop format string exploits – Canary value • ASLR and NX – Can make exploitation more difficult • Static code analysis tools – Generally find format string bugs • gcc – Warnings, but no format string defenses
- 15.
- 16. Steps for aFormat String Exploit • Control a write operation • Find a target RAM location – That will control execution • Write 4 bytes to target RAM location • Insert shellcode • Find the shellcode in RAM • Write shellcode address to target RAM location
- 17. Control a Parameter •The format string is on the stack • Insert four letters before the %x fields • Controls the fourth parameter – Note: sometimes it's much further down the list, such as parameter 300
- 18. Target RAM Options •Saved return address – Like the Buffer Overflows we did previously • Global Offset Table – Used to find shared library functions • Destructors table (DTORS) – Called when a program exits • C Library Hooks
- 19. Target RAM Options •"atexit" structure (link Ch 4n) • Any function pointer • In Windows, the default unhandled exception handler is easy to find and exploit
- 20. Disassemble in gdb •gdb -q fs • disassemble main • First it calls printf • Later it calls putchar, using the address at 0x804a018
- 21. Dynamic Relocation (also calledGlobal Offset Table (GOT)) • PLT and GOT are used to address shared libraries • See links Ch 4o, 4p
- 22. Targeting the GOT •Global Offset Table • Pointer to putchar at 0804a018 • Change pointer to hijack execution
- 23. Writing to theGOT • We control the eip!
- 24. Python Code toWrite 1 Byte
- 25. Write 4 Bytes,All The Same
- 26. Write 4 Bytes,Increment = 16
- 27.
- 28. Write Chosen Valuesin 4 Bytes
- 29. Write Chosen Valuesin 4 Bytes
- 30.
- 31. View the Stackin gdb • Choose an address in the NOP sled
- 32. Dummy Exploit Runsto xcc
- 33. Testing for BadCharacters • x09 is bad
- 34. Testing for BadCharacters • 10 is bad
- 35. Testing for BadCharacters • x20 is bad
- 36. Testing for BadCharacters • Started at 33 = 0x21 • No more bad characters
- 37. Generate Shellcode • msfvenom-p linux/x86/shell_bind_tcp • -b 'x00x09x0ax20' • PrependFork=true • -f python
- 38. Keep Total Lengthof Injection Constant • Required to keep the stack frame size constant
- 39. Final Check • Addressin NOP sled • Shellcode intact
- 40.
- 41. Outside gdb • Crashedwith segfault on Kali 2018.1 • Had to add 0x30 to address