Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F18.shtml
Size: 2.21 MB
Language: en
Added: Sep 15, 2018
Slides: 42 pages
Slide Content
CNIT 127: Exploit Development
Ch 4: Introduction to Format String Bugs
Updated 9-15-18
Understanding Format Strings
Data Interpretation
•RAM contains bytes
•The same byte can be interpreted as
–An integer
–A character
–Part of an instruction
–Part of an address
–Part of a string
–Many, many more...
Format String Controls Output
Most Important for Us
•%x Hexadecimal
•%8x Hexadecimal padded to 8 chars
•%10x Hexadecimal padded to 10 chars
•%100x Hexadecimal padded to 100 chars
Format String Vulnerabilities
Buffer Overflow
•This code is obviously stupid
char name[10];
strcpy(name, "Rumplestiltskin");
•C just does it, without complaining
Format String Without Arguments
•printf("%x.%x.%x.%x");
–There are no arguments to print!
–Should give an error message
–Instead, C just pulls the next 4 values from the stack and prints them out
–Can read memory on the stack
–Information disclosure vulnerability
Format String Controlled by Attacker
Explanation
•%x.%x.%x.%x -- read 4 words from stack
•%n.%n -- write 2 numbers to RAM addresses from the stack
%n Format String
•%n writes the number of characters printed so far
•To the memory location pointed to by the parameter
•Can write to arbitrary RAM locations
•Easy DoS
•Possible remote code execution
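The two slides on field widths (%8x, %100x) and on %n describe one mechanism: the width pads the output, and %n stores how many characters have been printed so far. The C program below is an added illustration, not code from the slides; the values 1, 2 and 3 are constructed, and because the format is a string literal and %n points at a local variable, this is the benign, well-defined use of %n.

```c
#include <stdio.h>

/* Format three constructed values with the widths from the slides and use %n
 * to capture how many characters were emitted before it. Returns that count.
 * "%x.%8x.%100x" emits 1 + 1 + 8 + 1 + 100 = 111 characters, so %n stores 111.
 * If out is non-NULL the formatted text is copied there for inspection. */
int chars_written_before_n(char *out, size_t outlen)
{
    int count = -1;        /* overwritten by %n */
    char buf[160];

    snprintf(buf, sizeof buf, "%x.%8x.%100x%n", 1u, 2u, 3u, &count);
    if (out && outlen)
        snprintf(out, outlen, "%s", buf);
    return count;
}

/* Isolate the width knob: print the single value 2 with a caller-chosen
 * minimum width and return the count %n records. For width 0 the value
 * needs one character, so the count is 1; for width 8 or 100 it equals the
 * width. Widths above 200 are clamped so the buffer cannot be truncated. */
int count_for_width(int width)
{
    int count = -1;
    char buf[256];

    if (width < 0)
        width = 0;
    if (width > 200)
        width = 200;
    snprintf(buf, sizeof buf, "%*x%n", width, 2u, &count);
    return count;
}

int main(void)
{
    char text[160];
    int n = chars_written_before_n(text, sizeof text);
    printf("%%n recorded %d characters for \"%s\"\n", n, text);
    printf("width 8 -> %d, width 100 -> %d\n", count_for_width(8), count_for_width(100));
    return 0;
}
```

The defensive takeaway is the one the slides build toward: the number %n writes is fully determined by the characters printed before it, so any format string an attacker controls lets them choose both the count and, through the argument list, where it lands. That is why the only real fix is to keep untrusted data out of the format position entirely.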
printf Family
•Format string bugs affect a whole family of functions
Countermeasures
Defenses Against Format String Vulnerabilities
•Stack defenses don't stop format string exploits
–Canary value
•ASLR and NX
–Can make exploitation more difficult
•Static code analysis tools
–Generally find format string bugs
•gcc
–Warnings, but no format string defenses
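The "Format String Without Arguments" and "Controlled by Attacker" slides show the bug, and this countermeasures slide notes that gcc only warns about it. The C code below is an added example, not from the slides or the textbook: it places the vulnerable pattern beside its hardened form, and adds a small directive counter of the kind a static checker or a runtime gate would use to tell how many arguments a format string would consume and how many %n writes it would perform. The function names and the sample strings are my own; the format strings checked in the test are the ones on the slides.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the slides: untrusted data becomes the format.
 * gcc/clang report "format not a string literal and no format arguments"
 * with -Wformat-security, but still compile it. */
void log_unsafe(const char *user)
{
    printf(user);
    putchar('\n');
}

/* Hardened form: the format is a literal, user data is only ever an argument. */
void log_safe(const char *user)
{
    printf("%s\n", user);
}

/* Scan fmt the way printf would and report how many arguments it would read
 * and how many %n writes it would perform. "%%" is a literal percent and
 * consumes nothing; a '*' width or precision consumes an extra int argument.
 * Returns the total number of directives, or -1 if a directive is malformed
 * (for example a trailing '%'). */
int count_directives(const char *fmt, int *reads, int *writes)
{
    int r = 0, w = 0, total = 0;

    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                     /* "%%": escaped percent */
            continue;
        /* skip flags, width, precision, positional '$' and length modifiers */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) {
            if (*p == '*')
                r++;
            p++;
        }
        if (!*p)
            return -1;                     /* string ended inside a directive */
        total++;
        if (*p == 'n')
            w++;
        else
            r++;
    }
    if (reads)
        *reads = r;
    if (writes)
        *writes = w;
    return total;
}

/* Gate for the rare case where a string must be passed as a format: accept it
 * only if it contains no directive at all. Returns 1 if safe, 0 otherwise. */
int is_directive_free(const char *s)
{
    return count_directives(s, NULL, NULL) == 0;
}

int main(void)
{
    const char *samples[] = { "%x.%x.%x.%x", "%n.%n", "100%% done", "Rumplestiltskin" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int reads = 0, writes = 0;
        int total = count_directives(samples[i], &reads, &writes);
        printf("\"%s\": %d directives, %d reads, %d writes -> %s\n",
               samples[i], total, reads, writes,
               is_directive_free(samples[i]) ? "safe as format" : "REJECT");
        log_safe(samples[i]);              /* the correct way to echo it */
    }
    return 0;
}
```

Build with -Wall -Wformat -Wformat-security to see the warning the slides mention on the log_unsafe line; the counter is a second line of defense for code reviews and log scanners, not a substitute for the literal-format rule. For the GOT target discussed later in the deck, linking with full RELRO (-Wl,-z,relro,-z,now) makes the GOT read-only after loading, which removes it as a writable target.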
Exploitation Technique
Steps for a Format String Exploit
•Control a write operation
•Find a target RAM location
–That will control execution
•Write 4 bytes to target RAM location
•Insert shellcode
•Find the shellcode in RAM
•Write shellcode address to target RAM location
Control a Parameter
•The format string is on the stack
•Insert four letters before the %x fields
•Controls the fourth parameter
–Note: sometimes it's much further down the list, such as parameter 300
Target RAM Options
•Saved return address
–Like the Buffer Overflows we did previously
•Global Offset Table
–Used to find shared library functions
•Destructors table (DTORS)
–Called when a program exits
•C Library Hooks
Target RAM Options
•"atexit" structure (link Ch 4n)
•Any function pointer
•In Windows, the default unhandled exception handler is easy to find and exploit
Disassemble in gdb
•gdb -q fs
•disassemble main
•First it calls printf
•Later it calls putchar, using the address at 0x804a018
Dynamic Relocation
(also called Global Offset Table (GOT))
•PLT and GOT are used to address shared libraries
•See links Ch 4o, 4p
Targeting the GOT
•Global Offset Table
•Pointer to putchar at 0x0804a018
•Change pointer to hijack execution
Writing to the GOT
•We control the eip!
Python Code to Write 1 Byte
Write 4 Bytes, All The Same
Write 4 Bytes, Increment = 16
Write 00000000
Write Chosen Values in 4 Bytes
Write Chosen Values in 4 Bytes
Inserting Dummy Shellcode
\xcc is INT 3 (the x86 breakpoint instruction)
View the Stack in gdb
•Choose an address in the NOP sled
Dummy Exploit Runs to \xcc
Testing for Bad Characters
•\x09 is bad
Testing for Bad Characters
•\x0a (decimal 10) is bad
Testing for Bad Characters
•\x20 is bad
Testing for Bad Characters
•Started at 33 = 0x21
•No more bad characters