Format strings
Reporter: Nickle, Nickle@NSC

Agenda
• Introduction
• Reading from arbitrary memory address
• Write to arbitrary memory address
• Direct parameter access
• Detours with dtors
• Overwriting the global offset table
• Conclusion
Introduction
• printf() function
• Format specifiers:
• %d - decimal
• %u - unsigned decimal
• %x - hexadecimal
• %s - string; the argument is the start address of the string
• %n - number of bytes written so far

Introduction (cont.)
• printf("blah %d %d %d %d", a, b, c, d);
• Then, what if d is missing?
• The last %d will still print whatever is at the fourth parameter position on the stack (EBP - OFFSET)
• The format-string vulnerability:
• printf("%s", string);
• printf(string);
[Stack diagram, low address at top and high address at bottom: EBP, the address of the format string, then a, b, c, d, each parameter slot 4 bytes above the previous one]
Reading from arbitrary memory address
• The format string is processed one directive at a time
• The %s directive reads a pointer from the parameter position and prints the content at that address until it reaches a NULL byte
• If we can control the address that %s reads from, we can read any content in memory
• Demo code (fmt_vuln.c)

Reading from arbitrary memory address
• The input parameter
• %s reads the content at the address placed at the beginning of the format string
• Input layout: [target address] %x. %x. %x. ... %s, where the number of %x. entries is the offset needed to reach the start of the format string on the stack

Reading from arbitrary memory address
• The memory layout
[Stack diagram, low address at top: EBP, SFP, RET, address of format string, ..., buffer, local variables, SFP, RET, ..., high address]
Write to arbitrary memory address
• The %n directive writes the number of bytes written so far into the variable its argument points to
• printf("blablabla %n", &variable);
• Demo code (fmt_vuln)

Write to arbitrary memory address
• The input parameter
• Control the written value with the field width of the last %x (%βx)
• Input layout: [target address] %x. %x. %x. %n, where the %x. entries are the offset to the target address
• Input layout with a controlled value: [target address] %x. %x. %βx. %n

Write to arbitrary memory address
• Write the address into the target

Write to arbitrary memory address
• Write once
• Input layout: [target address 08049570] [target address 08049571] [target address 08049572] [target address 08049573] %x. ... %βx. %n. %βx. %n. %βx. %n. %βx. %n
• Each %n writes 4 bytes, so the four writes to consecutive addresses overlap; each write sets the low byte at its own target address and the next write overwrites the higher bytes

Write to arbitrary memory address
• How to calculate β?
• E.g. the value to write is 0xddccbbaa
• Current target value is X
• The width of the last %x is Y
• Calculate it:
• X - Y = Z
• 0xaa - Z = β1
• 0xbb - 0xaa = β2
• 0xcc - 0xbb = β3
• 0xdd - 0xcc = β4
• Input layout: [target address] %x. %β1x. %n. %β2x. %n. %β3x. %n. %β4x. %n

Write to arbitrary memory address
• Simple way to calculate: fmtbuilder - http://packetstormsecurity.org/papers/unix/fmtbuild.htm
• Formula, e.g. for 0xbfbff26c (HOB => 0xbfbf, LOB => 0xf26c):
• HOB < LOB: [addr+2][addr]%.[HOB-8]x%[offset]$hn%.[LOB-HOB]x%[offset+1]$hn
• HOB > LOB: [addr+2][addr]%.[LOB-8]x%[offset+1]$hn%.[HOB-LOB]x%[offset]$hn
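The byte-by-byte width calculation on the two slides above, worked through in a self-contained C program. This is an added example, not code from the slides or from fmtbuilder: the targets are the program's own local bytes, passed to %hhn (one-byte store, assumed in place of the slide's overlapping 4-byte %n writes) through ordinary pointer arguments, and the format string is a literal. It also handles the case the slide's plain subtraction does not: when the next byte is smaller than the running count, the width wraps modulo 256 because only the low byte of the count is kept.

```c
#include <stdint.h>
#include <stdio.h>

/* One %n per target byte. The padding before each %n is chosen so that the
 * running byte count ends on the wanted byte. The slide's steps
 * (0xaa - Z = beta1, 0xbb - 0xaa = beta2, ...) go negative when a byte is
 * smaller than the one before; masking with 0xff wraps the width, which is
 * correct because only the low byte of the count is stored. */
void widths_for(uint32_t value, int already_written, int beta[4]) {
    int count = already_written;              /* bytes printed so far (the slide's X - Y) */
    for (int i = 0; i < 4; i++) {
        int want = (value >> (8 * i)) & 0xff; /* little-endian: low byte first */
        beta[i] = (want - count) & 0xff;      /* padding so count becomes want (mod 256) */
        count += beta[i];
    }
}

/* Convenience accessor for checking a single width. */
int width_at(uint32_t value, int already_written, int i) {
    int beta[4];
    widths_for(value, already_written, beta);
    return beta[i];
}

/* Drive the four %n stores against our own bytes and reassemble the result.
 * "AAAA" stands in for the slide's 4-byte target address at the start of the
 * input, so the count starts at 4. %.*x with value 0 prints exactly the given
 * number of characters (zero characters for precision 0). */
uint32_t demo_write(uint32_t value) {
    int beta[4];
    signed char b[4] = {0, 0, 0, 0};          /* %hhn stores a single byte here */
    char out[1100];                           /* at most 4 + 4*255 bytes of output */
    widths_for(value, 4, beta);
    snprintf(out, sizeof out, "AAAA%.*x%hhn%.*x%hhn%.*x%hhn%.*x%hhn",
             beta[0], 0u, &b[0], beta[1], 0u, &b[1],
             beta[2], 0u, &b[2], beta[3], 0u, &b[3]);
    return (uint32_t)(uint8_t)b[0] | (uint32_t)(uint8_t)b[1] << 8 |
           (uint32_t)(uint8_t)b[2] << 16 | (uint32_t)(uint8_t)b[3] << 24;
}

int main(void) {
    int beta[4];
    widths_for(0xddccbbaa, 4, beta);
    printf("widths for 0xddccbbaa: %d %d %d %d\n", beta[0], beta[1], beta[2], beta[3]);
    printf("stored for 0x08049570: %#x\n", demo_write(0x08049570));
    return 0;
}
```

For 0xddccbbaa starting from 4 bytes already printed the widths are 166, 17, 17, 17; for 0x08049570 the third byte (0x04) is smaller than the count reached after 0x95, so its width wraps to 111 instead of going negative.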
Direct parameter access
• Format parameter %N$x - the Nth parameter
• Without direct access: [target address] %x. ... %βx. %n %βx. %n %βx. %n %βx. %n
• With direct access: [target address] %θ$βx. %θ$n %θ$βx. %θ$n %θ$βx. %θ$n %θ$βx. %θ$n, where θ is the parameter index of the target address, so the padding %x. entries are no longer needed

Detours with dtors
• .dtors and .ctors are sections made for destructors and constructors
• The .dtors section is writable
• The .dtors section is included in all binaries compiled with the GNU C compiler
• Demo code

Overwriting the global offset table
• Procedure linkage table (PLT)
• Consists of many jump instructions
• But the PLT is read-only
• The addresses in the PLT are not the addresses jumped to, but pointers to those addresses
• These addresses lie in another special section, called the global offset table (GOT)
• The GOT is writable
• Demo code
Conclusion
• Format functions must be used carefully
• Through a format-string bug you can read from and write to arbitrary memory addresses

Reference
• Hacking: The Art of Exploitation, Jon Erickson
• Format String Vulnerability, Kudo