Format String Vulnerability 111518 Format String Vulnerability Format





![Format String Syntax • %1$08 d • %[argument_position]$[length][parameter] • Meaning • Print an integer Format String Syntax • %1$08 d • %[argument_position]$[length][parameter] • Meaning • Print an integer](https://slidetodoc.com/presentation_image_h/f90225dc01cac742f4181a150f05b731/image-6.jpg)


















- Slides: 24

Format String Vulnerability 11/15/18

Format String Vulnerability • Format String • printf(“%d %x %s %p %nn”, 1, 2, “asdf”, 3, &i); • The vulnerability • char buf[512]; • printf(“%s”, buf); • printf(buf);

Format String Vulnerability • Format String • printf(“%d %x %s %p %nn”, 1, 2, “asdf”, 3, &i); • Can be exploited as: • Arbitrary read • Arbitrary write

The Format String • Usage • printf(“%d %x %s”, 0, 65, “asdf”) • -> variable number of arguments • This will print 0 (decimal), 41 (hexadecimal), and “asdf” • % parameters • % is a special character in the Format String • % seeks for an argument (corresponding to its order…)

Format String Parameters • %d • Expects an integer value as its argument and print a decimal number • %x • Expects an integer value as its argument and print a hexadecimal number • %s • Expects an address to a string (char *) and print it as a string
![Format String Syntax 108 d argumentpositionlengthparameter Meaning Print an integer Format String Syntax • %1$08 d • %[argument_position]$[length][parameter] • Meaning • Print an integer](https://slidetodoc.com/presentation_image_h/f90225dc01cac742f4181a150f05b731/image-6.jpg)
Format String Syntax • %1$08 d • %[argument_position]$[length][parameter] • Meaning • Print an integer as a decimal value • Justify its length to length • Get the value from n-th argument • Print 8 -length decimal integer, with the value at the 1 st argument (padded with 0)

Format String Parameters • %d – Integer decimal %x – Integer hexadecimal • printf(“%2$08 d”, 15, 13, 14, “asdf”); • 00000013 • printf(“ 0 x%3$08 x”, 15, 13, 14, “asdf”); • 0 x 0000000 d • printf(“%3$20 s”, 15, 13, 14, “asdf”); • printf(“%4$20 s”, 15, 13, 14, “asdf”); • asdf %s – String

Format String Vulnerability • Useful directives • %x – print an argument as a hexadecimal value • %d – print an argument as a decimal value • %p – print an argument as a hexadecimal value with prefix 0 x • %s – print an argument as a string; read the data in the address • %n – treat an argument as an address, write the number of printed bytes…

Format String Parameters • %n – store # of printed characters • int i; • printf(“asdf%n”, &i); • i=4 • printf(“%12345 x%n”, 1, &i); • Print 1 as 12345 characters (“ ” * 12344 + “ 1”) • Store 12345 to i

In ASLR-2 • What kind of information this will print? ? ? • 15 values of %p (print hexadecimal number as 0 x? ? ? ? , an addr) • No arguments…

Stack RETURN ADDR 8 th SAVED %ebp 7 th RESV 6 th RESV 5 th RESV 4 th RESV 3 rd RESV 2 nd 0 x 80485 e 0 (1 st) 1 st

Stack Information Leak via FSV • printf(buf) • Type %p %p %p • This will eventually leak values in the stack

RETURN ADDR Where is the random in fs-read-1? 0 x 54 SAVED %ebp BUFFER Random is at -0 x 50(%ebp) random 6 th variable 5 th RESV 4 th RESV 3 rd RESV 2 nd Arg 1 of printf

Arbitrary Read via FSV • In fs-read-1 • %p %p …. • Why?

RETURN ADDR Arbitrary Read via FSV • The buffer is on the stack SAVED %ebp %p % 0 x 4 c • Your input can also be treated as an argument %p p %p %p % • Can you exploit this to perform arbitrary read via FSV? random 6 th variable 5 th RESV 4 th RESV 3 rd RESV 2 nd Arg 1 of printf

RETURN ADDR Arbitrary Read via FSV (%s) • Put address to read on the stack • Suppose the address is 0 x 804 a 010 (GOT of printf) SAVED %ebp XXXX 0 x 4 c XXXX %7$s 0 x 804 a 010 • Prepare the string input • “x 10xa 0x 04x 08%7$x” (print 0 x 804 a 010, test it first) • “x 10xa 0x 04x 08%7$s” (read the data!) random 6 th variable 5 th RESV 4 th RESV 3 rd RESV 2 nd Arg 1 of printf

Arbitrary Read via FSV (%s) • Capability • Can read “string” data in the address • Read terminates when it meets “x 00” • Tricks to read more… • “x 10xa 0x 04x 08x 11xa 0x 04x 08x 12xa 0x 04x 08x 13xa 0x 04x 08” • “%7$s|%8$s|%9$s|%10$s” • You will get values separated by | (observing || means that it is a null string) • E. g. , 1|2||3 then the value will be “ 12x 003”

RETURN ADDR Arbitrary Write via FSV (%n) • Put address to read on the stack • Suppose the address is 0 x 804 a 010 (GOT of printf) SAVED %ebp XXXX 0 x 4 c XXXX %7$s 0 x 804 a 010 • Prepare the string input • “x 10xa 0x 04x 08%7$x” (print 0 x 804 a 010, test it first) • “x 10xa 0x 04x 08%7$n” (write the data!) • Write 4, because it has printed “x 10xa 0x 04x 08” before the %7$n parameter random 6 th variable 5 th RESV 4 th RESV 3 rd RESV 2 nd Arg 1 of printf

Arbitrary Write via FSV (%n) • Can you write arbitrary values? Not just 4? • %10 x – prints 10 characters regardless the value of arugment • %10000 x – prints 10000 … • %1073741824 x – prints 2^30 characters … • How to write 0 xfaceb 00 c? • %4207489484 x • NO….

Arbitrary Write via FSV (%n) • Challenges… • Printing 4 billion characters is super SLOW… • Remote attack – you need to download 4 GB… • What about 64 bit machines – 48 bit addresses? • A trick • Split write into multiple times (2 times, 4 times, etc. )

Arbitrary Write via FSV (%n) • Writing 0 xfaceb 00 c to 0 x 804 a 010 • Prepare two addresses as arguments • “x 10xa 0x 04x 08x 12xa 0x 04x 08” • Printed 8 bytes • Write 0 xb 00 c at 0 x 0804 a 010 [ % (0 xb 00 c-8) n] • This will write 4 bytes, 0 x 0000 b 00 c at 0 x 804 a 010 ~ 0 x 804 a 014 • Write 0 xface at 0 x 804 a 012 [ % (0 xface – 0 xb 00 c) n] • This will write 4 bytes, 0 x 0000 face at 0 x 804 a 012 ~ 0 x 804 a 016 • What about 0 x 0000 at 0 x 804 a 014~0 x 804 a 016? • We do not care…

Arbitrary Write via FSV (%n) • Can we overwrite 0 x 12345678? • Write 0 x 5678 to the address • % (0 x 5678 – 8) n • Write 0 x 1234 to the (address + 2) • % (0 x 1234 – 0 x 5678) n • % (0 x 011234 – 0 x 5678) n • “x 10xa 0x 04x 08x 12xa 0x 04x 08%22128 x%7$n%48060 x%8$n

Aribtrary Code Execution via FSV • Suppose we have two FSV • Use %s to read the GOT of puts • Calculate the address of system() • Use %n to write the GOT of printf • To system() • Printf() will become system() • Done

Assignment: Week-6 • Please solve challenges in the /home/labs/week 8 directory • Challenges are in vm-ctf 2 • • • fs-read-1 fs-read-2 fs-write-1 fs-arbt-read fs-arbt-write fs-code-exec • Due: 11/29 23: 50 pm
Python String week 3 String string string string
String str String str 1 new String String
String String String String object import java util
Format String Vulnerability 2 Yeongjin Jang 030618 Format
Thursday 111518 AIM How did laissez faire capitalism
Participatory Vulnerability Analysis What is Vulnerability Vulnerability is
The string data type String String 1 The
String 24 PHP strtoupper string strtoupper string str
String Manipulation Java String class The String class
Algoritma Pencarian String String Matching Persoalan pencarian string
Strings String Builder String Buffer String Strings in
function combine Namesfirst string last string string return
String Abstractions String Verification Given a string manipulating
String Tokenization What is String Tokenization The String
String and String Builder Part I String All
STRING MANUPILATION STRING OPERATORS TYPES OF STRING OPERATORS
Rismayuni Manipulasi String Manipulasi String Pengerjaan suatu string
String Builder System String string is the alias
String Manipulation Java String class The String class
Algoritma Pencarian String String Matching Persoalan pencarian string
The string data type String String in general
Rismayuni Manipulasi String Manipulasi String Pengerjaan suatu string
public class Student String studentid String name String
String Review of String 1 String is a