Presentation is loading. Please wait.

Presentation is loading. Please wait.

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

Published byAbraham Reeves Modified over 9 years ago

Similar presentations

Presentation on theme: "CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs."— Presentation transcript:

1 CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs

2 Understanding Format Strings

3 Data Interpretation RAM contains bytes The same byte can be interpreted as – An integer – A character – Part of an instruction – Part of an address – Part of a string – Many, many more...

4 Format String Controls Output

5 Format String Demo

6 Most Important for Us %xHexadecimal %8xHexadecimal padded to 8 chars %10xHexadecimal padded to 10 chars %100xHexadecimal padded to 100 chars

7 Format String Vulnerabilities

8 Buffer Overflow This code is obviously stupid char name[10]; strcpy(name, "Rumplestiltskin"); C just does it, without complaining

9 Format String Without Arguments printf("%x.%x.%x.%x"); – There are no arguments to print! – Should give an error message – Instead, C just pulls the next 4 values from the stack and prints them out – Can read memory on the stack – Information disclosure vulnerability

10 Format String Controlled by Attacker

11 %n Format String %n writes the number of characters printed so far To the memory location pointed to by the parameter Can write to arbitrary RAM locations Easy DoS Possible remote code execution

12 printf Family Format string bugs affect a whole family of functions

13 Countermeasures

14 Defenses Against Format String Vulnerabilities Stack defenses don't stop format string exploits – Canary value ASLR and NX – Can make exploitation more difficult Static code analysis tools – Generally find format string bugs gcc – Warnings, but no format string defenses

15 Exploitation Technique

16 Steps Control a parameter Find a target RAM location – That will control execution Write 4 bytes to target RAM location Insert shellcode Find the shellcode in RAM Write shellcode to target RAM location

17 Control a Parameter Insert four letters before the %x fields Controls the fourth parameter – Note: sometimes it's much further down the list, such as parameter 300

18 Target RAM Options Saved return address – Like the Buffer Overflows we did previously Global Offset Table – Used to find shared library functions Destructors table (DTORS) – Called when a porgram exits C Library Hooks

19 Target RAM Options "atexit" structure (link Ch 4n) Any function pointer In Windows, the default unhandled exception handler is easy to find and exploit

20 Disassemble in gdb

21 Targeting the GOT

22 Writing to Target RAM We now control the destination address, but not the value written there

23 Python Code to Write 4 Bytes

24 Changing One Byte Add 16 to %16x Previously Now – Each byte increased by 13

25 Python Code to Write a Chosen Word

26 Inserting Dummy Shellcode \xcc is BRK

27 View the Stack in gdb Choose an address in the NOP sled

28 Dummy Exploit Runs to \xcc

29 Testing for Bad Characters \x09 is bad

30 Testing for Bad Characters \x10 is bad

31 Testing for Bad Characters Started at 11 = 0x0b \x20 is bad

32 Testing for Bad Characters Started at 33 = 0x21 No more bad characters

33 Generate Shellcode msfvenom -p linux/x86/shell_bind_tcp -b '\x00\x09\x0a\x20' PrependFork=true -f python

34 Keep Total Length of Injection Constant May not be necessary, but it's a good habit

35 Final Check Address in NOP sled Shellcode intact

36 Shell (in gdb) Wait for the port to close Test it outside gdb

Download ppt "CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs."

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.

Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Attacking Applications: SQL Injection & Buffer Overflows.

Attacking Applications: SQL Injection & Buffer Overflows.
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Mitigation of Buffer Overflow Attacks

Mitigation of Buffer Overflow Attacks
CS 4010 Hacking Samba Server Vulnerabilities. Recon Telnet headers claim the following: –Red Hat Linux release 9 (Shrike) –Kernel 2.4.20-8smp on an i686.

CS 4010 Hacking Samba Server Vulnerabilities. Recon Telnet headers claim the following: –Red Hat Linux release 9 (Shrike) –Kernel smp on an i686.
CS390S, Week 4: Format String Vulnerabilities & Integer Overflows Pascal Meunier, Ph.D., M.Sc., CISSP January 31, 2007 Developed thanks to the support.

CS390S, Week 4: Format String Vulnerabilities & Integer Overflows Pascal Meunier, Ph.D., M.Sc., CISSP January 31, 2007 Developed thanks to the support.
CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.

CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.

Similar presentations

Ads by Google