Format string exploits, Part 1

2015-08-07T00:00:00
ID MYHACK58:62201565460
Type myhack58
Reporter Anonymous
Modified 2015-08-07T00:00:00

Description

Format string vulnerabilities are a class of software defects that allow an attacker to read or write at arbitrary memory addresses. This tutorial focuses on C programs and their use of formatted-string functions. Before we look at the defect itself, we first need to know what a format string is. A format string is an ASCII string that contains text and format parameters. For example:

    printf("My name is: %s", "nops");

This function call produces the string:

    My name is: nops

The first parameter of printf is the format string. It relies on specifiers to tell the program how to format the output. C has a number of format specifiers, which are placeholders that are later filled in with our content. Remember, a specifier always starts with the "%" character. There are specifiers for many different data types; the most common include:

    %d - decimal - output a decimal integer
    %s - string - read a string from memory
    %x - hexadecimal - output a hexadecimal number
    %c - character - output a character
    %p - pointer - output a pointer address
    %n - the number of characters written so far

Functions that may have a format string vulnerability include, but are not limited to, fprintf, printf, sprintf and snprintf. The vulnerability exists mainly because the programmer does not properly filter user input. The following example illustrates this:

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char a[1024];
        strcpy(a, argv[1]);   /* unbounded copy of user input */
        printf(a);            /* vulnerable: user input is used as the format string */
        printf("\n");
    }

This code takes the string it receives as an argument, creates a 1024-byte buffer, copies the string into the buffer, and finally calls printf twice to print the output. In the normal case, compiling and running the program prints its first argument, as expected (the buffer overflow is also plain to see, if that is what you are looking for).

    root@localhost:~/# gcc test.c -o test
    root@localhost:~/# ./test blah
    blah

But if we look carefully at the printf documentation, we learn that its first parameter is a special format string containing specifiers. In our simple test code, argv[1] is passed as that parameter to printf. So data provided by the user, that is, by an attacker, will be interpreted as a format string, which is very dangerous. Next we look at an example of this type of attack:

    root@localhost:~/# ./test %s
    TERM_PROGRAM=Apple_Terminal

We typed %s as the attack parameter, and the program printed some information about our terminal. Why is this so? Because printf assumes that its next argument is at the next stack address, and interprets the data there as a string. We supplied %s as the format string, while the code treats it as just a variable. Now let's add more format specifiers to the input of the vulnerable program and see what happens.

    root@localhost:~/# ./test %s.%s
    TERM_PROGRAM=Apple_Terminal.(null)

Here we added a second format specifier, separated by ".", and the next stack value is null. The second specifier adds a null value, and we still get the same terminal information. This attack reads values directly off the stack; if passwords, keys and the like are stored on the stack, that is dangerous. If we try to use this technique to read more information, the program crashes with a segmentation fault.

    root@localhost:~/# ./test %s.%s.%s
    Segmentation fault: 11

But we can exploit the vulnerability further and write values onto the stack. To understand the principle, we must be clear about two features of the printf specification. First, "%n" stores the number of characters written so far into the integer variable that the corresponding argument points to.

    int i;
    printf("ABCDE%n", &i);

Here printf writes 5 (the number of characters written so far) into the variable i. The second feature we need to understand is the "$" operator, which lets us select a specific argument from within the format string. For example:

    printf("%3$s", 1, "b", "c", 4);

This displays "c", because the format string "%3$s" tells the computer: "give me the third argument after the format string, and interpret that argument as a string". So we can also do this:

    printf("AAA%3$n");

printf writes the value 3, the number of A's in the input, to the address that the third argument points to. Wait, we don't have a third argument! Remember, printf simply uses consecutive values on the stack as its arguments. In any case, printf writes a 3 to some address found on the stack. Well, I personally think that is cool. We now have a leak of data from the stack, as well as a raw write-what-where that is not yet under our control. To exploit this vulnerability to execute code, we need to control what is written and where it is written. So far we can only write to positions taken from the stack, which is not a panacea. In the next section we'll talk about shellcode development and add an attack payload to our bug, so that we can control the data.
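The hardened counterpart of the test program above, as an added example that is not part of the original article: safe_echo passes user data only as an argument to a constant format string and bounds the copy, and count_directives reports how many conversion specifications (and whether a %n) an input would trigger if it were misused as a format string. The function names and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the page's test program: the format string is a
 * constant and the user data is only ever an argument, so "%s", "%n"
 * or "%3$n" in the input are copied out as plain characters.
 * Returns 0 on success, -1 if the input was truncated or on error. */
int safe_echo(char *out, size_t outlen, const char *user)
{
    int n = snprintf(out, outlen, "%s", user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Audit helper (hypothetical name): counts the conversion
 * specifications printf would act on if `s` were used as a format
 * string. "%%" is literal; *has_n is set when %n (a write) appears. */
int count_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        s++;
        if (*s == '%')
            continue;               /* "%%": literal percent sign */
        /* skip positional index, flags, width, precision, length */
        while (*s && strchr("0123456789$-+ #'.*hlLqjzt", *s))
            s++;
        if (*s == '\0')
            break;                  /* dangling '%' at end of input */
        count++;
        if (*s == 'n')
            *has_n = 1;
    }
    return count;
}

int main(void)
{
    char out[64];
    int has_n, n;
    const char *input = "%s.%s.%3$n";   /* constructed sample input */
    n = count_directives(input, &has_n);
    if (safe_echo(out, sizeof out, input) == 0)
        printf("echoed literally: %s\n", out);
    printf("directives: %d, %%n present: %d\n", n, has_n);
    return 0;
}
```

Building the original test.c with gcc -Wformat -Wformat-security reports the printf(a) call at compile time, because the format is not a string literal and no arguments follow it.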