
Playing around with format string vulnerability

Strider · 2 min read

Hi, I haven't done much hacking lately, so I want to show some other interesting ways to exploit programs. One of them is the format string attack.

What is a format string attack? A format string attack abuses the format string mechanism of the printf family in C/C++ programs. With it the stack can be read out and manipulated; in the worst case an attacker can even gain privileged rights this way.

Which C/C++ functions can give rise to format string vulnerabilities?

| Function | Description |
|---|---|
| fprintf | outputs to a file stream |
| printf | outputs to stdout |
| sprintf | outputs to a string |
| snprintf | outputs to a string, with length check |
| vfprintf | outputs to a file stream, arguments via va_arg |
| vprintf | outputs to stdout, arguments via va_arg |
| vsprintf | outputs to a string, arguments via va_arg |
| vsnprintf | outputs to a string, with length check, arguments via va_arg |

The first example takes a command-line argument and prints it with printf.

```c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <text>\n", argv[0]);
        return EXIT_FAILURE;
    }
    /* Safe: the user input is only an argument to a fixed format string. */
    printf("Your input: %s\n", argv[1]);
    return 0;
}
```

A normal output of printf looks like this:

[Screenshot dia.png: normal printf output]

The second example is similar to the first, except that the argument is passed directly as the format string instead of through a %s format specifier.

```c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <text>\n", argv[0]);
        return EXIT_FAILURE;
    }
    /* Vulnerable: the user input itself is used as the format string. */
    printf(argv[1]);
    return 0;
}
```

The result is somewhat peculiar:

[Screenshot dia2.png: output of the vulnerable program]

There is a format string vulnerability here. You can see the "hello" input followed by data read from the rest of the stack.

Stack read-out and direct access

An input of 600 %x specifiers, which prints the contents of the stack in hexadecimal, looks like this:

[Screenshot dia3.png: stack contents dumped with %x]

Here you can see what the contents of the stack look like. At the 4th position we find the AAAA in hex representation; right behind the four A's you can see the %08x pattern itself sitting on the stack.

Individual stack entries can also be accessed directly via direct parameter access:

[Screenshot dia4.png: direct parameter access to a single stack entry]

In GDB you can see that, if you replace the 4th %x with a %n, you get controlled access to the EAX register. Unlike the other specifiers, %n does not print anything: it writes the number of characters output so far to the address it takes from the stack.

[Screenshot dia5.png: GDB view after replacing the 4th %x with %n]

So far this has only shown read access through the vulnerability. It gets worse when you have write access; that will be covered in another post.
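As an added example (my own code, not from the original post), here is a small C helper that classifies what an untrusted string would do if it reached a printf-family function as the format (stack reads like %08x, direct parameter access like %4$x, and %n writes), next to the hardened form of the second program above and an escaping routine for call sites that cannot be changed. The function names are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* What a printf-family call would do with an untrusted format string. */
struct fmt_scan { int reads, writes, direct; };

/* Walk the string as printf parses it: each '%' not followed by another '%'
 * starts a conversion; flags/width/precision/length are skipped up to the
 * conversion character. %n counts as a write (it stores the byte count to
 * an address taken from the stack), everything else as a stack read, and a
 * '$' marks direct parameter access such as %4$x. */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0, 0};
    for (; *s; s++) {
        if (*s != '%') continue;
        if (*++s == '%') continue;            /* "%%" is a literal percent */
        const char *p = s;
        while (*p && strchr("0123456789.-+ #'*hlLqjzt$", *p)) {
            if (*p == '$') r.direct++;
            p++;
        }
        if (*p == '\0') break;                /* truncated specifier at end */
        if (*p == 'n') r.writes++; else r.reads++;
        s = p;
    }
    return r;
}

/* Hardened form of the post's second program: input is only ever an argument. */
int print_safe(char *out, size_t n, const char *input)
{
    return snprintf(out, n, "%s", input);
}

/* For a call site that must keep passing the string as a format, double every
 * '%' so it prints literally. Returns bytes written, or -1 if out is too small. */
int escape_percent(char *out, size_t n, const char *in)
{
    size_t o = 0;
    for (; *in; in++) {
        if (o + (*in == '%' ? 2u : 1u) >= n) return -1;
        out[o++] = *in;
        if (*in == '%') out[o++] = '%';
    }
    out[o] = '\0';
    return (int)o;
}
```

Compiling with -Wformat-security also flags the `printf(argv[1])` pattern at build time, which is the cheapest check of all.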

I hope you enjoyed it, and see you in the next part 😄