Hi, I haven't done much hacking lately, so I want to show what other interesting ways there are to exploit programs. One possibility is the format string attack.
What is a format string attack? A format string attack abuses the format string mechanism of the printf family in C/C++ programs. With it the stack can be read out and manipulated; in the worst case an attacker can even gain privileged rights.
Which C/C++ functions can give rise to format string vulnerabilities? All of the following take a format string, so each becomes dangerous as soon as that format string is built from untrusted input:
| Function | Description |
|---|---|
| fprintf | writes to a file stream |
| printf | writes to stdout |
| sprintf | writes to a string |
| snprintf | writes to a string, with length check |
| vfprintf | writes to a file stream, arguments via va_arg |
| vprintf | writes to stdout, arguments via va_arg |
| vsprintf | writes to a string, arguments via va_arg |
| vsnprintf | writes to a string, with length check, arguments via va_arg |
The following examples take a command-line argument and print it with printf.

```c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    if (argc < 2) {             /* avoid passing a NULL pointer to %s */
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    /* Fixed format string: the argument is only ever printed as data. */
    printf("Your input: %s\n", argv[1]);
    return 0;
}
```
A normal printf output looks like this.
The second example is similar to the first, except that the argument is passed directly as the format string, with no format specifier of its own.

```c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    if (argc < 2) {             /* avoid passing a NULL pointer to printf */
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    /* Vulnerable: user input is used as the format string itself. */
    printf(argv[1]);
    return 0;
}
```
The result is somewhat peculiar.
There is a format string vulnerability here. You can see the "hello" followed by the rest of the stack contents.
Stack readout and direct access.
An input of 600 %x, which dumps the stack contents in hexadecimal, looks like this:
Here you can see what the stack contents look like. At the 4th position we find the AAAA in hex representation. Behind the four A's you can see the %08x pattern itself on the stack.
From here you can also access individual stack entries directly.
In GDB you can see that, if you replace the 4th %x with a %n, you gain control over the EAX register. The %n operator will be covered separately.
So far this is only read access through the vulnerability. It is worse when you have write access there; that will be the subject of another post.
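As an added example that is not part of the original post: the hardened form of the second program, plus a small check that flags data carrying conversion specifications before it reaches a printf-family call. The function names and the sample input are my own.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion specifications in s; "%%" is a literal percent, not a
 * conversion. Applied to data that should be plain text (a username, a log
 * message), a non-zero result means the value would steer printf if it ever
 * reached the format-string argument. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened replacement for printf(argv[1]): the format string is a constant
 * and the untrusted value is only ever an argument, so "%x" or "%n" inside it
 * is printed literally instead of interpreted. snprintf bounds the write (the
 * "+ length check" from the table above). Returns 0 on success, 1 if the
 * output was truncated to fit, -1 on bad arguments. */
int echo_safe(char *dst, size_t dstlen, const char *input)
{
    if (dst == NULL || dstlen == 0 || input == NULL)
        return -1;
    int needed = snprintf(dst, dstlen, "Your input: %s\n", input);
    if (needed < 0)
        return -1;
    return (size_t)needed >= dstlen ? 1 : 0;
}

int main(int argc, char *argv[])
{
    char out[64];
    /* Constructed sample input, used when no argument is given. */
    const char *input = argc > 1 ? argv[1] : "AAAA%08x%08x";
    int hits = count_conversions(input);
    if (hits > 0)
        fprintf(stderr, "warning: input carries %d conversion(s)\n", hits);
    echo_safe(out, sizeof out, input);
    fputs(out, stdout);
    return 0;
}
```

Compiling with `-Wformat-security` (gcc/clang) additionally warns about calls like `printf(argv[1])`, where the format string is a non-literal and no arguments are passed.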
I hope you enjoyed it and we'll hear from each other in the next part 😄