
Computer Security - lesson 10

Stefano Zanero

5 May 2016

Format String Bugs

Format string bugs are typical of the C language, but the idea can be applied to other languages as well. The key part of a string formatting function is the format string. The first parameter of the f.s.f. is interpreted as the format string, so whatever I pass to the function, the function uses it as such. In the format string there are placeholders that tell the function how many more parameters there are, and the function is going to look for those on the stack.

So we can access arbitrary data on the stack, which means we can:

  • Bypass ASLR by knowing the stack allocation address

It would be interesting if we were able to write on the stack. There is the %n placeholder, which writes into a variable the number of characters written so far. This was used to count characters when building command-line interfaces on fixed-width terminals, but it is not used anymore.

At some point in the stack we will find the same variable we passed to the format string function.

Our current limit is that we can pass only a 256-character string to the format string variable, but fortunately the format string function accepts %N$x as a placeholder, which tells the program to fetch the Nth parameter; even if that parameter doesn't exist, it corresponds to some value on the stack.

As of now I can only write the number of characters printed so far, but I would like to write an arbitrary number in memory. The trick is to use %Nc, which pads the printed character to N columns. The number accepted is a short int (16 bits, 64K max value), but I can still write 32-bit values by using two %c, writing first the number with the lower value and then the number with the higher value (using another %c).

What i need for the complete exploit is:

"<addr1>[4bytes]<addr2>%x%x%x%x%c%n%c%n"

I will need to tune the %c parameter based on the actual length of the string and the target value (length) that we want to write in memory.

The plain %n always writes a 4-byte word (and so can clobber adjacent memory); to write 16 bits at a time we can use %hn.
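As an added example (not part of the lecture notes), the following C code shows the mechanics the notes rely on, using only a legitimate pointer argument: how width padding sets the count that %n stores, how %hn keeps only the low 16 bits, the constant-format fix, and a simple heuristic for spotting format-string probes in logs or inputs. Buffer sizes and function names are my own choices.

```c
#include <stdio.h>
#include <string.h>

/* %*c pads one character to `width` columns; %n then stores the running
 * character count into the int the next argument points to. That count
 * is exactly the value an attacker tunes with padding, so it is returned. */
int chars_counted_by_n(int width) {
    static char out[70001];          /* room for any width <= 70000 */
    int n = -1;
    snprintf(out, sizeof out, "%*c%n", width, 'A', &n);
    return n;
}

/* Same count, stored through %hn: only the low 16 bits survive. */
unsigned short chars_counted_by_hn(int width) {
    static char out[70001];
    short n = 0;
    snprintf(out, sizeof out, "%*c%hn", width, 'A', &n);
    return (unsigned short)n;
}

/* The fix: untrusted text is passed as data behind a constant "%s" format,
 * so any %x or %n it contains is copied literally, never interpreted.
 * (The bug is the equivalent of snprintf(out, size, msg).) */
size_t copy_untrusted(char *out, size_t size, const char *msg) {
    return (size_t)snprintf(out, size, "%s", msg);
}

/* Detection heuristic for inputs or log lines: count '%' conversions
 * ("%%" is a literal percent sign, not a conversion). Several in a row,
 * and any %n at all, are a strong signal of a format-string probe. */
int count_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* skip the escaped %% */
        count++;
    }
    return count;
}
```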