Format String Vulnerabilities

Posted on 2008-10-11
Last Modified: 2012-05-05
Hello to everyone!

After reading a paper called "Exploiting Format String Vulnerabilities" (page 14) for a class project I have, it seems to me that the following piece of code should work:

char h[] = "test";
char t[] = "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n";
char buf[400];

snprintf(buf, sizeof t, t);

The address of h is 0xbffffa67. The paper clearly states that the provided argument to snprintf should allow me to store an integer into h. When the snprintf tries to execute though, it produces a segmentation fault. Can someone please point me in the right direction? What am I doing wrong here?

Also, on a related note: I am no expert, but I have a fairly good understanding of how the stack works. Still, can someone explain to me what should happen when snprintf is called? I feel confused as to how exactly '%08x' works, where and how things are stored on the stack on this call, and how exactly we manage to move the internal stack pointer of printf to our stored address.
Question by:epitsi
7 Comments
LVL 53

Expert Comment

by:Infinity08
ID: 22694460
>> When the snprintf tries to execute though it produces a segmentation fault.

You are providing a format string (t) with several placeholders (%08x etc.) - for each of these, you have to provide an actual value (of the right type) that needs to be put there.

Note also that the second parameter of snprintf should be the size of the buffer (400), not the size of the format string.
LVL 53

Expert Comment

by:Infinity08
ID: 22694470
So, a valid call to snprintf would be:

        unsigned int value = 0;   /* initialised so the %08x fields read a defined value */
        int cnt = 0;
        snprintf(buf, 400, t, value, value, value, value, value, &cnt);

which is the same as:

        snprintf(buf, 400, "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n", value, value, value, value, value, &cnt);
LVL 53

Expert Comment

by:Infinity08
ID: 22694500
>> can someone explain to me what should happen when snprintf is called?

It is a safe version of sprintf in that it has an extra parameter (the second) that specifies the maximum number of characters that snprintf will write into the provided buffer. It avoids a buffer overflow, assuming that you provided the correct value.

More info:

        http://linux.die.net/man/3/snprintf
        http://www.cplusplus.com/reference/clibrary/cstdio/sprintf.html


>> I feel confused as to how exactly '%08x' works

%08x is a format that says that it should be replaced by an integer value in hexadecimal notation (x), and it should be shown with a width of at least 8 characters (8), prepended by 0's if needed (0).


>> where and how things are stored on the stack on this call

Just like any normal function call, the arguments are (might be) stored on the stack (depending on the call convention and/or optimizations in effect).


>> and how exactly we manage to move the internal stack pointer of printf to our stored address.

Not sure what you mean by that ...

Author Comment

by:epitsi
ID: 22694556
Thanks for the quick reply. I can understand that what you said is considered the "legitimate" use of snprintf. Let's suppose though that we have the following code:

char buffer[512];
snprintf (buffer, sizeof (buffer), user);

What I want to know is what should I give to "user", in order to cause the function to write data to an arbitrary memory location of my choosing. Obviously this is not the intended use of snprintf but I know it can be done:

http://doc.bughunter.net/format-string/exploit-fs.html
LVL 53

Accepted Solution

by:
Infinity08 earned 1000 total points
ID: 22694589
I'll try to be a bit more clear ;)

When snprintf is called, it expects to find those extra arguments on the stack. Calling snprintf correctly would place those extra arguments (the ones after the format string) on the stack one by one (let's assume that arguments are passed on the stack and no optimization is in effect). If, however, these arguments are not passed, the format string will direct snprintf to look for them anyway in the location where it expects them, i.e. right after the pointer to the format string.

Now, since these values are not actually there, it will read whatever is in that location on the stack, and interpret it as if it were a correctly passed argument.

Does that make sense so far?

Now:

>> What I want to know is what should I give to "user", in order to cause the function to write data to an arbitrary memory location of my choosing.

As in your original format string, there is a format %n which does something different from the others. Instead of being replaced by one of the extra arguments, it'll write a value TO the given address (which was not actually given, as you'll remember - so it'll write to the address that it happens to find in the expected location on the stack).
The value it'll write there is the number of characters written so far.

For more information on the %n format, check the reference page I posted earlier.
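As an added example (not code from the thread or the paper it cites), the following keeps the shape of the original question's format string (4 marker bytes, '_', %08x fields, %n) but supplies a real argument for every directive, so the counting behaviour of %n described in the accepted answer can be observed without any undefined reads; it also places the vulnerable snprintf(buffer, size, user) pattern beside its fixed-format form. Function names and the sample values 0x41 and 0xbeef are my own.

```c
#include <stdio.h>
#include <string.h>

/* Every %08x consumes one unsigned int and prints it as 8 hex digits;
 * every %n consumes an int* and stores the number of characters produced
 * so far. Returns the full formatted length even if `out` is too small,
 * which is why passing `sizeof t` instead of the buffer size truncates. */
int counted_format(char *out, size_t n, int *at_first_n, int *at_second_n)
{
    /* "AAAA_" (5) + "00000041." (9) -> first %n stores 14,
     * then "0000beef." (9) -> second %n stores 23.                  */
    return snprintf(out, n, "AAAA_%08x.%n%08x.%n",
                    0x41u, at_first_n, 0xbeefu, at_second_n);
}

/* The thread's vulnerable pattern: caller data is the format string.
 * Any '%' in `user` is interpreted, so %x reads arguments that were never
 * passed and %n writes through whatever pointer is found in their place.
 * Kept only as the 'before' form; it is never given a '%' here. */
int render_unsafe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);
}

/* Hardened form: a fixed literal format with the user text as %s data.
 * Directives inside `user` are copied verbatim and never interpreted. */
int render_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

int main(void)
{
    char buf[64];
    int first = -1, second = -1;
    int len = counted_format(buf, sizeof buf, &first, &second);
    printf("%s (len %d, %%n stored %d then %d)\n", buf, len, first, second);

    /* The question's own string, %n included, is inert when passed as %s. */
    const char *user = "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n";
    render_safe(buf, sizeof buf, user);
    printf("safe copy intact: %s\n", strcmp(buf, user) == 0 ? "yes" : "no");
    return 0;
}
```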

Author Comment

by:epitsi
ID: 22695425
>> When snprintf is called, it expects to find those extra arguments on the stack. Calling snprintf correctly would place those extra arguments (the ones after the format string) on the stack one by one (let's assume that arguments are passed on the stack and no optimization is in effect). If however these arguments are not passed, the format string will direct snprintf to look for them anyway in the location where it expects them, i.e. right after the pointer to the format string.

Thanks for your help! For some reason I couldn't really understand what was happening on the stack with this, but the above quote did the trick!
LVL 53

Expert Comment

by:Infinity08
ID: 22695439
Do not hesitate to ask if something is still unclear.