Format String Vulnerabilities

Posted on 2008-10-11
Last Modified: 2012-05-05
Hello to everyone!

After reading a paper called "Exploiting Format String Vulnerabilities" (page 14) for a class project I have, it seems to me that the following piece of code should work:

char h[] = "test";
char t[] = "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n";
char buf[400];

snprintf(buf, sizeof t, t);

The address of h is 0xbffffa67. The paper clearly states that the provided argument to snprintf should allow me to store an integer into h. When the snprintf tries to execute though it produces a segmentation fault. Can someone please point me to the right direction? What am I doing wrong here?

Also on a related note. I am no expert but I have a fairly good understanding of how the stack works. Still though, can someone explain to me what should happen when snprintf is called? I feel confused as to how exactly '%08x' works, where and how things are stored on the stack on this call, and how exactly we manage to move the internal stack pointer of printf to our stored address.
Question by: epitsi

Expert Comment

by:Infinity08
ID: 22694460
>> When the snprintf tries to execute though it produces a segmentation fault.

You are providing a format string (t) with several placeholders (%08x etc.) - for each of these, you have to provide an actual value (of the right type) that needs to be put there.

Note also that the second parameter of snprintf should be the size of the buffer (400), not the size of the format string.

Expert Comment

by:Infinity08
ID: 22694470
So, a valid call to snprintf would be:

        unsigned int value = 0;   /* one argument for each %08x */
        int cnt = 0;              /* %n stores the character count here */
        snprintf(buf, 400, t, value, value, value, value, value, &cnt);

which is the same as:

        snprintf(buf, 400, "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n", value, value, value, value, value, &cnt);

Expert Comment

by:Infinity08
ID: 22694500
>> can somone explain to me what should happen when snprint is called?

It is a safe version of sprintf in that it has an extra parameter (the second) that specifies the maximum number of characters that snprintf will write into the provided buffer. It avoids a buffer overflow, assuming that you provided the correct value.

More info:

        http://linux.die.net/man/3/snprintf
        http://www.cplusplus.com/reference/clibrary/cstdio/sprintf.html


>> I feel confused as to how exactly '%08x' works

%08x is a format that says that it should be replaced by an integer value in hexadecimal notation (x), and it should be shown with a width of at least 8 characters (8), prepended by 0's if needed (0).


>> where and how things are stored on the stack on this call

Just like any normal function call, the arguments are (might be) stored on the stack (depending on the call convention and/or optimizations in effect).


>> and how exactly we manage to move the internal stack pointer of printf to our stored address.

Not sure what you mean by that ...

Author Comment

by:epitsi
ID: 22694556
Thanks for the quick reply. I can understand that what you said is considered the "legitimate" use of snprintf. Let's suppose though that we have the following code:

char buffer[512];
snprintf (buffer, sizeof (buffer), user);

What I want to know is what should I give to "user", in order to cause the function to write data to an arbitrary memory location of my choosing. Obviously this is not the intended use of snprintf but I know it can be done:

http://doc.bughunter.net/format-string/exploit-fs.html

Accepted Solution

by:
Infinity08 earned 250 total points
ID: 22694589
I'll try to be a bit more clear ;)

When snprintf is called, it expects to find those extra arguments on the stack. Calling snprintf correctly would place those extra arguments (the ones after the format string) on the stack one by one (let's assume that arguments are passed on the stack and no optimization is in effect). If however these arguments are not passed, the format string will direct snprintf to look for them anyway in the location where it expects them, i.e. right after the pointer to the format string.

Now, since these values are not actually there, it will read whatever is in that location on the stack, and interpret it as if it were a correctly passed argument.

Does that make sense so far?

Now:

>> What I want to know is what should I give to "user", in order to cause the function to write data to an arbitrary memory location of my choosing.

As in your original format string, there is a format %n which does something different from the others. Instead of being replaced by one of the extra arguments, it'll write a value TO the given address (which was not actually given as you'll remember - so it'll write to the address that it happens to find in the expected location on the stack).
The value it'll write there is the amount of characters written so far.

For more information on the %n format, check the reference page I posted earlier.
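As an added defender's example (not code from the thread): a small checker that counts printf-style conversion directives in a user-supplied string, and %n in particular, placed next to the fixed-format call that keeps user data out of the format position altogether. The function names and the sample inputs are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion directives in a string that came from the user.
 * "%%" is a literal percent sign and is skipped.  If n_writes is
 * non-NULL it receives the number of %n directives, the one that
 * writes to memory instead of reading an argument. */
int count_directives(const char *s, int *n_writes)
{
    int total = 0, writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                 /* "%%": literal '%' */
            continue;
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (!*p)                       /* string ends mid-directive */
            break;
        total++;
        if (*p == 'n')
            writes++;
    }
    if (n_writes)
        *n_writes = writes;
    return total;
}

/* The unsafe shape from the thread is snprintf(buf, size, user).
 * Here the format is a constant and user data is only an argument,
 * so any directives inside it are copied as plain text. */
int render_safe(char *buf, size_t size, const char *user)
{
    return snprintf(buf, size, "%s", user);
}

int main(void)
{
    /* constructed input: the format string from the question */
    const char *t = "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n";
    char out[64];
    int writes, total = count_directives(t, &writes);
    printf("directives=%d, %%n writes=%d\n", total, writes);
    render_safe(out, sizeof out, t);
    printf("rendered safely: %s\n", out + 5);   /* skip the 4 address bytes and '_' */
    return 0;
}
```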

Author Comment

by:epitsi
ID: 22695425
>> When snprintf is called, it expects to find those extra arguments on the stack. Calling snprintf correctly would place those extra arguments (the ones after the format string) on the stack one by one (let's assume that arguments are passed on the stack and no optimization is in effect). If however these arguments are not passed, the format string will direct snprintf to look for them anyway in the location where it expects them, ie. right after the pointer to the format string.

Thanks for your help! For some reason I couldn't really understand what was happening on the stack with this, but the above quote did the trick!

Expert Comment

by:Infinity08
ID: 22695439
Do not hesitate to ask if something is still unclear.