Solved

Format String Vulnerabilities

Posted on 2008-10-11
7
296 Views
Last Modified: 2012-05-05
Hello to everyone!

After reading a paper called "Exploiting Format String Vulnerabilities" (page 14) for a class project I have, it seems to me that the following piece of code should work:

char h[] = "test";
char t[] = "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n";
char buf[400];

snprintf(buf, sizeof t, t);

The address of h is 0xbffffa67. The paper clearly states that the provided argument to snprintf should allow me to store an integer into h. When the snprintf tries to execute though it produces a segmentation fault. Can someone please point me to the right direction? What am I doing wrong here?

Also on a related note. I am no expert but I have a fairly good understanding of how the stack works. Still though, can somone explain to me what should happen when snprint is called? I feel confused as to how exactly '%08x' works, where and how things are stored on the stack on this call, and how exactly we manage to move the internal stack pointer of printf to our stored address.
0
Comment
Question by:epitsi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
7 Comments
 
LVL 53

Expert Comment

by:Infinity08
ID: 22694460
>> When the snprintf tries to execute though it produces a segmentation fault.

You are providing a format string (t) with several placeholders (%08x etc.) - for each of these, you have to provide an actual value (of the right type) that needs to be put there.

Note also that the second parameter of snprintf should be the size of the buffer (400), not the size of the format string.
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 22694470
So, a valid call to snprintf would be :

        unsigned int value;
        int cnt = 0;
        snprintf(buf, 400, t, value, value, value, value, value, &cnt);

which is the same as :

        snprintf(buf, 400, "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n", value, value, value, value, value, &cnt);
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 22694500
>> can somone explain to me what should happen when snprint is called?

It is a safe version of sprintf in that it has an extra parameter (the second) that specifies the maximum number of characters that snprintf will write into the provided buffer. It avoids a buffer overflow, assuming that you provided the correct value.

More info :

        http://linux.die.net/man/3/snprintf
        http://www.cplusplus.com/reference/clibrary/cstdio/sprintf.html


>> I feel confused as to how exactly '%08x' works

%08x is a format that says that it should be replaced by an integer value in hexadecimal notation (x), and it should be shown with a width of at least 8 characters (8), prepended by 0's if needed (0).


>> where and how things are stored on the stack on this call

Just like any normal function call, the arguments are (might be) stored on the stack (depending on the call convention and/or optimizations in effect).


>> and how exactly we manage to move the internal stack pointer of printf to our stored address.

Not sure what you mean by that ...
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:epitsi
ID: 22694556
Thanks for the quick reply. I can understand that what you said is considered the "legitimate" use of snprintf. Let's suppose though that we have the following code:

char buffer[512];
snprintf (buffer, sizeof (buffer), user);

What I want to know is what should I give to "user", in order to cause the function to write data to an arbitrary memory location of my choosing. Obviously this is not the intended use of snprintf but I know it can be done:

http://doc.bughunter.net/format-string/exploit-fs.html
0
 
LVL 53

Accepted Solution

by:
Infinity08 earned 250 total points
ID: 22694589
I'll try to be a bit more clear ;)

When snprintf is called, it expects to find those extra arguments on the stack. Calling snprintf correctly would place those extra arguments (the ones after the format string) on the stack one by one (let's assume that arguments are passed on the stack and no optimization is in effect). If however these arguments are not passed, the format string will direct snprintf to look for them anyway in the location where it expects them, ie. right after the pointer to the format string.

Now, since these values are not actually there, it will read whatever is in that location on the stack, and interpret it as if it were a correctly passed argument.

Does that make sense so far ?

Now :

>> What I want to know is what should I give to "user", in order to cause the function to write data to an arbitrary memory location of my choosing.

As in your original format string, there is a format %n which does something different from the others. Instead of being replaced by one of the extra arguments, it'll write a value TO the given address (which was not actually given as you'll remember - so it'll write to the address that it happens to find in the expected location on the stack).
The value it'll write there is the amount of characters written so far.

For more information on the %n format, check the reference page I posted earlier.
0
 

Author Comment

by:epitsi
ID: 22695425
<quote>When snprintf is called, it expects to find those extra arguments on the stack. Calling snprintf correctly would place those extra arguments (the ones after the format string) on the stack one by one (let's assume that arguments are passed on the stack and no optimization is in effect). If however these arguments are not passed, the format string will direct snprintf to look for them anyway in the location where it expects them, ie. right after the pointer to the format string.</quote>

Thanks for your help! For some reason I couldn't really understand what was happening on the stack with this, but the above quote made the trick!
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 22695439
Do not hesitate to ask if something is still unclear.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Video by: Grant
The goal of this video is to provide viewers with basic examples to understand and use while-loops in the C programming language.
The goal of this video is to provide viewers with basic examples to understand opening and reading files in the C programming language.

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question