CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

Slides:



Advertisements
Similar presentations
Smashing the Stack for Fun and Profit
Advertisements

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Attacking Applications: SQL Injection & Buffer Overflows.
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Mitigation of Buffer Overflow Attacks
CS 4010 Hacking Samba Server Vulnerabilities. Recon Telnet headers claim the following: –Red Hat Linux release 9 (Shrike) –Kernel smp on an i686.
CS390S, Week 4: Format String Vulnerabilities & Integer Overflows Pascal Meunier, Ph.D., M.Sc., CISSP January 31, 2007 Developed thanks to the support.
CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.
Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Part II Let’s make it real Memory Layout of a Process.
CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows
Buffer Overflow Group 7Group 8 Nathaniel CrowellDerek Edwards Punna ChalasaniAxel Abellard Steven Studniarz.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
Shellcode Development -Femi Oloyede -Pallavi Murudkar.
Introduction to Information Security ROP – Recitation 5.
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 2.
Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string.
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
CSC 482/582: Computer Security
Introduction to Information Security
Secure Programming Dr. X
Shellcode COSC 480 Presentation Alison Buben.
Mitigation against Buffer Overflow Attacks
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
Return Oriented Programming
Introduction to Information Security
The Hardware/Software Interface CSE351 Winter 2013
Secure Programming Dr. X
Module 30 (Unix/Linux Security Issues II)
Introduction to Information Security
CSC 495/583 Topics of Software Security Return-oriented programming
CMSC 414 Computer and Network Security Lecture 21
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
SEED Workshop Buffer Overflow Lab
Software Security Lesson Introduction
Format String.
Lecture 9: Buffer Overflow*
CSC 495/583 Topics of Software Security Format String Bug (2) & Heap
CSC 495/583 Topics of Software Security StackGuard & Format String Bug
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
Week 2: Buffer Overflow Part 1.
Week 2: Buffer Overflow Part 2.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
System and Cyber Security
Several Tips on Project 1
Week 3: Format String Vulnerability
Format String Vulnerability
Return-to-libc Attacks
Presentation transcript:

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs

Understanding Format Strings

Data Interpretation RAM contains bytes The same byte can be interpreted as – An integer – A character – Part of an instruction – Part of an address – Part of a string – Many, many more...

Format String Controls Output

Format String Demo

Most Important for Us %xHexadecimal %8xHexadecimal padded to 8 chars %10xHexadecimal padded to 10 chars %100xHexadecimal padded to 100 chars

Format String Vulnerabilities

Buffer Overflow This code is obviously stupid char name[10]; strcpy(name, "Rumplestiltskin"); C just does it, without complaining

Format String Without Arguments printf("%x.%x.%x.%x"); – There are no arguments to print! – Should give an error message – Instead, C just pulls the next 4 values from the stack and prints them out – Can read memory on the stack – Information disclosure vulnerability

Format String Controlled by Attacker

%n Format String %n writes the number of characters printed so far To the memory location pointed to by the parameter Can write to arbitrary RAM locations Easy DoS Possible remote code execution

printf Family Format string bugs affect a whole family of functions

Countermeasures

Defenses Against Format String Vulnerabilities Stack defenses don't stop format string exploits – Canary value ASLR and NX – Can make exploitation more difficult Static code analysis tools – Generally find format string bugs gcc – Warnings, but no format string defenses

Exploitation Technique

Steps Control a parameter Find a target RAM location – That will control execution Write 4 bytes to target RAM location Insert shellcode Find the shellcode in RAM Write shellcode to target RAM location

Control a Parameter Insert four letters before the %x fields Controls the fourth parameter – Note: sometimes it's much further down the list, such as parameter 300

Target RAM Options Saved return address – Like the Buffer Overflows we did previously Global Offset Table – Used to find shared library functions Destructors table (DTORS) – Called when a porgram exits C Library Hooks

Target RAM Options "atexit" structure (link Ch 4n) Any function pointer In Windows, the default unhandled exception handler is easy to find and exploit

Disassemble in gdb

Targeting the GOT

Writing to Target RAM We now control the destination address, but not the value written there

Python Code to Write 4 Bytes

Changing One Byte Add 16 to %16x Previously Now – Each byte increased by 13

Python Code to Write a Chosen Word

Inserting Dummy Shellcode \xcc is BRK

View the Stack in gdb Choose an address in the NOP sled

Dummy Exploit Runs to \xcc

Testing for Bad Characters \x09 is bad

Testing for Bad Characters \x10 is bad

Testing for Bad Characters Started at 11 = 0x0b \x20 is bad

Testing for Bad Characters Started at 33 = 0x21 No more bad characters

Generate Shellcode msfvenom -p linux/x86/shell_bind_tcp -b '\x00\x09\x0a\x20' PrependFork=true -f python

Keep Total Length of Injection Constant May not be necessary, but it's a good habit

Final Check Address in NOP sled Shellcode intact

Shell (in gdb) Wait for the port to close Test it outside gdb

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.