nb2

format string vulnerability exploitation


hello, I am attempting to exploit a format string vulnerability in a C program in order to 1) crash the program, 2) print out the secret[1] value, 3) modify the secret[1] value, 4) modify the secret[1] value to a pre-determined value. Here is the vulnerable code:

/* vul_prog.c */
#include <stdio.h>   /* printf, scanf */
#include <stdlib.h>  /* malloc */

#define SECRET1 0x44
#define SECRET2 0x55

int main(int argc, char *argv[])
{
  char user_input[100];
  int *secret;
  int int_input;
  int a, b, c, d; /* other variables, not used here.*/

  /* The secret value is stored on the heap */
  secret = (int *) malloc(2*sizeof(int));

  /* getting the secret */
  secret[0] = SECRET1; secret[1] = SECRET2;

  printf("The variable secret's address is 0x%8x (on stack)\n", &secret);
  printf("The variable secret's value is 0x%8x (on heap)\n", secret);
  printf("secret[0]'s address is 0x%8x (on heap)\n", &secret[0]);
  printf("secret[1]'s address is 0x%8x (on heap)\n", &secret[1]);

  printf("Please enter a decimal integer\n");
  scanf("%d", &int_input);  /* getting an input from user */
  printf("Please enter a string\n");
  scanf("%s", user_input); /* getting a string from user */

  /* Vulnerable place */
  printf(user_input);  
  printf("\n");

  /* Verify whether your attack is successful */
  printf("The original secrets: 0x%x -- 0x%x\n", SECRET1, SECRET2);
  printf("The new secrets:      0x%x -- 0x%x\n", secret[0], secret[1]);
  return 0;
}
All I have to do is provide the appropriate input. I've got the first part (how to crash the program), unfortunately I can't figure out any of the other parts. For the second part I tried to provide a series of "%08x" to print out the memory, but I need to print out the actual contents, not the memory addresses. I've been trying to figure this out for days now, any help would be appreciated. Thanks!!

You've got to earn your degree, so do your homework yourself.

Oh, and crashing the program is not really that much of an achievement.

Quote:
Original post by Stereo
You've got to earn your degree, so do your homework yourself.


He's not asking you to do it for him, he's just asking for some guidance.

Quote:
Original post by nb2
For the second part I tried to provide a series of "%08x" to print out the memory, but I need to print out the actual contents, not the memory addresses.


I'm probably misunderstanding you, but wouldn't you do this the same way as you would print any other value? For example, if I want to print an int val, I would write: printf("%d", val)

Quote:
Original post by Gage64
Quote:
Original post by Stereo
You've got to earn your degree, so do your homework yourself.



He's not asking you to do it for him, he's just asking for some guidance.

Quote:
Original post by nb2
For the second part I tried to provide a series of "%08x" to print out the memory, but I need to print out the actual contents, not the memory addresses.


I'm probably misunderstanding you, but wouldn't you do this the same way as you would print any other value? For example, if I want to print an int val, I would write: printf("%d", val)


Yes, but I am not supposed to change the vulnerable code at all, I am just supposed to provide input to the program to accomplish the objectives. The vulnerability in the program lies in the fact that to output the string of user input, the statement:
printf(user_input)

is used, instead of:

printf("%s", user_input)

So I basically need to figure out what input to give to the program which prints it out using the (incorrect version of the) printf statement to show the secret value.

And I would not be posting here if I had not tried my hardest to fully understand and solve the problem.

Thanks again for your help.

That's a nice one!
I knew C-style format strings can crash programs (from experience) but hadn't thought of using them to hack.

edit: actually my previous hint wasn't helping so I deleted it :b sorry.

What I wanted to say was: look at the scanf for possibilities,
and think about the order of the variables in memory.

From 'man printf':
Quote:

n

The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.


Because the input buffer is fixed size, it should also be possible to execute arbitrary code. (Though I won't say how exactly.)

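The two points raised so far, that printf(user_input) treats untrusted data as a format and that %n is the one conversion that writes to memory, are what a defender checks for. The following is an added example written for this thread, not code from any poster: a scanner (hypothetical names scan_format_directives and echo_user_input) that counts conversion specifications in an untrusted string, flags %n, and shows the hardened printf("%s", ...) form beside it.

```c
/* Added example, not from the thread; function names are hypothetical. */
#include <stdio.h>
#include <string.h>

struct fmt_report {
    int conversions;  /* '%' conversion specifications found (excluding "%%") */
    int writes;       /* how many of those are %n, the only spec that writes memory */
};

/* Scan an untrusted string the way printf's parser would: "%%" is a literal
 * percent; any other '%' starts a conversion. Flags, width, precision, the
 * positional '$' and length modifiers are skipped to reach the conversion char. */
struct fmt_report scan_format_directives(const char *s)
{
    struct fmt_report r = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;            /* escaped percent, harmless */
        while (*p && strchr("-+ #*0123456789.$hlLqjzt", *p))
            p++;                            /* modifiers before the conversion char */
        r.conversions++;                    /* a trailing lone '%' still counts */
        if (*p == 'n') r.writes++;
        if (*p == '\0') break;              /* do not step past the terminator */
    }
    return r;
}

/* Hardened echo: the user string is an argument, never the format. */
void echo_user_input(const char *user_input)
{
    printf("%s\n", user_input);
}

int main(void)
{
    /* Constructed samples standing in for what scanf("%s") could hand to printf(). */
    const char *samples[] = { "hello", "%08x%08x%08x%s", "%x%x%n", "100%% done" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct fmt_report r = scan_format_directives(samples[i]);
        if (r.conversions)
            fprintf(stderr, "warning: %d directive(s), %d %%n write(s) in input\n",
                    r.conversions, r.writes);
        echo_user_input(samples[i]);
    }
    return 0;
}
```

Compiling the posted vul_prog.c with gcc or clang and -Wformat-security also reports the printf(user_input) call, since it is a non-literal format string with no arguments; -Werror=format-security turns that report into a build failure.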
Quote:
Original post by Quinnie
This might be interesting to read...
http://julianor.tripod.com/bc/formatstring-1.2.pdf


Thanks, but I've already read that and tried to follow their suggestions. I was still unable to output the actual contents of the memory addresses. Do you know of anything that I could provide as input that would cause the printf statement in the code given to actually output the contents of an address, rather than the address itself?

Quote:
Original post by nb2
Do you know of anything that I could provide as input that would cause the printf statement in the code given to actually output the contents of an address, rather than the address itself?


As stated in that PDF %s will do that, but it'll obviously need a bit more work to print the whole thing as there are some 0 bytes in the data.

Quote:
Original post by nb2
Quote:
Original post by Quinnie
This might be interesting to read...
http://julianor.tripod.com/bc/formatstring-1.2.pdf


Thanks, but I've already read that and tried to follow their suggestions. I was still unable to output the actual contents of the memory addresses. Do you know of anything that I could provide as input that would cause the printf statement in the code given to actually output the contents of an address, rather than the address itself?


As the article states use %s with a few %08xes to control what is printed.
