More Control Hijacking Attacks: Format String Vulnerabilities

The document discusses format string vulnerabilities, which can occur when user-controlled input is used directly in a format string in a printing function like printf. This allows attackers to read arbitrary memory or write to arbitrary memory locations by including format specifiers in the input. Specific examples are provided that demonstrate dumping stack data or writing arbitrary values to memory by abusing the %n specifier. Developers must ensure any user input is sanitized before using in format strings to prevent exploitation of format string vulnerabilities.

Uploaded by Harpreet Singh
Module 1.3
More Control Hijacking Attacks: Format String Vulnerabilities

Control Hijacking

Format String Vulnerabilities
Format String Example 1
#include <stdio.h>
#include <stdlib.h>

int main() {
    int A = 5, B = 7, count_one, count_two;

    // Example of a %n format string: %n stores the number of bytes written
    // so far into the int that its matching argument points to
    printf("The number of bytes written up to this point X%n is being stored in "
           "count_one, and the number of bytes up to here X%n is being stored in "
           "count_two.\n", &count_one, &count_two);

    printf("count_one: %d\n", count_one);
    printf("count_two: %d\n", count_two);

    // Stack Example: every specifier is matched by an argument here
    printf("A is %d and is at %08x. B is %x.\n", A, &A, B);

    exit(0);
}

$ ./a.out
The number of bytes written up to this point X is being stored in count_one, and the number of bytes up to here X is being storied in count_two.
count_one: 46
count_two: 113
A is 5 and is at bffff7f4. B is 7.
Format String Example 2
#include <stdio.h>
#include <stdlib.h>

int main() {
    int A = 5, B = 7, count_one, count_two;

    // Example of a %n format string: %n stores the number of bytes written
    // so far into the int that its matching argument points to
    printf("The number of bytes written up to this point X%n is being stored in "
           "count_one, and the number of bytes up to here X%n is being stored in "
           "count_two.\n", &count_one, &count_two);

    printf("count_one: %d\n", count_one);
    printf("count_two: %d\n", count_two);

    // Stack Example: the argument for the final %x is deliberately missing,
    // so printf prints whatever happens to sit next in the argument area
    printf("A is %d and is at %08x. B is %x.\n", A, &A);

    exit(0);
}

$ ./a.out
The number of bytes written up to this point X is being stored in count_one, and the number of bytes up to here X is being storied in count_two.
count_one: 46
count_two: 113
A is 5 and is at bffff7f4. B is b7fd6ff4
Format String Example 3
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char text[1024];
    static int test_val = -72;

    if (argc < 2) {
        printf("Usage: %s <text to print>\n", argv[0]);
        exit(0);
    }
    strcpy(text, argv[1]);

    printf("The right way to print user-controlled input:\n");
    printf("%s", text);            // user data is an argument, the format is fixed

    printf("\nThe wrong way to print user-controlled input:\n");
    printf(text);                  // user data IS the format string (vulnerable)
    printf("\n");

    // Debug output
    printf("[*] test_val @ 0x%08x = %d 0x%08x\n", &test_val, test_val, test_val);
    exit(0);
}

$ ./fmt_vuln testing%x

$ ./fmt_vuln $(perl -e 'print "%08x."x40')


Format string problem

#include <stdio.h>

void func(char *user) {
    fprintf(stderr, user);     // user-controlled format string: vulnerable
}

Problem: what if user = "%s%s%s%s%s%s%s" ??
Most likely the program will crash: DoS.
If not, the program will print memory contents. Privacy?
Correct form: fprintf(stdout, "%s", user);
Vulnerable functions
Any function using a format string.

Printing:
printf, fprintf, sprintf,
vprintf, vfprintf, vsprintf,

Logging:
syslog, err, warn
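The fix in the "Correct form" line above and the list of vulnerable functions share one rule: the format string must be a literal the programmer controls, and user data must only ever travel through an argument. The block below is an added example written for this page (it is not from the slides) showing that rule in practice: a check that flags untrusted strings carrying conversion directives before they reach any format function, a buffer-rendering helper that prints user data through "%s", and a custom logging wrapper marked with GCC/Clang's format attribute so -Wformat and -Wformat-security can check its call sites the same way they check printf. The function names and the sample strings are this example's own choices.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Added example, not from the slides. */

/* Let the compiler type-check our own printf-like wrappers, as it does for
 * printf/fprintf/syslog. fmt_idx is the 1-based position of the format
 * argument, first_arg the position of the first variadic argument. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, first_arg) __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define PRINTF_LIKE(fmt_idx, first_arg)
#endif

/* Returns 1 if s contains a conversion directive: a '%' followed by anything
 * other than another '%'. "%%" is a literal percent sign and is not flagged.
 * Useful as an input-validation or logging-audit check for strings that are
 * about to be passed (wrongly) as a format string. */
int contains_format_directive(const char *s) {
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" escapes itself; skip the pair */
            p++;
            continue;
        }
        return 1;               /* "%s", "%x", "%n", trailing "%": all directives */
    }
    return 0;
}

/* The safe pattern from the slides, rendered into a buffer so the result can be
 * inspected: the only format string is the literal "%s"; user is an argument,
 * so "%s%s%n" in user is printed as those six characters, never interpreted.
 * Returns the number of characters snprintf would have written. */
int render_safe(char *buf, size_t len, const char *user) {
    return snprintf(buf, len, "%s", user);
}

/* A custom logging wrapper. Because of PRINTF_LIKE, a call such as
 * fmt_to_buf(buf, len, user) with a non-literal format is reported by
 * -Wformat-security, and fmt_to_buf(buf, len, "%d", "x") by -Wformat. */
PRINTF_LIKE(3, 4)
int fmt_to_buf(char *buf, size_t len, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

int main(void) {
    /* Constructed sample inputs for the demonstration. */
    const char *inputs[] = { "testing", "100%% done", "%s%s%s%s%s%s%s", "%08x.%08x.%n" };
    char buf[128];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-20s directive=%d\n", inputs[i], contains_format_directive(inputs[i]));
    }

    /* Both safe paths leave the directives in the user data uninterpreted. */
    render_safe(buf, sizeof buf, "%s%s%s%s");
    printf("render_safe  -> %s\n", buf);
    fmt_to_buf(buf, sizeof buf, "user=%s", "%n%n");
    printf("fmt_to_buf   -> %s\n", buf);
    return 0;
}
```

Build with `-Wall -Wformat=2 -Werror=format-security` so that any remaining `printf(user)` or `fmt_to_buf(buf, len, user)` call fails the build instead of shipping; the attribute is what extends that check from the standard functions to the project's own loggers.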
Exploit
Dumping arbitrary memory:
Walk up stack until desired pointer is found.

printf("%08x.%08x.%08x.%08x|%s|")

Writing to arbitrary memory:

printf("hello %n", &temp) -- writes 6 into temp.

printf("%08x.%08x.%08x.%08x.%n")
