A easy Format String Vuln Example.

[3vilp4wn]

Hey all,

I made a little program for you to try to hack, as a demonstration of format string vulns.

It's quite easy to crash, and getting data from the stack isn't that hard.

Here's the code:

Code: Select all

//This was only tested with Code::Blocks on Windows XP:

#include <stdio.h>

int main()
{
    char str [80];
    printf("Welcome to hackme #1!\n\n");
    printf("TESO's Format String vuln info may be useful.\nIt can be found at \"http://www.win.tue.nl/~aeb/linux/hh/formats-teso.html\".\n\nGood Luck!\n\n");
    printf("You have 2 goals:\n    *Crash The program.\n    *Fetch any data from the stack.\n\n");
    printf("Enter your name: ");
    scanf("%s", str);

    //I don't know about printf("Hello, %s.", str);
    printf("Hello, ");
    printf(str);
    printf(".");
    return 0;
}


And for those of you who want to cheat (select to view):

To crash the program:
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
Or, buffer overflow style (92 a's!):
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

To get data from the stack [WIP]:
%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x


Have fun!

[KthProg]

If it's not too much to ask, could you explain a little more about why this works?
I have a really basic understanding of 'stacks' in a program and pointers and things like that because I'm not very familiar with lower-level languages, so a better explanation would be awesome.
lol nice job on hiding the answer.

[WallShadow]

Cool, gonna go crack this in a second, though you should always mention what platform is it for. Even though it compiles on win, more recent win computers have Data Execution Prevention set by default which prevents a simple hack of it and requires something like a return-to-libc exploit. And as for ASLR, i have no clue, but there are probably some OS's that have that set by default as well.

other than that, good job on educating HTS. <3

[3vilp4wn]

If it's not too much to ask, could you explain a little more about why this works?

Sure.

So C++ has built in things called "Format Strings" that you can put in strings. You may have seen some of them. The syntax is like so:

Code: Select all

printf("Hello, %s.", "KthProg")


That will replace "%s" with "KthProg".
If you notice, I *didn't* use that syntax in the program. That is A Bad Thing.
For example, look at these 2 programs. One crashes, one doesn't:

Bad:

Code: Select all

Printf("%s%s%s%s")


Good:

Code: Select all

Printf("%s", "%s%s%s%s")


The reason for that is that when you use the format string, it sanitizes the string coming in, making it useful for user input. In the bad example, it can't find what it's supposed to put in place of the "%s"s, so it crashes.
As for reading data off the stack, it just uses different format strings that do different things.

Point is, sanitize user input.

you should always mention what platform is it for.

Edited.
Currently, my linux box doesn't have a network connection, so I can't download g++ to test it.
If anyone has run it on anything but Win XP, tell me and I'll update the post!

Even though it compiles on win, more recent win computers have Data Execution Prevention set by default which prevents a simple hack of it and requires something like a return-to-libc exploit.

Hmm, I should research more about that... But the client can always turn off Data Execution Prevention, so you shoulden't rely on it.

other than that, good job on educating HTS. <3

Thanks!

[KthProg]

Ah i see!
So if you're able to send it a format operator where it has no object to format, it will crash.
So an 'Object not set or with statement not declared' error.

Is that right?

Also how does that code access the stack?

[3vilp4wn]

So if you're able to send it a format operator where it has no object to format, it will crash.
So an 'Object not set or with statement not declared' error.

Yeah, that's basically how it works.
The error happens when it tries to read the variable and there is none, so it gets junk data from the stack instead of the variable it was looking for, usually resulting in a crash.

Also how does that code access the stack?

Remember how it's junk data from the stack? Well, all you need to do is format it in hex, and BAM, data.
we format it in hex using the %08x format string. That just says to retrieve parameters from the stack and display them as 8-digit hexadecimal numbers.

[KthProg]

Wow so you could identify this pretty easily.
You just run a program and check to see if it ever repeats your input back to you on its own, then you'd know that you can submit format strings to it as plain text.

Does this work in any language that has format strings?
Also what kinds of things could you learn from the stack data?

PS I am immune to this, I use string manipulation to format input, as formatters make code messy, so i've largely ignored them lol

[3vilp4wn]

Wow so you could identify this pretty easily.
You just run a program and check to see if it ever repeats your input back to you on its own, then you'd know that you can submit format strings to it as plain text.

Well, not always. But its worth trying stuff like \n and %s.

Does this work in any language that has format strings?

It should, but the syntax might be a bit different.

Also what kinds of things could you learn from the stack data?

Values of variables and other assorted cool shit. you can also use %n to overwrite values on the stack, essentially changing variables. But that's quite hard to do.

PS I am immune to this, I use string manipulation to format input, as formatters make code messy, so i've largely ignored them lol

That might also expose you to other threats, depending on what code you use.

[KthProg]

I wouldnt mind hearing what types of threats those could be.
Also thanks for your patience people dont often answer all of my questions lol.

[3vilp4wn]

I wouldnt mind hearing what types of threats those could be.

Post in the "Programming" thread with an example of your code and I'll help you. I can't say without looking at your code.

Also thanks for your patience people dont often answer all of my questions lol.

No problem. I can see you're just trying to learn.