An easy Format String Vuln Example.

Post by 3vilp4wn on Wed Feb 27, 2013 8:03 pm

Hey all,

I made a little program for you to try to hack, as a demonstration of format string vulns.

It's quite easy to crash, and getting data from the stack isn't that hard.

Here's the code:

//This was only tested with Code::Blocks on Windows XP:

#include <stdio.h>

int main()
{
    char str [80];
    printf("Welcome to hackme #1!\n\n");
    printf("TESO's Format String vuln info may be useful.\nIt can be found at \"http://www.win.tue.nl/~aeb/linux/hh/formats-teso.html\".\n\nGood Luck!\n\n");
    printf("You have 2 goals:\n    *Crash The program.\n    *Fetch any data from the stack.\n\n");
    printf("Enter your name: ");
    scanf("%s", str);   // unbounded read into an 80-byte buffer (the second bug)

    //I don't know about printf("Hello, %s.", str);
    printf("Hello, ");
    printf(str);        // user input used as the format string (the intended bug)
    printf(".");
    return 0;
}


And for those of you who want to cheat:

To crash the program:
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
Or, buffer overflow style (92 a's!):
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

To get data from the stack [WIP]:
%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x


Have fun! :D
Last edited by 3vilp4wn on Thu Feb 28, 2013 7:22 pm, edited 1 time in total.
Do not mistake understanding for realization, and do not mistake realization for liberation
Evil Ninja Hackers
???
٩(͡๏̯͡๏)۶

1A4EAMboaXpgvUSmtRbVRqbfJrbyuGhyoo
3vilp4wn
Poster
Posts: 144
Joined: Sun Feb 10, 2013 2:05 am
Location: The darkness.


Re: An easy Format String Vuln Example.

Post by KthProg on Wed Feb 27, 2013 9:37 pm

If it's not too much to ask, could you explain a little more about why this works?
I have a really basic understanding of 'stacks' in a program and pointers and things like that because I'm not very familiar with lower-level languages, so a better explanation would be awesome.
lol nice job on hiding the answer.
KthProg
Poster
Posts: 219
Joined: Wed Jan 23, 2013 7:06 pm


Re: An easy Format String Vuln Example.

Post by WallShadow on Wed Feb 27, 2013 9:57 pm

Cool, gonna go crack this in a second, though you should always mention what platform it is for. Even though it compiles on Win, more recent Win computers have Data Execution Prevention set by default, which prevents a simple hack of it and requires something like a return-to-libc exploit. And as for ASLR, I have no clue, but there are probably some OSes that have that set by default as well.

other than that, good job on educating HTS. <3
WallShadow
Contributor
Posts: 595
Joined: Tue Mar 06, 2012 9:37 pm


Re: An easy Format String Vuln Example.

Post by 3vilp4wn on Thu Feb 28, 2013 7:21 pm

KthProg wrote:If it's not too much to ask, could you explain a little more about why this works?

Sure.

So C++ has built-in things called "Format Strings" that you can put in strings. You may have seen some of them. The syntax is like so:

printf("Hello, %s.", "KthProg");

That will replace "%s" with "KthProg".
If you notice, I *didn't* use that syntax in the program. That is A Bad Thing.
For example, look at these 2 programs. One crashes, one doesn't:

Bad:

printf("%s%s%s%s");


Good:

printf("%s", "%s%s%s%s");


The reason for that is that when you use the format string, it sanitizes the string coming in, making it useful for user input. In the bad example, it can't find what it's supposed to put in place of the "%s"s, so it crashes.
As for reading data off the stack, it just uses different format strings that do different things.

Point is, sanitize user input.


WallShadow wrote:you should always mention what platform is it for.

Edited.
Currently, my Linux box doesn't have a network connection, so I can't download g++ to test it. :(
If anyone has run it on anything but Win XP, tell me and I'll update the post!

WallShadow wrote:Even though it compiles on win, more recent win computers have Data Execution Prevention set by default which prevents a simple hack of it and requires something like a return-to-libc exploit.

Hmm, I should research more about that... But the client can always turn off Data Execution Prevention, so you shouldn't rely on it.

WallShadow wrote:other than that, good job on educating HTS. <3

Thanks!
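An added example (mine, not code from the original post or from this reply): the greeting from the hackme written as two functions side by side, so the "Bad" and "Good" forms above can be compared on the same input. greet_unsafe keeps the bug (the name is handed over as the format), greet_safe passes the name as the %s argument, and read_name replaces scanf("%s") with a bounded read so the 92 a's from the first post are cut off at 79 bytes instead of overrunning the buffer. The function names and the 256-byte body buffer are my own choices. One caveat on the wording above: the safe form does not sanitize anything. The input is simply never parsed as a format, so a '%' in it is just a byte that gets copied.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 80   /* same buffer size as the hackme's char str[80] */

/* Vulnerable form, kept as in the hackme: the name is passed to snprintf as
 * the FORMAT with no arguments behind it, so every '%' directive in it is
 * interpreted against whatever sits in the variadic argument slots.
 * Compilers report this line under -Wformat-security; the pragma only
 * silences that so the comparison builds. Returns the greeting length
 * or -1 on error. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int greet_unsafe(char *out, size_t outsz, const char *name)
{
    char body[256];
    int n = snprintf(body, sizeof body, name);   /* BUG: user data as format */
    if (n < 0) return -1;
    return snprintf(out, outsz, "Hello, %s.", body);
}
#pragma GCC diagnostic pop

/* Fixed form: the name is a %s ARGUMENT. A '%' inside it is just a byte. */
int greet_safe(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz, "Hello, %s.", name);
}

/* Bounded replacement for scanf("%s", str): stores at most dstsz - 1 bytes,
 * so an over-long name is truncated instead of overrunning the buffer.
 * Strips the trailing newline. Returns 0 on success, -1 on EOF/error. */
int read_name(char *dst, size_t dstsz, FILE *in)
{
    if (dstsz == 0 || !fgets(dst, (int)dstsz, in)) return -1;
    dst[strcspn(dst, "\n")] = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_MAX], out[512];
    printf("Enter your name: ");
    if (read_name(name, sizeof name, stdin) != 0) return 1;
    if (greet_safe(out, sizeof out, name) >= 0)
        printf("safe:   %s\n", out);
    /* Type "%08x.%08x" or "%s%s%s%s" as the name to see the difference:
     * greet_safe echoes it literally, greet_unsafe interprets it (and with
     * no arguments behind the format, what happens is undefined). */
    if (greet_unsafe(out, sizeof out, name) >= 0)
        printf("unsafe: %s\n", out);
    return 0;
}
```

Build with -Wformat -Wformat-security and drop the pragma to see the compiler flag the greet_unsafe line on its own; that warning is the cheapest detection for this whole bug class.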


Re: An easy Format String Vuln Example.

Post by KthProg on Thu Feb 28, 2013 7:54 pm

Ah i see!
So if you're able to send it a format operator where it has no object to format, it will crash.
So an 'Object not set or with statement not declared' error.

Is that right?

Also how does that code access the stack?


Re: An easy Format String Vuln Example.

Post by 3vilp4wn on Thu Feb 28, 2013 8:24 pm

KthProg wrote:So if you're able to send it a format operator where it has no object to format, it will crash.
So an 'Object not set or with statement not declared' error.


Yeah, that's basically how it works.
The error happens when it tries to read the variable and there is none, so it gets junk data from the stack instead of the variable it was looking for, usually resulting in a crash.

KthProg wrote:Also how does that code access the stack?


Remember how it's junk data from the stack? Well, all you need to do is format it in hex, and BAM, data.
We format it in hex using the %08x format string. That just says to retrieve parameters from the stack and display them as 8-digit hexadecimal numbers.


Re: An easy Format String Vuln Example.

Post by KthProg on Thu Feb 28, 2013 8:33 pm

Wow so you could identify this pretty easily.
You just run a program and check to see if it ever repeats your input back to you on its own, then you'd know that you can submit format strings to it as plain text.

Does this work in any language that has format strings?
Also what kinds of things could you learn from the stack data?

PS I am immune to this, I use string manipulation to format input, as formatters make code messy, so i've largely ignored them lol
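An added example (mine, not from anyone in this thread) for the two questions above: how does %08x reach the stack, and how do you tell that an input would be dangerous as a format string. audit_format parses a string the way printf does and reports how many argument slots it would consume and whether any of them would be dereferenced (%s) or written through (%n); walk_known_slots then runs a plain-integer format against three constructed marker values so you can watch each %08x take the next slot. The struct, the function names and the marker values are assumptions of the example. One caveat on "the stack": on 32-bit x86, which the Windows XP build targets, every variadic slot is on the stack; on x86-64 the first few come from registers and only later ones from the stack.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

struct fmt_report {
    int  args_consumed;  /* argument slots the string would read */
    int  derefs;         /* %s: reads a slot and follows it as a char pointer */
    int  writes;         /* %n: reads a slot and stores through it as an int pointer */
    int  other;          /* length modifier, %p or floating conversion: not a plain int slot */
    bool malformed;      /* a '%' not followed by a complete directive */
};

/* Scans s the way printf does: "%%" is a literal; otherwise flags, width,
 * precision, length modifier, conversion. A '*' width or precision pulls an
 * extra argument of its own. Positional "%N$" forms are not modelled and
 * come back as malformed, which for user input is the right answer anyway. */
struct fmt_report audit_format(const char *s)
{
    struct fmt_report r = {0, 0, 0, 0, false};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                        /* "%%" -> literal '%' */
        while (*p && strchr("-+ #0", *p)) p++;          /* flags */
        if (*p == '*') { r.args_consumed++; p++; }      /* width from a slot */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                                /* precision */
            p++;
            if (*p == '*') { r.args_consumed++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        bool lenmod = false;
        while (*p && strchr("hlLjzt", *p)) { lenmod = true; p++; }
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p)) { r.malformed = true; break; }
        r.args_consumed++;
        if (*p == 's') r.derefs++;
        else if (*p == 'n') r.writes++;
        else if (lenmod || strchr("peEfFgGaA", *p)) r.other++;
    }
    return r;
}

/* True when the string would behave as plain text even if some careless
 * printf(str) swallowed it: no directives at all. A check for inputs that
 * get echoed, not a substitute for writing printf("%s", str). */
bool is_safe_as_format(const char *s)
{
    struct fmt_report r = audit_format(s);
    return !r.malformed && r.args_consumed == 0;
}

/* Shows what "%08x.%08x..." does: each directive takes the next slot. Three
 * constructed marker values stand in for whatever the frame holds, and the
 * audit limits the format to plain-int reads so this stays defined
 * behaviour. Returns 0 and fills out, or -1 if the format is refused. */
int walk_known_slots(char *out, size_t outsz, const char *user_fmt)
{
    struct fmt_report r = audit_format(user_fmt);
    if (r.malformed || r.derefs || r.writes || r.other || r.args_consumed > 3)
        return -1;
    snprintf(out, outsz, user_fmt, 0xdeadbeefu, 0xcafebabeu, 0x41414141u);
    return 0;
}

int main(void)
{
    /* constructed inputs: the two payloads from the first post and a harmless name */
    const char *inputs[] = {
        "KthProg",
        "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
        "%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct fmt_report r = audit_format(inputs[i]);
        printf("%-40s slots=%d derefs=%d writes=%d %s\n", inputs[i],
               r.args_consumed, r.derefs, r.writes,
               is_safe_as_format(inputs[i]) ? "plain text" : "DIRECTIVES");
    }
    char out[64];
    if (walk_known_slots(out, sizeof out, "%08x.%08x.%08x") == 0)
        printf("%s\n", out);   /* deadbeef.cafebabe.41414141 */
    return 0;
}
```

The %s payload is the crash from the first post seen from the audit's side: eighteen slots, every one of them dereferenced as a pointer, which is why junk from the frame ends in a fault. The %08x payload reads the same slots but only prints them, which is why it leaks instead of crashing.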


Re: An easy Format String Vuln Example.

Post by 3vilp4wn on Thu Feb 28, 2013 8:57 pm

KthProg wrote:Wow so you could identify this pretty easily.
You just run a program and check to see if it ever repeats your input back to you on its own, then you'd know that you can submit format strings to it as plain text.

Well, not always. But it's worth trying stuff like \n and %s.

KthProg wrote:Does this work in any language that has format strings?

It should, but the syntax might be a bit different.

KthProg wrote:Also what kinds of things could you learn from the stack data?

Values of variables and other assorted cool shit. You can also use %n to overwrite values on the stack, essentially changing variables. But that's quite hard to do.

KthProg wrote:PS I am immune to this, I use string manipulation to format input, as formatters make code messy, so i've largely ignored them lol

That might also expose you to other threats, depending on what code you use.
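An added example (mine, not from the thread) for the %n remark above: the arithmetic of the write. %n stores the number of characters printed so far into the int its argument points to, a width such as %5000c chooses that number, and %hn stores only 16 bits, so a larger value is built from two writes using the running count. Here the format is a literal and the target pointers are passed explicitly, so the store lands in a known variable; in the real attack both the directives and the pointer come from the input (the pointer as raw bytes of the input buffer sitting in one of the argument slots). Function names and the scratch buffer sizes are my own.

```c
#include <stdio.h>
#include <stdint.h>

/* What a "%<width>c%n" pair stores: %n writes the running character count
 * into the int its argument points to, and the width sets that count.
 * Returns the stored value, or -1 if the width does not fit the scratch
 * buffer (the bound keeps this demo itself from overrunning anything). */
long n_write_value(int width)
{
    static char scratch[8192];
    int stored = -1;
    if (width < 1 || width >= (int)sizeof scratch) return -1;
    /* '*' takes the width from the argument list; 'A' is the padded char */
    if (snprintf(scratch, sizeof scratch, "%*c%n", width, 'A', &stored) < 0)
        return -1;
    return stored;
}

/* Two 16-bit stores (%hn) from one call. The count keeps running across
 * directives, so the second width is only the distance (mod 65536) from the
 * first value to the second; that is how a 4-byte value gets assembled from
 * two short writes without a multi-billion-character width. A %c always
 * emits at least one character, so a zero width is refused.
 * Returns 0 on success, -1 otherwise. */
int two_short_writes(unsigned v1, unsigned v2, unsigned short *o1, unsigned short *o2)
{
    static char scratch[140000];   /* room for two widths of up to 65535 */
    unsigned w1 = v1 & 0xffffu;
    unsigned w2 = (v2 - w1) & 0xffffu;
    if (w1 == 0 || w2 == 0) return -1;
    if (snprintf(scratch, sizeof scratch, "%*c%hn%*c%hn",
                 (int)w1, 'A', (short *)o1, (int)w2, 'A', (short *)o2) < 0)
        return -1;
    return 0;
}

int main(void)
{
    unsigned short lo = 0, hi = 0;
    printf("%%5000c%%n stores %ld\n", n_write_value(5000));
    if (two_short_writes(0x4141, 0x1234, &lo, &hi) == 0)
        printf("%%hn pair stored 0x%04x then 0x%04x\n", lo, hi);
    return 0;
}
```

Note that glibc builds with _FORTIFY_SOURCE refuse %n when the format string lives in writable memory, which is exactly the attacker-controlled case; the literal format here is why this demo is allowed to run. It is the same kind of mitigation as the DEP point raised earlier in the thread: helpful, but not something to rely on instead of printf("%s", str).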


Re: An easy Format String Vuln Example.

Post by KthProg on Thu Feb 28, 2013 9:06 pm

I wouldn't mind hearing what types of threats those could be.
Also thanks for your patience, people don't often answer all of my questions lol.


Re: An easy Format String Vuln Example.

Post by 3vilp4wn on Thu Feb 28, 2013 9:10 pm

KthProg wrote:I wouldn't mind hearing what types of threats those could be.

Post in the "Programming" thread with an example of your code and I'll help you. I can't say without looking at your code.

KthProg wrote:Also thanks for your patience, people don't often answer all of my questions lol.

No problem. I can see you're just trying to learn.

