How to exploit Format String Vulnerabilities - Security Boulevard

How to exploit Format String Vulnerabilities

Introduction

In the previous articles, we discussed printing functions, format strings and format string vulnerabilities. This article provides an overview of how Format String vulnerabilities can be exploited. In this article, we will begin by solving a simple challenge to leak a secret from memory. In the next article, we will discuss another example, where we will chain a format string vulnerability and Buffer Overflow vulnerability to create better impact. 

How can format string vulnerabilities be exploited?

As mentioned in the previous article, following are some of the attacks possible using Format String vulnerabilities.

  • Leaking secrets
  • Denial of Service
  • Leaking memory addresses
  • Overwriting memory addresses 

In this article, let us discuss the first two items.

Leaking secrets from stack

Following is the vulnerable program we will use to understand the approach to exploit a simple format string vulnerability to be able to read data from memory.

#include <stdio.h>

int main(int argc, char *argv[]){

    char *secret = “p@ssw0rD”;

    printf(argv[1]);

}

 

As we can notice, the program is vulnerable to format string vulnerability since the printf function receives user input and prints it. It should be noted that there is no format specifier used in the printf function thus leaving the program vulnerable.

Let us run the program using gdb, check the disassembly of the main function and set up a breakpoint at the address of printf call.

$ gdb ./vulnerable

gef➤  disass main

Dump of assembler code for function main:

   0x0000000000401136 <+0>: endbr64 

   0x000000000040113a <+4>: push   rbp

   0x000000000040113b <+5>: mov    rbp,rsp

   0x000000000040113e <+8>: sub    rsp,0x20

   0x0000000000401142 <+12>: mov    DWORD PTR [rbp-0x14],edi

   0x0000000000401145 <+15>: mov    QWORD PTR [rbp-0x20],rsi

   0x0000000000401149 <+19>: lea    rax,[rip+0xeb4]        # 0x402004

   0x0000000000401150 <+26>: mov    QWORD PTR [rbp-0x8],rax

   0x0000000000401154 <+30>: mov    rax,QWORD (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ni9rN5EqcW0/