A simple Format String exploit example - bin 0x11

LiveOverflow · Beginner · 🔐 Cybersecurity · 10y ago

Key Takeaways

This video teaches how to exploit a simple Format String vulnerability using %n

Full Transcript

In this episode we will have a look at format level one from exploit-exercises Protostar. This class of vulnerability is weird, but it was mind-blowing to me when I first saw it. So first of all, what are format strings? Probably the most known function in C is printf. printf prints formatted data to stdout. In my programming in C video I've used printf to print a name that a user can supply. The parameters of printf are the following: the first parameter is the so-called format string; in that early video that was "knock knock" and the %s, and as the second parameter we used argv[1], which contains a string. So printf read the format string and found the %s, which means that at this position belongs a string, so it takes the first supplied variable, in this case argv[1], and places the string there. Format strings support a lot of different types of variables, for example %d, which is a signed decimal integer, or %x to display a number in hex. And you can do even more than that: for example, if you specify a number between the percent sign and the specifier, you can tell what size it should be padded to, and you can for example prepend a zero to that number to pad the result with zeros. Format string functions like that exist also in other languages; for example, you can use pretty much the same features in Python: print a format string with percent and then the variables afterwards with another percent sign, or better use the format function, which has a slightly different syntax, but in the end it's all the same. And now you wonder: how the hell can something that just prints text be exploited?

So let's have a look at the source code of format level one. main calls the function vuln with the string from argv[1], and that string is placed in printf, and then we have a global variable target which is checked if it got modified. So, pretty similar to some earlier stack buffer overflow challenges, we need to manipulate this value. But how can we manipulate this variable in memory with printf? Well, let's do this step by step. Let's first execute the program. As you can see, it will simply print whatever we supply in argv[1]. That looks simple, but there is one small thing you should notice: which parameter of printf does the attacker control? It's not the second parameter like in the programming in C video, it's the first parameter, the format string. Can we just use some percent syntax? Let's try. Let's enter a format string: test %d. Oh damn, it printed a number. Weird. Let's add some more, more numbers. Let's print them as hex instead of signed decimal numbers. That looks familiar. Remember the videos where we were looking at the stack? Do those values starting with b remind you of something? Those were stack addresses. So what are we printing here? If you have watched the previous episode about reversing C, you know how functions are being called, especially in 32-bit: the parameters are simply placed on the stack and then the function is called. So if you would use printf normally, your variables that you want to print would be placed on the stack. Well, now there are no variables being placed on the stack, so what values are we reading? Obviously we are reading whatever printf can find on the stack, so any value on the stack.

So what can you do with it? First of all, it's a memory leak vulnerability. You can leak all kinds of stuff from the stack. Imagine you had a program with ASLR, meaning that the location of the stack in memory is random and you don't know where it is, but you need the address for a buffer overflow to jump to shellcode. With this here you can leak values from the process memory, most specifically from the stack, and that's possibly leaking stack addresses, which then you can use in a second step for a buffer overflow. In a recent CTF which I played there was an exploitable challenge where I used the format string vulnerability to leak the stack canary. I will do a video about exploit mitigations at another point, but the stack canary is a random value which protects from buffer overflows. If I can get this number I can defeat the protection, which I did. So at first, leaking some weird values from a process memory doesn't sound like much, but there are many examples you can come up with where disclosing some memory could help exploiting a target. After all, bugs like Heartbleed were just leaking some memory, and it was awful.

Okay, but in our particular case, how can we use that to modify a value? At the moment it only looks like we can leak values from the stack. Let's have a look at the printf man page, man 3 printf, and let's scroll to the well-known BUGS section. It says here: if something comes from untrusted user input, it may contain %n, causing the printf call to write to memory and creating a security hole. And a little bit further up, the specifier n is explained: the number of characters written so far is stored in the integer indicated by the int * (or variant) pointer argument. So %n writes the amount of characters that were already printed into a variable, and a variable is just some area in memory, and we know that to specify where the area is we need to use a pointer. If we just look at the assembler code, a pointer is simply an address, so that printf knows where to write the result. So if you were to write a legit C program with %n, you would place a pointer to an integer variable as a parameter to printf, but in assembler this is just simply putting an address of the variable on the stack. This means that whatever value is on the stack is used as a location where printf will write to. Now you can basically solve this challenge alone: we need to write a value into target. So let's use objdump -t to find all symbols from the binary, and here's the address of the target variable. Now when we want printf to write something at this location, we have to find this address on the stack.

Let's start investigating. I will use Python in a one-line script, an inline script directly from the command line via -c, to help me with printing a test string, for example 10 hex numbers. Hmm, maybe I want to separate them. Doesn't look like the address is here. Maybe if we print more values from the stack. Nope, not here. Maybe more. Wait a minute, what is that weird pattern in those hex values? It could be ASCII; hex 20 is a space after all. With Python we can quickly convert those hex values to ASCII characters, and that looks like our string that we have supplied. Let's test this with, um, adding some capital A's, because we can recognize those ASCII values easily. Now we just have to look for 41414141, and indeed there are our A's. And it makes sense, because the program arguments are simply stored on the stack, like the environment variables and other stuff. Cool. This means we can simply place the address of the target on the stack ourselves by adding it to our string. So get the address again for target, and then we can add the address in our string, maybe wrap it in some A's and B's so we can find it in the output easily. Oh yes, there it is. Cool. So in theory we just have to replace the %x that was printing this address with %n to instead write to this location. To do this we first have to change our format string, reducing the number of %x's we print, so then we can use a %n to write to that number. And now I'll start fiddling around with it, trying to get the right number, and if you pay attention, looking for the A's and B's again that are wrapping the address, you see that it's not perfectly aligned anymore. So it's some trial and error, figuring out how many %x's we need so that the next %x that I append will hit the address exactly, so I can replace that with a %n. You could do it more intelligently, but I will just figure it out with trial and error. You have to be careful, because, uh, remember from our previous videos where the stack was shifting around because of stuff like environment variables: the different length program argument that we supply moves the stack around as well, so you might have to fiddle around quite a bit until you just get it right.

Okay, that took a bit, but looks cool. The last %x seems to reference our address now, and when we replace the %x with the %n to write to that address, we modify the target. And you can imagine that if we can write anywhere in memory we could overwrite things to redirect code execution as well, so that will be the case in later levels. Just a small tip: when you work with format string exploits, it makes sense to keep your attack string always the same length, then you don't have to fiddle around much. Um, just use a Python script that always extends or cuts the string to, like, 500 characters or something, and then you have enough space to play around and the stack doesn't move around much.
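As an added example (not code from the video or from the format1 challenge), the vulnerable pattern the episode describes next to its fix, plus two small helpers that show what %n actually stores and how field width drives that count. It assumes glibc's printf family; the compiler warning that the unsafe function triggers is silenced on purpose, because that warning is itself the cheapest detection for this bug class.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from format1: the caller hands user data to printf
   as the format string, so "%x" reads the stack and "%n" writes to
   whatever address it finds there. Silenced so the example compiles;
   in a real build you want -Werror=format-security to catch this. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void echo_unsafe(const char *user)
{
    printf(user);
}
#pragma GCC diagnostic pop

/* Fixed pattern: the format is a literal and user data is an argument,
   so any conversion specifiers in the input are printed as plain text. */
void echo_safe(const char *user)
{
    printf("%s", user);
}

/* Legitimate %n: it stores the number of characters emitted so far into
   the int that the matching pointer argument points to. The format here
   is a string literal, so the pointer is one the program chose itself. */
int chars_before_n(const char *s)
{
    int count = -1;
    char buf[128];
    snprintf(buf, sizeof buf, "%s%n", s, &count);
    return count;               /* strlen(s) for inputs that fit */
}

/* Field width decides the count: "%*u" pads the number to `width`
   characters, so %n records `width` unless the digits need more room. */
int padded_count(unsigned value, int width)
{
    int count = -1;
    char buf[128];
    snprintf(buf, sizeof buf, "%*u%n", width, value, &count);
    return count;
}

/* Renders `user` the safe way and reports whether it survived verbatim,
   i.e. whether "%x" or "%n" in the input stayed literal text. */
int safe_keeps_input_literal(const char *user)
{
    char out[128];
    snprintf(out, sizeof out, "%s", user);
    return strcmp(out, user) == 0;
}

int main(void)
{
    echo_safe("input with %x and %n stays literal\n");
    echo_unsafe("a constant string is harmless here, user data is not\n");
    printf("%%n after \"hello\": %d\n", chars_before_n("hello"));
    printf("%%n after %%8u: %d\n", padded_count(42, 8));
    return 0;
}
```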

Original Description

Solving format1 from exploit-exercises.com with a simple Format String vulnerability, exploited with %n.

Stack layout: https://www.win.tue.nl/~aeb/linux/hh/stack-layout.html
format1: https://exploit.education/protostar/format-one/
CTF format string exploit: https://gist.github.com/LiveOverflow/937b659c9a37be099ddd