This blog post will teach you how to exploit the format string vulnerability.
Prerequisites:
Basic knowledge of the format string vulnerability
Experience with the gdb debugger
Basic understanding of C programming
Goal:
Get the program to print "You entered right parameter"
Program:
    #include <stdio.h>
    #include <string.h>

    int flag;

    int main(int argc, char **argv)
    {
        char password[255];
        flag = 0;
        if (argc < 2)
        {
            printf("usage: %s <password>\n", argv[0]);
            return 1;
        }
        strncpy(password, argv[1], 255);
        password[254] = '\0';   /* strncpy does not terminate if argv[1] fills the buffer */
        printf("\nEntered password is : ");
        printf(password);       /* format string vulnerability: user input used as the format */
        printf("\n");
        if(flag)
        {
            printf("You entered right parameter\n");
        }
        else
        {
            printf("wrong input\n");
        }
        return 0;
    }
We will deal only with the executable file and NOT the source code.
Disabling all countermeasures against buffer overflow attacks and format string exploitation:
Disable address randomization with the following command:
# sysctl -w kernel.randomize_va_space=0
Disable the stack guard (stack canaries) when compiling:
# gcc -fno-stack-protector -o example example.c
Disable NX protection (make the stack executable) as well:
# gcc -z execstack -fno-stack-protector -o example example.c
To get the output "You entered right parameter", we need to change the value of the global variable 'flag'. The program never assigns it anything other than 0, so the 'if(flag)' condition is always false.
Our task is to find the address of the variable flag and overwrite its contents with a value other than 0.
By exploiting the format string vulnerability in 'printf' (the user's input is passed as the format string itself), we can output the contents of memory locations.
We input some characters (AAAA here) and dump the contents of memory with %x. See the values 41414141, which correspond to AAAA: our input lies on the stack where printf reads its arguments, so we now control a value that printf will treat as an address and can overwrite the contents there.
We want to overwrite the contents at the address of 'flag'. In the following screenshot, observe that we try to overwrite AAAA, but since 0x41414141 is not a valid writable address we get a segmentation fault.
Using gdb we can find the address of 'flag', and we put that address in AAAA's position. (Refer: Wiki article) The contents of that address are then overwritten with a positive value, namely the number of characters written so far (here 7). As a result the 'if(flag)' condition becomes true and the required output is obtained.
A Python script is used to supply the address bytes as input, since they are not printable characters and cannot be typed as a string.
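As an added example (not the post's code), here is the hardened form of the echo beside a small directive scanner a defender could run on untrusted input to log or reject attempts like the one above; the function names and the sample input are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

int flag;

/* Hardened form of the post's echo: the password is passed as an argument,
 * never as the format string, so "%x" or "%n" in it is printed literally.
 * Returns flag, which stays 0 whatever the input contains. */
int echo_password_safe(const char *password)
{
    flag = 0;
    printf("\nEntered password is : %s\n", password);
    return flag;
}

/* Walk a string the way printf would, counting conversions; *writes receives
 * how many are "%n" (the only directive that stores to memory). Handles "%%",
 * positional "%7$n", flags, width/precision with '*', and length modifiers. */
static int scan_directives(const char *s, int *writes)
{
    int total = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                             /* literal percent */
        const char *q = p;
        while (isdigit((unsigned char)*q)) q++;
        if (q > p && *q == '$') p = q + 1;                   /* positional argument */
        while (*p && strchr("-+ #0", *p)) p++;               /* flags */
        while (isdigit((unsigned char)*p) || *p == '*') p++; /* width */
        if (*p == '.') { p++; while (isdigit((unsigned char)*p) || *p == '*') p++; }
        while (*p && strchr("hlLqjzt", *p)) p++;             /* length modifiers */
        if (*p == '\0') break;                               /* truncated directive */
        total++;
        if (*p == 'n') (*writes)++;
    }
    return total;
}

/* Audit helpers to run on untrusted input before any printf-family call. */
int count_format_conversions(const char *s) { int w; return scan_directives(s, &w); }
int count_format_writes(const char *s)      { int w; scan_directives(s, &w); return w; }

int main(void)
{
    const char *sample = "AAAA%x%x%x%n";   /* constructed input, not from a real run */
    printf("%d conversions, %d of them %%n\n",
           count_format_conversions(sample), count_format_writes(sample));
    return echo_password_safe(sample);
}
```

The scanner is a detection aid only; the fix is the `%s` form, which the compiler's `-Wformat-security` warning also points at.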
Hope this article helps!