Playing God With Format String Attacks. Bsides Jax 2016 Travis Phillips 10/22/2016

Transcription

1 Playing God With Format String Attacks Bsides Jax 2016 Travis Phillips 10/22/2016

2 So Why This Talk? Been experimenting with them over the last year Found them simple in theory; difficult in practice. Found them to be quite powerful! Figured I would give a high level view. Show a few examples of it in action. Release a tool to help exploit them.

3 So What is a Format String? It is a string with formatter characters in it that certain formatter functions will work with manipulate. The most common one you will see is printf(), but others might be sprintf, snprintf, kprintf

4 Example Program with printf()

5 Printf() Usage

6 Example Program with printf()

7 Running the Example Program

8 So What Causes A Format String Attack? Going back to our example, The first parameter was a format string where you can put format character codes.

9 So What Causes A Format String Attack? A format string attack occurs when that format string parameter is passed user controlled data. This enables an attacker to place formatter characters and the function will use them assuming values on the stack where all parameters as well.

10 Moral of the Story... DON'T PUT USER CONTROLLED DATA HERE!

11 What's the Worst That Can Happen? Side effects may Include: Reading data off the stack. Leaked stack pointers, return addresses, stack canaries, environment variable pointers. Say farewell to your ASLR and stack protection. Reading "string data" from pointers on the stack. Note: string data is data that stops at a null byte Read binary data from any valid address on the stack. Read those environment variables.

12 What's the Worst That Can Happen? Side effects may Include: Reading arbitrary data from user specified memory addresses. In some cases, you can dump a the binary and libraries. Find ROP Gadgets made easy! Arbitrary writing of data to user specified memory addresses. In some cases, RCE is possible!!! You should always treat it as such.

13 In Some Cases? Yes, in some case. It's like a XSS Exploit The level of danger is contextual to how and where it happens. I will cover various exploit conditions and what they can yield.

14 Before We Begin... Let's Cover some basic formatters: %d print value as a number. %x print value as a hexadecimal number %s treat value as a pointer and print the string at that address.

15 Before We Begin... Widths can be specified between the % and letter. Examples with 0xdeadbeef: %x: yields [deadbeef] %10x: yields [ deadbeef] It will pad with spaces or a zero you specify at the start of it. Example with 0xdeadbeef: %012x: yields [0000deadbeef]

16 Example: printfvuln.c

17 Example: printfvuln.c

18 Fun with Parameters! Some c libs format strings support parameters! Parameters are used by putting a number followed by a dollar sign ($) between the % and the formatter code Example: %6$x would grab the 6th DWORD on the stack. These can be padded with zeros in front. More on this in next example.

19 Example: printfvuln.c - Looped! Dumping a stack by hand is a pain, and we are lazy... We can: Dump the stack hex values a loop. Dump the strings using a loop to determine interesting pointers. Remember the zero padding on parameters? Always try to keep the format string the same length if you want to keep the stack consistent.

20 Loop Dumping Hex for i in { }; do DATA=$(./printfVuln % $i\$x); echo -e " [$i] $DATA"; done

21 Loop Dumping Strings for i in { }; do DATA=$(./printfVuln % $i\$s); echo -e " [$i] $DATA"; done

22 Linking Things Together Environmental Variables can be found and and their addresses located using this. ASLR can be seen...

23 But ASLR Isn't A Deal Breaker It's only 12 bits of randomness in this case...

24 In a game of skill, brute force sometimes wins too... Defeating ASLR?

25 PoC I=$(expr 0 + 0); DATA="deadbeef"; while [ $DATA!= "ffb12fdc" ]; do DATA=$ (./printfvuln %094\$x); i=$(expr $i + 1); echo -e "$i => $DATA"; done i=$(expr 0 + 0); DATA="deadbeef"; while [ $DATA!= "ffb12fdc" ]; do DATA=$ (./printfvuln %094\$x); i=$(expr $i + 1); done; echo -e "\033[32;1m [*] Found in $i...\033[0m"

26 PoC

27 Reading from Random Addresses We saw our string on the stack. We can access those as pointers, via parameters. Super easy if our string is on the stack. just make sure the address will line up with a stack DWORD.

28 Example: printfstackbased

29 Example: printfstackbased First find where your string starts on the stack... Our's starts at parameter 4 Remember: A = 0x41, B = 0x42, C = 0x43, D = 0x44

30 Example: printfstackbased Next, Figure out what you want to read, I will opt for GOT addresses. I will opt for GOT of printf and memset.

31 Example: printfstackbased Place those addresses in the format string and dump them as strings. DATA=$(./printfStackBased $(perl -e 'print "\x98\x97\x04\x08\xa4\x97\x04\x08_%4\$s_ %5\$s";')); PRINTF=$(echo $DATA cut -d _ -f 2 cut -b -4); MEMSET=$(echo $DATA cut -d _ -f 3 cut -b -4); echo $PRINTF$MEMSET xxd -i

32 Example: printfstackbased Two pointers to libc functions dumped... Libc-database to determine libc library. You can now calculate the address to any other libc functions such as read(), system(), or mprotect().

33 The Fun Part: Writing Data! An excellent form of memory corruption! What is known as a Write Anything Anywhere primative. Stack canaries usually don't matter. Side step them entirely. Overwrite the GOT entry for stack_chk_fail() to your shellcode or trigger for your ROP chain.

34 Introducing the %n Formatter Used to write the number of bytes written by the format string function to a memory address. The address written to can be specified by a parameter. the size of this is usually 4 bytes, but can be limited. To two bytes with %hn. Or one byte with %hhn. These overflow back to zero.

35 Example: backdoor.c

36 How Do We Control What Gets Written? The %n parameter prints the number of bytes written. As shown earlier we can use a size parameter to control the size of the printed value. If you can calculate the number of bytes written, you can control the data written. Each write counts the bytes total, not per each write.

37 Example: Backdoor.c Find the parameter to our string. In our case it is at 4 again.

38 Example: Backdoor.c We know where we want to write, the address is given to us. If we just use a %n we can see 5 bytes. Number of bytes printed (4 byte address + 1 byte for the _, %n won't print anything)

39 Example: Backdoor.c We can include other formatters with size specifiers to pad the number of bytes written.

40 To calculate by hand. This Is A Pain... So I made a tool for this when it is stack based.

41 format_string_generator.py

42 format_string_generator.py

43 format_string_generator.py

44 And It Works Pretty Well...

45 Example: Backdoor.c No DEP Without DEP enabled, Shellcode execution is easy to do with our tool. Write a payload to somewhere in BSS section. Overwrite a function call GOT that gets triggered after the bug. In this case, printf() gets called again to print information about test, we can hijack that.

46 Example: Backdoor.c No DEP What you need: Exploit: Find the GOT address for printf() A place to write your payload such as.bss Write your payload. Overwrite the GOT to point your payload. Enjoy the hijacked execution flow.

47 Example: Backdoor.c No DEP Finding GOT Address

48 Example: Backdoor.c No DEP Find palace for payload

49 Example: Backdoor.c No DEP Create Exploit using tool

50 Example: Backdoor.c No DEP Run it! {Snip Snip}

51 That Was Cool! But setup and not likely real world... However use your imagination, this could alter data structures that may control your user permissions.

52 So About That RCE With DEP? The best place in my opinion is when you: Can keep running the exploit over and over. Are at least 3 functions deep. Example: main() => SetSocket() => HandleClient()

53 Why 3 Functions Deep? Stack arrangement is awesome! You have an EBP that points to another EBP Modify to point to addresses on the stack. Just after those would be return addresses.

54 Why Keep Running It? Modify values on the stack and use them on the next run. This let's you solve null byte issues. Allows several Memory leaks. Allows launching exploit in stages. Leak stack & GOT pointers. Find addresses of other libc functions like mprotect() or system(). Build your payload or ROP chain and write it. Trigger your payload or ROP chain.

55 What If We Can Only Run It Once? Attempt an exploit that enables more than one run or pulling external data in. Brute force the addresses and skip the leaks.

56 Example: CSAW Contacts Decent compiler security ASLR + DEP + Stack canary Had a printf bug Also from other write ups, had a heap overflow. Wasn't really needed, printf worked fine.

57 Example: CSAW Contacts Running

58 Example: CSAW Contacts The printf Bug

59 Example: CSAW Contacts The printf Bug

60 Building the Exploit Foundation Interaction Functions Create, Delete, and Display Contacts Pointer Manipulation Functions Get and set stack pointers using parameters and EBPs

61 Building the Exploit Foundation Leaker Function for pwntools DynELF() class Just take an address, write it to the stack, then access it as a string. Write-Anything-Anywhere primative Function. Since we have DEP present we will probably want to setup a rop chain.

62 Building a system(/bin/bash) ROP exploit. Use the leaker function to leak system(). Write /bin/bash to.bss section Write a rop chain to call system() with the /bin/bash string over the existing stack return address. Trigger it by calling the exit menu function.

63 Building a Raw Payload Exploit. Leak address of read() and mprotect(). Write a ropchain: Mprotect.bss as RWX Read payload into.bss RET to payload Trigger the ROP chain. Send the payload. Watch the fireworks

64 Downloads Slides, Source Code, Challenge Binary, and exploit scripts will be on wiki.jaxhax.org Download 'em and play around.

65 Recap Format string bugs shouldn't be taken lightly. reading, writing, and RCE are all pretty serious. Null bytes in address can be a pain in some cases. ASLR can sometimes be a hassle, but bruteforce sometimes works.

66 Recap DEP is usually the bigger challenge. If its not enabled, exploitation is a cake walk, so always check! Homework: overthewire.org => behemoth3 It's a format string bug. Everything here is what you need to know. Now go pwn it!

67 Q&A Time!? Travis Phillips Website: wiki.jaxhax.org