Exploitation of formatting string vulnerabilities on windows

Author: Abysssec

Translator: Riusksk (Quan Ge, Http://riusksk.blogbus.com)


This article is aimed at readers who already have a basic grounding in assembly language and understand the classic stack overflow; with that background, it should enable them to write their own format string exploitation programs on the Windows platform. It concentrates on the key exploitation techniques. Many people had written about format string vulnerabilities before this article was published, but those articles tend to be rather dry and basic. We do not claim that this article is excellent or comprehensive, but we will try to make it as complete as we can.

Format string vulnerabilities were first found around 1999, but until about 2000 they were regarded as harmless, even useful. A format string attack can crash the program or execute malicious code. The root cause is that unfiltered user input is passed as the format parameter of a C formatting function such as printf(). A malicious user can use %s and %x to read data from the stack or from other memory locations, and can use %n to write arbitrary data to an arbitrary address: when printf() or a similar function processes %n, it writes the number of bytes formatted so far to an address taken from the stack. A classic exploit mixes these techniques to overwrite a function address in a linked library, or a return address on the stack, with the address of malicious shellcode. Some format parameters serve mainly to control the number of output bytes, while %x is used to pop words off the stack until the start of the format string itself is reached. The crafted format string therefore begins with the address that %n will overwrite with the address of the code to be executed. It is worth knowing which software is affected by this class of vulnerability: Perl and C/C++ programs that use printf() and related functions, such as:

● printf()

● snprintf()

● vprintf()

● syslog()

● ......

Besides executing malicious code, a format string vulnerability can also be used to read data out of the vulnerable program, such as passwords and other sensitive information. Below we analyze some C code to help you understand and digest this.

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    int x, y, z;

    x = 10;
    y = 20;
    z = y - x;
    printf("the result is: %d", z); /* %d in a constant format string, so this code is secure */
    return 0;
}

 

#include <stdio.h>
#include <string.h>

void parser(char *string)
{
    char buff[256];

    memset(buff, 0, sizeof(buff));
    strncpy(buff, string, sizeof(buff) - 1);
    printf(buff); /* here is the format string vulnerability: user data is used as the format */
}

int main(int argc, char *argv[])
{
    /* the body of main() is cut off in the source; the minimal call that
       passes the first command-line argument to parser() is supplied here */
    if (argc > 1)
        parser(argv[1]);
    return 0;
}
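The following is an added example, not code from the original article or from its author. It puts the two ideas above side by side: a small audit helper that counts the conversion specifiers in an untrusted string (and separately the %n directives, the only ones that write to memory, as described in the paragraph on %x and %n), and a hardened version of parser() in which the user data reaches the formatting function only as an argument to a constant "%s" format. The sample input string is constructed for the example; the function names count_format_directives and safe_parser are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Returns the number of conversion specifiers in s; a literal "%%" is not
 * counted. If n_writes is non-NULL it receives the number of %n directives,
 * including positional forms such as "%5$n". Intended as an audit helper for
 * strings about to be used as a format (constructed example, not the article's code). */
int count_format_directives(const char *s, int *n_writes)
{
    int directives = 0, writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {              /* "%%" prints a literal percent sign */
            p++;
            continue;
        }
        p++;                            /* skip flags, width, precision, position, length */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;                      /* dangling '%' at end of string */
        directives++;
        if (*p == 'n')
            writes++;
    }
    if (n_writes)
        *n_writes = writes;
    return directives;
}

/* Hardened counterpart of parser(): same 256-byte buffer, but the data is an
 * argument to a fixed "%s" format, so "%x" or "%n" inside it is printed
 * literally instead of being interpreted. Output goes to out so the result can
 * be inspected; returns snprintf()'s count of characters that would be written. */
int safe_parser(const char *string, char *out, size_t outlen)
{
    char buff[256];

    memset(buff, 0, sizeof(buff));
    strncpy(buff, string, sizeof(buff) - 1);
    return snprintf(out, outlen, "%s", buff);   /* constant format, data as argument */
}

int main(int argc, char *argv[])
{
    /* Constructed sample of the shape described above: several %x to walk the
     * stack followed by one %n. Passed to printf(buff) it would be interpreted;
     * here it is only counted and then printed verbatim. */
    const char *sample = argc > 1 ? argv[1] : "%x%x%x%x%n";
    char out[300];
    int writes = 0;
    int total = count_format_directives(sample, &writes);

    printf("directives=%d, %%n writes=%d\n", total, writes);
    safe_parser(sample, out, sizeof(out));
    printf("hardened output: %s\n", out);
    return 0;
}
```

Two practical checks complement the helper. GCC and Clang flag a call such as printf(buff) at compile time when built with -Wformat -Wformat-security, which catches this pattern without any runtime scanning. On Windows the Microsoft CRT disables %n by default and only honours it after _set_printf_count_output() has been called, which removes the write primitive but still leaves %s and %x reads and crashes possible, so the constant-format fix is still required.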
