Format String Attacks (Reposted from my 1st year blog)

Final Post

April 9th, 2010

My white paper was finished last week, and this is just a final conclusion to my project. Currently i am trying to further knowledge of format strings, and working on ways of manipulating format strings. I was looking at a way to work out an address of shellcode and realised that it would be easier if it was always at the same location. In this respect i am working on writing shellcode to an environment variable, and the plan is to overwrite a destructor and point it to the environment variable when the shellcode is located; so far i have managed to write 2 bytes of shellcode. The procedure is complicated, though im gonna stick with it because im determined to make it work.


March 18th, 2010

just a note to say that im roughly about 80% of my way through the white paper. Ive done all the major things and now im onto talking about what can be done with format strings. Thats about it realli

White Paper

March 11th, 2010

This comment is not so much more than a note to say im on to my white paper. Though there is plenty more to blog about i kinda feel that my time would be better spent writing up the paper. After where i left off last time i moved into multple writing a value into a variable. The variable being i, which is a enviroment variable. thats all im gonna put down for this post.

Perl and Shellcode; my favorite flavour!

February 25th, 2010

As ive meantioned before the white paper will be 10 times for specific on everything ive done and learned.

So we are at the point of overwritting i, so we do some stack exploration

Remember me meantioning AAAA , %x and %s before? lol


this prints out some like AAAA [random crap with each % being a byte] 41414141 [more random crap]

obiously is not quite like this, this is for simplicity. so now we know how many bytes into stack we are (cant remember if i meantioned but when printf gets more arguments than it should it starts printing bits of the stack which is what we are seeing.) and we can now limit our %x’s string to the ammount we require and change our last %x into %s so that we can see what its pointing at, i.e. (character string pointed to by the argument.) but that dosent realli do much 2bh (unless u find a program which dosen clear a variable that contains say, a password? :P )  what is much more useful to us is %n. i meantioned it before, and it allows us to write directly to stack addresses. so, we have the address of i, for me it was “\x2c\xa0\x04\x08″ are we replace AAAA (a byte) with our shellcode address (also a byte).

it would look like this (using Perl to generate it):

`perl -e print’ “\x2c\xa0\x04\x08_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%n”‘`

printf() has printed 67, and as a result our variable is now 67 :-)

so thats the basics down, we know on a basic level how to exploit using format strings, gets better than this though ;P


i found i 🙂

February 25th, 2010

Ok so i got i, and that rocked. i think the original value of i was 42 (meaning of life lol). but what if we dont want the value to be 42 ;P. well we can use Perl along with… infact i cant even remember if ive posted the information needed for this part… ok first of all quick recap.

printf(char*, …);    –    standard fromat for printf, each variable has a corresponding token to indicate how many variables are being passed and there formats. exploitation works around several factors, first human error, printf(variable) and printf( token, variable) are different, with the second being the correct and safe way of calling printf(). Second is misuse of the tokens. the ones ive been using for explotation are %x; just for printing the stack in hex (means i can locate my four A’s, ill explain this beter in the white paper, which in hex is 41414141 in hex. if u used AAAB instead it would be printed 42414141 because its the stack and prints backwards), %s  prints the string that your address is pointing to. and the most dangerous %n which is designed to print out the number of bytes that printf()    (along with other functions i assume) has output to the argument you are on in the stack which is considered to be a pointer to an integer and in retrospect means that we can write to the stack.

right think im just bout back on track…

so Perl is a tet editing program, it incorporates some of the most popular functions of other languages, including printf() from the C/C++ library. Bet this is sounding ominous lol…


Havent blogged in a bit

February 25th, 2010

Since this is madatory i guess i should yapper on a little more :-) . well ive been dead busy recently, and ive been taking screenshots and stuff for the whitepaper, though a whitepaper kinda implys no pictures… i have no idea lol. Anyways… long story short had some good breakthroughs where i was kinda stuck, first one is i figured out where i get shellcode from. basically u take your assembly programs and through it into gdb and debug it, it gives u hex command which are the equivalent of your assembly, and u add, say in th case of…





it becomes /xc8/x4b/x7a/x0d

so that was pretti handy :-)

on the note of the shellcode i managed to find the address of that variable i want to changed and print its address on the stack. i cant remember the exact address but it gave me a 7 hex digit address (building up to a interesting point here lol)

say for example in gdb i type “print &i” this would print the location of i


c7d83s9  –  keeping in mind that the stack is in reverse i thought i would go to /xc7/xd8/x3s/x90

/x90 however is wrong, and should be x09 as the extra 0 bit is added to the left has side of the 7 bit number.                       more comming but this blog is getting messy lol


Where to start

February 13th, 2010

Well from what i can gather formt string attacks are somewhat obsolete nowaday, however i like that they demonstrate how bad programming can be exploited. So ive started to learn C++ as what ive been reading all refer’s to C and C++, suggesting the C# cant be exploited in this way. Ether way C# and C++ syntax arent very different so using the programming notes from one of the CGAD modules ive went and learned everthing they have done in the first simester in one night (go caffine lol.) I now have the ability to move forward with my project, and have a couple of handy books to help me out. Buffer overflow attacks seems like its going to be the most useful lol


First Comments

February 13th, 2010

OK, well first of all if anyone reading this dosent know, a format string attack is a type of buffer overflow attack. Admittedly its a variation i have only just discovered, and did so while reading a book called hacking exposed, where there was a very small section on it. i researched it a little bit, and it appears that the exploit is little know about in comparison to its cousins suck as the stack overflow or heap corruption exploits. It was discovered in the year 2000 by a University (if i remember right it was Washington Uni,) and overnight its discovery rendered thousands of systems on the internet vulnerable. It basicalli exploits bad programming and the fact that in C and C++ you can pass in a variable ammount of arguments into a printf function, but the string never checks how many arguments it is meant to be receiving.

So thats the basic background, onto the work…



About 1337hound

2nd Year Ethical Hacker at the University Of Abertay Dundee. President of Abertay's Ethical Hacking Society. Members of Abertay's Open Society. Member of TAYLUG. View all posts by 1337hound

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: