format string exploits

Alright, if the first class of exploits we learned were about smashing, this one is about surgery.

Works like this:

When an innocent dev makes the mistake of putting your argument as the format string and not as an argument (e.g. printf("%s", yourstr)) then nonsense ensues.

I'm going to show this more through live demos but here is the damage:

You can leak a TON of addresses including the stack canary.
You can surgically write 1,2,4, or 8 bytes to any address you want... even multiple times in a row.

That first capability alone allows you to conquer PIE, ASLR, and Stack Protection.

The second one, well that is a whole new world that we will appreciate the rest of the course.

Write-What-Where

As we get to the cutting edge exploits we will do versions of this that aren't compiler protected or even warned.

Surgical payloads will be our primary way of exploiting binaries from now on.

It's a new way of thinking, if you could write a small payload that goes anywhere you want, what could allow you to take over?

The Mechanics

Part 1: reading from the stack (and first 6 registers)

OK send %p now send %6$p now send %55$p.

Imagine a healthy printf, it would go like this: printf("1: %p 2: %p 3: %p", arg1, arg2, arg3)

From printf's world the first argument is arg1, but we know that in x86 arg1 is officially the 2nd argument to the printf call, so it lives in rsi

Now printf let's us jump to the 6th (7th in x86) argument with %6$p which is no longer in a register but on the stack (it is the 7th argument to the function call by calling convention which has exhausted the 6 register slots).

Alright so that means we can read the 6 argument registers and then read everything on the stack that we want.

OK take the demo problem and identify the stack canary and read that!

Part 2: writing to an arbitrary location

Alright normally I would give you the mechanics of WHY this works but at the moment I'm just going to give you the quick and dirty reference for HOW to do it:

I want to add some practical tips:

There are two types of "payloads" here, the text you give to the fgets and the value you want to write to your target location
Find the stack offset (which argument is your input text). Trial and error is OK. Math is better (calculate distance, divide by 8, +/- 1).
If your payload is large you can't do it all at once (because you would need to print billions of spaces).
If you have to break up your target payload into many pieces your text input will get longer and longer, sometimes you only have so much room.
You can choose between writing 1 byte, 2 bytes, and 4 bytes with the write_size='byte' parameter.
The more you write at once the less stable, the less you write at once the longer the text payload.

Part 3: Understanding, in case you need it

The three versions of writing are %n, %hn, %hhn for 4, 2, 1 bytes respectively.

Addresses often have null bytes at the end, null bytes will ALWAYS stop a printf. So the idea is we will be putting addresses on the stack which we can write too and then filling the stack with buffers of spaces and occassionally targeting one of our provided addresses.

Thus we want to carefully put the addresses into places where we can predict the argument numbers which must be multiples of 8 bytes away.

In order to do that we can add dumb characters like as.