Tuesday, 12 December 2017

Reading Sensitive Information from Memory by exploiting Format String Vulnerability

Today I was trying to have some fun with Format String Vulnerability

As defined by OWASP

"The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system."

So this code below is an example of how we can read a memory content by just using a format to display string.

As i was using 32 bit system the expected data was there is little endian format.

Here is the output from the code. So are you able to spot the secret code ?

If not then let me help you..

0x417c5230 0x43424241 0x444443

As i said its stored in Little Endian Format, the code is layout in memory in this HEX format

0x417c5230   - 41 - A
0x43424241   - 43424241 - CBBA
0x444443       - 444443     - DDC

Now the question is why there is a bit missing ? Well I think maybe its because of the String is terminated with a null character, and hence its not there.

So now what ? That was just a hardcoded string. Nothing so serious about it. So to make it serious we need to control the format string.

So here is the modified code that allows users to enter a string.

So when we will run the code we will enter this as the input

Output




So we achieve success again by exploiting the bug using the user input:)
0x41754230 0x43424241 0x444443