Format String Vulnerability Ubuntu Lab Report - KSU
Format String Vulnerability Lab

Task 1: The Vulnerable Program

I launch two VMs: one is SEEDUBUNTU and the other is SEEDUBUNTU CLONE. After I run "sudo ./server" on the server side and "nc -u 10.0.2.7 9090" on the client side, I can type messages on the client side and the server program prints the same content that I typed.

Figure 1-1

Task 2: Understanding the Layout of the Stack

As shown in fig 2-3, I first type "aaaaaaa..%x...%x" to observe the output of this format string. I find that 6161616161... appears on the server side, and that the output includes numbers like 3 and 10 and addresses like 80....., b7... and bf...... Because the address of msg begins with bf, I guess that the address I am looking for begins with bf..., so I construct format strings to test the bf.... addresses. After many tests, I get the output shown in fig 2-2, meaning that bffff0e0 is the buffer address, but there are two occurrences of bffff0e0. The first one is followed by 3, while the second one is followed by 80..., which looks like an address, so I think the second one is msg. The address of msg is 0xbffff0a0, so the return address of myprintf() is 0xbffff09c. There are 8 %.x between the format string and msg, so the address of the format string is 0xbffff0a0 - 32 = 0xbffff080, and the address of buf is 0xbffff0e0. The distance between ➊ and ➌ is 96.

Figure 2-1
Figure 2-2
Figure 2-3

Task 3: Crash the Program

I type some %s on the client side, as shown in fig 3-1, and then the server crashes, as shown in fig 3-2.

Figure 3-1
Figure 3-2

Task 4.a: Stack Data

The figures below are the same as the figures used in Task 2, so I use 24 %x to get the first four bytes of my input.

Figure 4-1

Task 4.b: Heap Data

I first build the format string shown in fig 4-4: I put the address of secret on the stack and then use the valist to reach the address of secret, and then I use %s to print the content. So, as shown in fig 4-3, I get the content of secret: "A secret message".
Figure 4-3
Figure 4-4

Task 5.a: Change the value to a different value

As shown in fig 5-2, I build the format string including the address of target, and then the value of target is changed, as shown in fig 5-1.

Figure 5-1
Figure 5-2

Task 5.b: Change the value to 0x500

After calculating, I build the format string shown in fig 5-4, and then the value of target is changed to 0x00000500.

Figure 5-3
Figure 5-4

Task 5.c: Change the value to 0xFF990000

I divided 0xff990000 into two parts: one part for 0xff99 and another part for 0x0000. So I calculate the remaining %.Zx with z=65222, and then I use %hn to modify the memory at the address, so that at 0x0904a042 the value is 0xff99. After that, I use %.65637x to get zero because of overflow. So, as shown in fig 5-5, the target changes to 0xff990000.

Figure 5-5
Figure 5-6

Task 6: Inject Malicious Code into the Server Program

As shown in fig 6-3, I first make sure the address is right, so I use input_target, which aims at modifying target to be the address of the malicious code (I set 0xbffff1c0 as the address of the malicious code). Then I use the format string shown in fig 6-3 to launch my attack; I divide the address of the malicious code into two parts to write into the return address of myprintf(). After that, I check whether myfile exists. It is clear that myfile has been deleted because of my attack, as shown in fig 6-2.

The reason I use \x90: using NOPs adds entry points to my injected code so that I can use an address that is not exact. The NOP instruction does not do anything meaningful other than advancing the instruction pointer, so as long as I can jump to one of the NOP instructions, I eventually reach the malicious code.

Figure 6-1
Figure 6-2
Figure 6-3
Figure 6-4: the location where the malicious code is stored (malicious code, NOP NOP ..NOP, 0xBFFFF1C0)

Task 7: Getting a Reverse Shell

I modified the format string from Task 6, as shown in fig 7-2; the IP address of the client, 10.0.2.8, is included in the format string.
Then I launch the TCP server on the client and launch the attack against the server. The attack result is shown in fig 7-2, which shows that I get the reverse shell.

Figure 7-1
Figure 7-2

Task 8: Fixing the Problem

The warning aims at telling people that when using printf, the format string should be a string literal and not a variable. In the server.c code, printf(msg); causes the vulnerability in this program, so I modified the code to printf("%s", msg);. As shown in fig 8-1, it is clear that there is no gcc compiler warning. I launch the attack as in Task 7; as shown in fig 7-2, I do not get the reverse shell, so my attack fails.

Figure 8-1
Figure 7-2
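Added example, not part of this report or of the SEED lab's server.c: the hardened echo from Task 8 next to a checker that counts how many conversion directives a message would trigger if it were ever used as the format string, counting the %n-family (the directives that write memory, as used in Tasks 5 and 6) separately so a server log monitor can alert on them. The function names and the sample messages are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened echo from Task 8: the message is an argument, never the format
   string, so %x, %s or %n inside it are printed literally, not interpreted. */
void safe_echo(const char *msg) {
    printf("%s", msg);
}

/* Count the conversion directives msg would trigger if passed as printf(msg).
   "%%" is a literal percent and is not counted. *writes receives the number of
   %n-family directives (n, hn, hhn), the ones that write memory; a non-zero
   count is what a log monitor should alert on, ordinary text never has them. */
int count_format_directives(const char *msg, int *writes) {
    int total = 0, w = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }     /* escaped percent, harmless */
        total++;
        const char *q = p + 1;                  /* skip flags/width/precision/length */
        while (*q && strchr("-+ #0123456789.hlLqjzt", *q)) q++;
        if (*q == 'n') w++;
        if (*q == '\0') break;                  /* directive cut off at end of string */
        p = q;                                  /* resume after the conversion char */
    }
    *writes = w;
    return total;
}

/* Convenience wrapper: only the memory-writing directives. */
int count_memory_writes(const char *msg) {
    int w;
    count_format_directives(msg, &w);
    return w;
}

int main(void) {
    /* constructed samples modelled on the inputs used in Tasks 2, 3 and 5 */
    const char *samples[] = { "hello 100%% done", "aaaaaaaa%x%x%x%x",
                              "%s%s%s%s", "%.65222x%hn%.65637x%hn" };
    for (int i = 0; i < 4; i++) {
        int w, n = count_format_directives(samples[i], &w);
        printf("directives=%d writes=%d  ", n, w);
        safe_echo(samples[i]);              /* echoed literally, never interpreted */
        putchar('\n');
    }
    return 0;
}
```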