Format String Attack


Problem description

I have a small C program to be exploited. And I also understood the logic behind the attack to be performed. However, as much as I try, it is just not working for me.

#include <stdio.h>
#include <stdlib.h>

#define SECRET1 0x44
#define SECRET2 0x55

int main(int argc, char *argv[]) {
  char user_input[100];
  int *secret;
  int int_input;
  int a, b, c, d; /* other variables, not used here.*/

  /* The secret value is stored on the heap */
  secret = (int *) malloc(2*sizeof(int));

  /* getting the secret */
  secret[0] = SECRET1; secret[1] = SECRET2;

  printf("Please enter a decimal integer\n");
  scanf("%d", &int_input);  /* getting an input from user */
  printf("Please enter a string\n");
  scanf("%s", user_input); /* getting a string from user */

  printf(user_input);
  printf("\n");

  /* Verify whether your attack is successful */
  printf("The original secrets: 0x%x -- 0x%x\n", SECRET1, SECRET2);
  printf("The new secrets:      0x%x -- 0x%x\n", secret[0], secret[1]);
  return 0;
}

I just need to print the address and value of secret[0] using the format string "printf(user_input);"

I have tried giving something like "\x6e\xaf\xff\xff%x%x%x%x%s". but it is not working. Any suggestions will be appreciated. Thanks a lot.

Recommended answer

This looks like an exercise for a class, so I'll provide some pointers, but not the actual solution.

You are attempting to exploit this program, by providing untrusted input. There are two fairly obvious bugs here; one is the scanf() using %s, as you can overflow the buffer and overwrite the stack. The other is a format-string vulnerability. Overwriting the stack probably wouldn't let you do anything interesting until the function returned. Based on the "verify whether your attack is successful" section, you probably want to exploit the vulnerability before then, so I'm guessing it's supposed to be a format string vulnerability.

Based on the verification section, you are expected to overwrite the memory pointed to by secret. The only way of causing printf to write to a controlled location in memory is to use the %n format specifier, which writes to the given pointer.

Now the trick is to figure out how to walk up the stack until we find the appropriate pointer. Conveniently, there's a user-controlled integer right before the pointer on the stack. So, we enter a number with an easy to spot pattern (maybe 65535, which is ffff in hex), and use a format string with a lot of %xs to see what's on the stack. Once we find that, the next thing on the stack should be the pointer.

Hmm. I just tried this, and it turns out that it's not quite so simple. The exact layout of the stack frame isn't actually related to the order of declarations; and it differs between different systems for me. Instead, I had to use a lot of %lxs, along with a well-known string at the beginning, and add a line to print out the actual pointer, so I would know when I found it. Then replace the corresponding %lx with the %n to write through that pointer. It may be easiest to just try 20 or so %lxs, and substitute each one by one with %n, until you have managed to overwrite that pointer.

Anyhow, hope that's enough to get you started. Let me know if you have any questions.
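As an added example (not code from the question or the answer above), the C below shows the two fixes for the program in the question: the user string is passed as an argument to a literal "%s" format instead of being used as the format, and it is read with a bounded fgets instead of an unbounded scanf("%s"). It also includes a small checker that counts printf directives and flags %n in an untrusted string, the kind of check an input-validation or log-review layer would apply. The function names are my own and every input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of the original question or answer.
 * Inputs below are constructed to resemble the probe strings discussed. */

/* Count printf conversion directives in s. "%%" is a literal percent sign,
 * not a directive. Any count > 0 in a string that is about to be used as a
 * format means printf would read (and with %n, write) memory it should not. */
int count_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* escaped percent */
        n++;
    }
    return n;
}

/* Return 1 if s contains a %n directive, the only conversion that writes to
 * memory. Flags, width, precision, positional ($) and length modifiers
 * between '%' and the conversion character are skipped. */
int has_write_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.$hlLqjzt", *q)) q++;
        if (*q == 'n') return 1;
        p = q - 1;  /* loop's p++ lands on the conversion character (or NUL) */
    }
    return 0;
}

/* Hardened echo: the user string is an argument, never the format, so every
 * '%' in it is printed literally. Returns what snprintf returns. */
int safe_echo(const char *user_input, char *out, size_t outsz) {
    return snprintf(out, outsz, "%s", user_input);
}

/* Hardened read: fgets bounds the read to the buffer, replacing the
 * unbounded scanf("%s"). Strips the trailing newline; returns 0 on EOF. */
int read_line(char *buf, size_t bufsz, FILE *in) {
    if (!fgets(buf, bufsz, in)) return 0;
    buf[strcspn(buf, "\n")] = '\0';
    return 1;
}

int main(void) {
    /* constructed input of the shape the question experiments with */
    const char *probe = "AAAA%x%x%x%x%n";
    char out[128];
    printf("directives=%d has_%%n=%d\n",
           count_directives(probe), has_write_directive(probe));
    safe_echo(probe, out, sizeof out);
    printf("safe echo: %s\n", out);  /* the probe is printed literally */
    return 0;
}
```

Compiling the original program with gcc -Wformat -Wformat-security also reports the non-literal format in printf(user_input), which is the cheapest way to catch this bug class before it ships; the checker above is for the case where untrusted strings are inspected at runtime or in logs rather than in source.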

