format string exploit

thorsten fly_b747 at gmx.de
Tue Aug 8 10:27:03 PDT 2006


thorsten wrote:
>> Do any of you have gcc3 ssp to confirm this code is aborted
>> with -fstack-protector-all, and drops to shell with
>> -fno-stack-protector-all?
>> This code has assembly, you need to pass -no-pie too. I clearly remember
>> stopping using libsafe because ssp aborted all the same exploits libsafe
>> would and more.
>>
>> robert
> 
> I have gcc-3.4.5 ssp, tried the exploit. The first tries have been
> bailed out by my grsec kernel (which in general is a good thing but this
> time was not intended  ;-)  ).
> My second tries with a regular kernel just gave a segmentation fault, no
> shell regardless of -fno-stack-protector or not. I will have a closer
> look within the next one or two days, keep you updated.
> 
> thorsten
> 

Ok, I forgot -no-pie, which prevented the shell from being launched. SSP does
NOT prevent the format string exploit!
See attached files; output as follows (exploit.c is a simple buffer
overflow to show the difference from canary-exploit):

root at linux:~/exp#
root at linux:~/exp# make
gcc -no-pie -ggdb -fstack-protector-all -o canary-exploit canary-exploit.c
gcc -no-pie -ggdb -fno-stack-protector-all -o canary-exploit-no-ssp canary-exploit.c
gcc -no-pie -ggdb -fstack-protector-all -o exploit exploit.c
gcc -no-pie -ggdb -fno-stack-protector-all -o exploit-no-ssp exploit.c
root at linux:~/exp#


root at linux:~/exp# ./exploit 111111111111111111111111111111111111111
argv: 111111111111111111111111111111111111111
exploit: stack smashing attack in function overflow()
Aborted
root at linux:~/exp#
root at linux:~/exp#


root at linux:~/exp# ./exploit-no-ssp 111111111111111111111111111111111111111
argv: 111111111111111111111111111111111111111
Segmentation fault
root at linux:~/exp#
root at linux:~/exp#


root at linux:~/exp# ./canary-exploit
This program tries to use printf("%n") to overwrite the
return address on the stack.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-3.1# exit
exit

root at linux:~/exp# ./canary-exploit-no-ssp
This program tries to use printf("%n") to overwrite the
return address on the stack.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-3.1# exit
exit
root at linux:~/exp#


thorsten
Attachments:
Makefile: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20060808/64d9c6b1/attachment.ksh>
canary-exploit.c: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20060808/64d9c6b1/attachment.c>
exploit.c: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20060808/64d9c6b1/attachment-0001.c>
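Added illustration (my own code, not the attached canary-exploit.c or exploit.c) of why the two runs above differ: in a constructed model of an SSP frame, a linear overflow must run through the canary to reach the return address, while a %n-style write lands on the return address alone, so the canary check has nothing to notice. The canary and address values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an SSP-protected frame: the canary sits between the
 * local buffer and the saved return address, so a linear overflow has to
 * run through the canary before it can reach the return address. */
union frame {
    struct {
        char     buf[16];
        uint64_t canary;
        uint64_t ret;
    } f;
    unsigned char raw[32];              /* the same 32 bytes as flat memory */
};

#define CANARY 0x0a0d00ff52a3e7c1ULL    /* constructed canary value */
#define RET_OK 0x401000ULL              /* constructed legitimate return address */

/* The exploit.c case: input spills linearly upward from buf. Returns 1 when
 * the canary changed, which is exactly what the SSP epilogue checks for. */
int linear_overflow_tripped_canary(const char *input) {
    union frame fr = { .f = { {0}, CANARY, RET_OK } };
    size_t n = strlen(input);
    if (n > sizeof fr.raw) n = sizeof fr.raw;   /* keep the model in bounds */
    memcpy(fr.raw, input, n);                   /* strcpy-style unbounded copy */
    return fr.f.canary != CANARY;
}

/* The canary-exploit.c case: a %n directive writes to one chosen address, so
 * only the return address changes. Returns 1 if SSP would notice (it will
 * not); *ret_out receives the address the function would return through. */
int targeted_write_tripped_canary(uint64_t new_ret, uint64_t *ret_out) {
    union frame fr = { .f = { {0}, CANARY, RET_OK } };
    fr.f.ret = new_ret;                         /* effect of a write-what-where */
    if (ret_out) *ret_out = fr.f.ret;
    return fr.f.canary != CANARY;
}

int main(void) {
    uint64_t ret;
    printf("linear overflow caught by canary: %d\n",
           linear_overflow_tripped_canary("AAAAAAAAAAAAAAAAAAAAAAAA"));
    printf("%%n-style write caught by canary: %d\n",
           targeted_write_tripped_canary(0x4141414141414141ULL, &ret));
    return 0;
}
```

The fix for the underlying bug is to never let user data be the format itself (printf("%s", s), not printf(s)); gcc's -Wformat-security flags the latter at compile time, which is the check SSP cannot provide at run time.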