Format String Exploits


CSE 494 - Spring 2023

Exploiting format string vulnerabilities is like a locksmith using a special set of tools to subtly manipulate the inner workings of a lock. It involves delicately inserting custom-crafted sequences into a program's output functions, much like a skilled safecracker tuning into the faint clicks of a safe's mechanism. Each carefully chosen character or specifier in the format string acts like a precise tweak to the internal gears, potentially revealing hidden information or granting control over the system's memory. This technique is a blend of art and science, requiring a deep understanding of the software's architecture and a creative approach to bending its functionalities beyond their intended limits. It's a thrilling intellectual puzzle, unlocking the secrets of a program from the inside out.


Lectures and Reading

This material was generated by ChatGPT-4 from a transcript of the Discord help channel for this module.

  • When dealing with format string challenges, it's important to understand the difference between %n, %hn, and %hhn. Each one has its purpose, and depending on the size of the data you want to write, one might be more suitable than the others.
  • In some cases, you might need to overwrite only a single byte of a return address to achieve the desired result. Be creative and look for opportunities to use this technique.
  • Consider using the $ specifier to write to pointers on the stack if the challenge allows it. This can be helpful for modifying the return address in some situations.
  • Pwntools is a powerful library for dealing with format strings, but it might not always work perfectly for every scenario. If you encounter issues with it, consider simplifying your approach and building up the solution manually. Pwntools has useful functions like fmtstr_payload() and leak_stack(), which can be helpful in building your payload.
  • When attempting to solve more difficult format string challenges, it's crucial to understand how stack addresses work and how they can change during runtime. In some cases, overwriting a whole address might not be an option due to a lack of leaks.
  • For some challenges, the intended solution might involve using tricks or techniques that are not strictly related to format string payloads. Be open to exploring new ideas and approaches to find the solution.
  • It's possible that there are multiple ways to solve a challenge, especially when it comes to ROP (Return-Oriented Programming). Don't be afraid to discuss and compare solutions with others to learn new techniques.
  • When dealing with more complex challenges, remember that theory and practice might differ. Keep testing and refining your ideas until you find a working solution.
  • Finally, don't hesitate to ask for help and collaborate with others. Sharing knowledge and discussing solutions can lead to a deeper understanding of the subject and help you become more proficient in solving cybersecurity challenges.

Challenges

Use a format string exploit to reveal a string stored on the stack

Use a formatstring exploit to reveal a string stored on the stack

Use a format string exploit to reveal a string stored on the stack

Use a format string exploit to reveal a string stored on the stack

Use a format string exploit to read the flag directly from the .bss section

Use a format string exploit to read the flag directly from the .bss section

Use a format string exploit to set a global variable

Use a format string exploit to set a global variable

Use a format string exploit to set a larger global variable

Use a format string exploit to set a larger global variable

Use a format string exploit to copy a value and overwrite a global variable

Use a format string exploit to copy a value and overwrite a global variable

Use a format string exploit to overwrite a got entry

Use a format string exploit to overwrite a got entry

Use a format string exploit to call win

Use a format string exploit to call win

Use a format string exploit to call win. this time, with no loop.

Use a format string exploit to call win. this time, with no loop.

Chain a format string exploit into rop

Chain a format string exploit into rop

Chain a format string exploit into rop, now with pie!

Chain a format string exploit into rop, now with pie!

Chain a format string exploit into ROP, now with pie and input filtering!

Chain a format string exploit into ROP, now with pie and input filtering!


Ranking

This scoreboard reflects solves for challenges in this module after the module launched in this dojo.

Rank Hacker Badges Score