I am attempting to overwrite a variable in a C program using a format string attack. This IS a homework assignment for a security class, and I am not asking for you to do my homework for me. However, I am struggling to get this to work and I can't understand why. Also, I understand that there have been other questions asked on this topic, but none of those posts were able to help me.

I am working on a VM that my professor has set up for me. The vulnerable code was built by him so I'm not sure how he did it, the OS is Linux 3.13.0-65-generic i686, and ASLR is supposed to have been disabled by the professor. We did not receive any instructions about setting up an environment to allow this attack to succeed because the environment was completely set up by the professor. Also I don't have sudo permissions on the VM to do those things myself.

This is the code of the vulnerable application that my attacks target:

#include <stdio.h>
#include <stdlib.h>   /* for system() */

#ifndef MAGICNUM
#define MAGICNUM 0x41424344
#endif

int x = 0;            /* global: lives in .data, not on the stack */

void vuln() {
  int y = 1;
  char buf[128];

  printf("This is vuln() \tx = %08x \ty = %08x\n", x, y);
  printf("Enter your input: ");
  scanf("%127s", buf);        /* bounded read: at most 127 chars, no overflow */
  printf("You entered: ");
  printf(buf);                /* user input used as the format string */
  printf("\n\n");
  printf("Now x = %08x and y = %08x\n", x, y);

  if(x==MAGICNUM) {
    printf("Success!\n");
    system("/bin/sh");
  }
  else {
    puts("Sorry, try again.");
  }

  return;
}

int main(int argc, char* argv[])
{
  vuln();
  return 0;
}

Once again my goal is to overwrite the variable x using a format string attack. The homework assignment wants me to overwrite it with MAGICNUM but for now I am simply trying to assign any arbitrary value to x.

Using GDB I was able to find that the address of x is 0x0804a030.

I know that I need to use the %n format specifier and these are some examples of input strings I have tried so far:

"\x30\xa0\x04\x08%08x.%08x.%08x.%08x%n"
"\x30\xa0\x04\x08%8s%n"
"\x30\xa0\x04\x08%.8%n"

All of those input strings trigger a segmentation fault and I can't figure out why they aren't working.

Any insight on what I can do to successfully overwrite x would be great.

moooeeeep
tjensen
  • perhaps you can find the vuln by asking your compiler for assembler output. – Jasen Nov 15 '15 at 10:12
  • is the code a constraint, I mean, can you change it for the exercise? BTW, not sure the %n is the best way to do it, generally speaking buffer overflows do the trick very well, for example in your code, if you enter a very long string in buf (bigger than 128) (when value is asked), you'll figure out that y is modified. – OznOg Nov 15 '15 at 10:21
  • @OznOg I don't have write permissions to the code. But I have copied it to a new file where I can make changes for testing. I agree with you about buffer overflows being better, but I am supposed to be able to do it with %n – tjensen Nov 15 '15 at 10:25
  • @tjensen is the code you gave the original one? if not, could we see the original code (maybe you introduced modifications that fool us)? – OznOg Nov 15 '15 at 10:29
  • @OznOg Yes this is the original code. Sorry I wasn't clear about that. – tjensen Nov 15 '15 at 10:31
  • Possible duplicate of [How to use Format String Attack](http://stackoverflow.com/questions/27018864/how-to-use-format-string-attack) – moooeeeep Nov 15 '15 at 18:40
  • The segfault is probably produced by some stack protection mechanism. How do you build your code? What is your OS? Did you take care of ASLR, SSP and such? Did you receive instructions about how to set up a testing environment that allows an attack like this to succeed? (which?) – moooeeeep Nov 15 '15 at 20:55
  • @moooeeeep I am working on a VM that my professor has set up for me. The vulnerable code was built by him so I'm not sure how he did it, the OS is Linux 3.13.0-65-generic i686, and ASLR is supposed to have been disabled by the professor. We did not receive any instructions about setting up an environment to allow this attack to succeed because the environment was completely set up by the professor. Also I don't have sudo permissions on the VM to do those things myself. – tjensen Nov 15 '15 at 21:10
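For readers who land here from the defensive side, the following is an added example; it is not part of the original question, the professor's program, or any answer, and it assumes nothing about the asker's VM (compiler flags, addresses and glibc version are unknown). It shows the echo step from vuln() written with a constant format string, so that conversion specifiers in the input are printed literally, plus a small scanner a defender can run over captured input to flag format-string injection attempts before they reach printf. The struct and function names (fmt_scan, scan_format_input, looks_like_format_attack) and the sample inputs are constructed for this example:

```c
/* Added example: safe echo of untrusted input plus a detector for
 * format-string injection attempts.  Not the original assignment code. */
#include <stdio.h>
#include <string.h>

/* Hardened form of the echo in vuln(): the format string is a literal and
 * the user data travels as an argument.  The original did printf(buf),
 * which lets "%n", "%s", "%x" in buf drive printf. */
static void echo_safe(const char *buf) {
    printf("%s", buf);      /* or: fputs(buf, stdout); */
}

/* Summary of one scan over an input string. */
struct fmt_scan {
    int conversions;   /* '%' sequences that are not the escaped "%%" */
    int writes;        /* how many of those are %n, the only conversion that stores */
};

/* Count conversion specifiers in untrusted input.  Any non-zero count in a
 * field that should be plain text (a name, a filename) is suspicious; a
 * non-zero 'writes' count is a direct attempt to make printf write memory. */
static struct fmt_scan scan_format_input(const char *s) {
    struct fmt_scan r = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" prints a literal percent sign */
            p++;
            continue;
        }
        r.conversions++;
        /* Skip flags, width, precision and length modifiers to reach the
         * conversion character itself. */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q == 'n')
            r.writes++;
    }
    return r;
}

/* 1 if the input should be rejected or logged, 0 if it is plain text. */
static int looks_like_format_attack(const char *s) {
    return scan_format_input(s).conversions > 0;
}

int main(void) {
    /* Constructed sample inputs, modelled on the shapes seen in the question
     * plus one benign string with an escaped percent sign. */
    const char *inputs[] = {
        "\x30\xa0\x04\x08%08x.%08x.%08x.%08x%n",
        "\x30\xa0\x04\x08%8s%n",
        "hello 100%% safe",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct fmt_scan r = scan_format_input(inputs[i]);
        printf("input %zu: %d conversions, %d %%n writes -> %s\n",
               i, r.conversions, r.writes,
               looks_like_format_attack(inputs[i]) ? "REJECT" : "ok");
        echo_safe(inputs[i]);   /* prints the specifiers as text, nothing more */
        putchar('\n');
    }
    return 0;
}
```

Two compile-time and run-time checks go with this: gcc and clang report `printf(buf)` under `-Wformat -Wformat-security` ("format not a string literal and no format arguments"), so `-Werror=format-security` turns the bug into a build failure; and glibc built with `_FORTIFY_SOURCE=2` aborts a program whose format string contains `%n` while living in writable memory ("*** %n in writable segment detected ***"), which is one mitigation a hardened environment may have in place regardless of ASLR.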

2 Answers

I think you need to overflow the buffer size he assigned. Look at the variable buf[128]. Google about stack buffer overflow and try to identify what happens if you pass a parameter longer than 127 characters to the program.

K.Dᴀᴠɪs
Alejandro

In my humble opinion, I think this is not possible.

x is in global address space (.data) and all other variables are in stack space. In a buffer overrun attack, you manage to overwrite the memory in the neighbourhood of the buffer. But here the buffer and the variable can be miles apart. There are no assumptions you can make about their distance so you cannot determine how much overrun to cause to overwrite x.

Further, there are no instructions or procedure calls that can cause an overrun. The scanf is nicely shielded to get at most 127 characters and the printf statements print to stdout and so cannot cause an overrun.

Should your professor provide you a solution that does overwrite x, I would be very interested to hear it.

Paul Ogilvie
  • This question is not about a buffer overflow, but about uncontrolled format string, which might let printf wreak havoc memorywise. And the code clearly has a vulnerability a user could exploit. – moooeeeep Nov 15 '15 at 17:56
  • @moooeeeep, as you say, _might_, but not guaranteed/deterministic. You _could_ enter an input with lots of format specifiers like `%s%d%.*f` but you can't _guarantee_ that will overwrite the global variable `x`. Hence, in my humble opinion it cannot be done [deterministically]. – Paul Ogilvie Nov 15 '15 at 19:57