Format String Attack

This is a discussion on Format String Attack within the C Programming forums, part of the General Programming Boards category; Hi, I am studying some format string vulnerabilities these days and i have one question. Is it possible to read ...

  1. #1
    Registered User
    Join Date
    Dec 2006
    Posts
    60

    Format String Attack

    Hi,
    I am studying some format string vulnerabilities these days and i have one question.
    Is it possible to read from/write to arbitrary memory locations? I am experiencing some difficulties when the address that i want to specify contains a NULL character (so it is supposed that the format string ends there).

    You can easily see that when one needs to write something like the following:

    Code:
    printf("\x12\x24\xef\x00\%n);
    So, is there a way to overcome this difficulty?
    Thanks in advance.

    PS: Please don't start accusing me of trying to crack-hack-break into an application.
    This is knowledge that i want to have, one way or another. The way that i will use it is my own responsibility, and I am the only one to blame if something is illegal. Let's just share knowledge here..

  2. #2
    Registered User
    Join Date
    Oct 2006
    Posts
    250
    * Problem with copying an exe file
    * I am willing to use threads in my program combined with winsock32 library.
    * Hiding proccess from task manager
    * Registry manipulation
    * I would like to know if there is a way to implement a simple programm that connects to a server and asks for an html (or other, txt etc..) file.

    Interesting history of questions you have there...

  3. #3
    Registered User
    Join Date
    Dec 2006
    Posts
    60
    It's interesting knowledge, either you like it or not.
    If you have no intension to answer my question, please don't answer at all.
    I want to know and i am not ashamed of that.

  4. #4
    Registered User
    Join Date
    Sep 2006
    Posts
    8,868
    If the OS gives a program virtual memory which varies each time (for all practical purposes), I don't see what good a fixed address in memory will do you.

    In DOS days this was an arcane science, but those days are long gone.

    I don't believe you'll get much joy on this forum. Your forthright honesty is refreshing, but that doesn't change the opinion we have for your ultimate motive. Your motive is screaming louder than your post, in this case.

    If you want to know the security failures of an OS, you'll need to go to a forum or newsgroup dedicated to OS security, hacking, and cracking, etc. C is a language independent of any one OS, and will be staying that way.

    Keep your own security software on full alert when you go to these sites, because they attack/hack/crack each other a great deal, to test their theories and latest hacking software code.

  5. #5
    and the hat of wrongness Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    32,498
    The format string attack is only possible if you do something dumb like

    fgets( message, sizeof message, stdin );
    printf( message );

    In other words, you pass a completely untrusted user input string direct to printf as the format string.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.
    I support http://www.ukip.org/ as the first necessary step to a free Europe.

  6. #6
    Registered User
    Join Date
    Dec 2006
    Posts
    60
    Quote Originally Posted by Adak View Post
    If the OS gives a program virtual memory which varies each time (for all practical purposes), I don't see what good a fixed address in memory will do you.
    ...

    Yes, i suppose you are right but it is reasonable to consider that if you have access to the application during runtime, you can deal with this difficulty (pls correct me if i'm wrong).

    About the "cracking" part..
    Just consider for a sec that those of you who have the appropriate knowledge to accuse me of cracking must have earned it some way.. And i am only trying to do the same thing..
    (It is considerable though that it's way more common for people who make "dangerous" questions to be accused of cracking, rather than people who hold the "dangerous" answers)..
    Anyway, i won't try to convince you about my intentions any more..

    Unless someone has something useful to say, let this thread be forgotten (until i ask a cracking related question again, so there will be one more reason to point me as "cracker" )

    So long..
    Last edited by tezcatlipooca; 06-10-2007 at 04:24 PM.

  7. #7
    Deathray Engineer MacGyver's Avatar
    Join Date
    Mar 2007
    Posts
    3,211
    Those that have gained "cracking" knowledge, but have no desire to deploy it (and perhaps to actively fight against it) almost certainly did not come to a forum begging for answers for it. Script kiddies do that kind of thing.

  8. #8
    Registered User
    Join Date
    Dec 2006
    Posts
    60
    Quote Originally Posted by MacGyver View Post
    Those that have gained "cracking" knowledge, but have no desire to deploy it (and perhaps to actively fight against it) almost certainly did not come to a forum begging for answers for it. Script kiddies do that kind of thing.
    1) #define "begging"

    2) If you really have something useful to say but you are afraid to share it because of my dirty-looking intentions, you can at least tell me if an answer exists and let me find it on my own or find other ways of making me search for the knowledge that i seek(or do script kiddies do that too?).It seems to me that sometimes people prefer "easy" answers on interesting looking threads


    With no manner of arguing at all,

    tezcatlipooca

  9. #9
    Deathray Engineer MacGyver's Avatar
    Join Date
    Mar 2007
    Posts
    3,211
    If it's morally wrong to me to share this knowledge with you, it's also morally wrong for me to point you in the direction to learn it.

    Do you lack any and all understanding of morality?

    Besides which, I was under the impression that discussing cracking-related items was prohibited on these forums.
    Last edited by MacGyver; 06-10-2007 at 07:36 PM.

  10. #10
    Woof, woof! zacs7's Avatar
    Join Date
    Mar 2007
    Location
    Australia
    Posts
    3,459
    Long live the skiddies

    And if there was some 'attack vulnerability' would it really be in our best interests to tell you? Considering no doubt you'd be planning to 'test' it on software various members may have untimely contributed to.

    And I would say this falls under rule number 6,
    Quote Originally Posted by http://cboard.cprogramming.com/announcement.php?f=4&a=51
    6. Messages relating to cracking, (erroneously called "hacking" by many), copyright violations, or other illegal activities will be deleted. This includes all messages reguarding to keyloggers.
    Last edited by zacs7; 06-10-2007 at 07:39 PM.

  11. #11
    Algorithm Dissector iMalc's Avatar
    Join Date
    Dec 2005
    Location
    New Zealand
    Posts
    6,302
    Quote Originally Posted by tezcatlipooca View Post
    Hi,
    You can easily see that when one needs to write something like the following:

    Code:
    printf("\x12\x24\xef\x00\%n);
    What I can easily see is that that code doesn't compile.
    My homepage
    Advice: Take only as directed - If symptoms persist, please see your debugger

    Linus Torvalds: "But it clearly is the only right way. The fact that everybody else does it some other way only means that they are wrong"

  12. #12
    Captain Crash brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,239
    Quote Originally Posted by Adak View Post
    If the OS gives a program virtual memory which varies each time (for all practical purposes), I don't see what good a fixed address in memory will do you.
    Most linkers DO place code at fixed addresses. Dynamic libraries can be loaded anywhere in memory, but that's no reason to put them someplace different each time a program executes. Knowing where code is loaded on a particular system has to be determined by trial and error, but once you know the address layout, it isn't going to change.

    Unless of course you're using a system that purposefully randomizes load addresses for exactly this reason.

    I don't believe you'll get much joy on this forum. Your forthright honesty is refreshing, but that doesn't change the opinion we have for your ultimate motive. Your motive is screaming louder than your post, in this case.
    I dunno. You can't learn how to write secure code without also learning how to break it.

  13. #13
    Deathray Engineer MacGyver's Avatar
    Join Date
    Mar 2007
    Posts
    3,211
    Quote Originally Posted by brewbuck View Post
    I dunno. You can't learn how to write secure code without also learning how to break it.
    You needed to know how to exploit a buffer overflow before knowing to use fgets() over gets()?

  14. #14
    Captain Crash brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,239
    Quote Originally Posted by MacGyver View Post
    You needed to know how to exploit a buffer overflow before knowing to use fgets() over gets()?
    I think the lesson is learned more completely when you see a failure right before your eyes. I see no reason to stick our heads in the sand and pretend that if we don't inform anybody, all the crackers will just disappear.

    I've messed around with this stuff myself, doesn't make me an antisocial.

  15. #15
    Deathray Engineer MacGyver's Avatar
    Join Date
    Mar 2007
    Posts
    3,211
    I think your premise is incorrect that you need this knowledge to be a safe programmer.

    With that said, you are correct that learning this may help you with a greater understanding of what happens under the hood and why we do the safety precautions that we do. I do not pretend crackers will disappear if we don't teach them how to abuse technology, but I do think it's completely ridiculous to help this idiot. Everything in his posts just screams that he's a stupid wannabe haxor. At the very least, all we would be doing by helping people with bad intentions is working towards adding yet another idiot to the ranks of people that will be sending out malware to screw over people that don't know how to better secure their computers. We whine and complain for every spammer and virus writer that plague the internet, but when some idiot wants to know how to do the same, there almost always seems like there's someone to teach the overeager pupil.

    Real cracking should not be discussed like this where it makes the knowledge easy to abuse. Perhaps one person is not a problem, but of all the people that could be reading topics like this.... how many people do you think would mind bending the rules? Perhaps I'm wrong, and we should be going towards an open-ended policy of sharing all information, but at this point, I know what damage one idiot can do, and I don't feel like helping him.

    If he's really a genius that just wants to learn it for the sake of fighting against it, or better protecting his code, he wouldn't be on the forums here asking about it.

    I would even venture to guess, brewbuck, that you never asked a question related to cracking on these forums, and that's not how you learned it. Correct me if I'm wrong.

Page 1 of 2 12 LastLast
Popular pages Recent additions subscribe to a feed

Similar Threads

  1. String Class
    By BKurosawa in forum C++ Programming
    Replies: 117
    Last Post: 08-09-2007, 01:02 AM
  2. Linked List Help
    By CJ7Mudrover in forum C Programming
    Replies: 9
    Last Post: 03-10-2004, 09:33 PM
  3. Classes inheretance problem...
    By NANO in forum C++ Programming
    Replies: 12
    Last Post: 12-09-2002, 02:23 PM
  4. creating class, and linking files
    By JCK in forum C++ Programming
    Replies: 12
    Last Post: 12-08-2002, 01:45 PM
  5. Again Character Count, Word Count and String Search
    By client in forum C Programming
    Replies: 2
    Last Post: 05-09-2002, 11:40 AM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21