
Analyst | Cybersec Enthusiast | CEH | CCNA

WHAT IS FORMAT STRING VULNERABILITY?

A format string attack can occur when input string data is processed by a vulnerable function, so that an attacker can pass format specifiers to exploit values on the stack through the format string functions (the printf() family of functions).

Through a format string vulnerability, an attacker can execute code, read values from the stack, or cause a segmentation fault in the application.

COMMON FORMATS IN PRINTF() FAMILY

  1. %c — Formats a single character
  2. %d — Formats an integer as a decimal value
  3. %f — Formats a floating-point number as a decimal value
  4. %p — Formats a pointer as an address
  5. %s — Formats a string
  6. %x — Formats an integer as a hexadecimal value
  7. %n…


Shellcode is a piece of code that performs a specific action.

Shellcode is written in assembly (ASM).

Shellcode is architecture specific, so it is not portable between different processor types.

Shellcode is typically written to directly manipulate processor registers, setting them up for the various system calls that are made with opcodes.

Once the ASM code has been written to perform the desired operation, it must be converted to machine code and freed of any “null bytes”, because many string operators such as strcpy() terminate when they hit a null byte.

SYSTEM CALLS (SYSCALL)

System call (commonly abbreviated to syscall)…


A buffer overflow occurs when the size of the data exceeds the storage capacity of the memory buffer.

As a result, the program writes the data past the buffer, overwriting neighbouring memory locations such as the Instruction Pointer (IP) and Base Pointer (BP).

C and C++ are two languages that are highly susceptible to buffer overflow attacks, as they have no built-in safeguards against overwriting or accessing data in their memory.

Mac OS X, Windows, and Linux all use code written in C and C++.

WHAT ARE BUFFERS?

Buffers are memory storage regions that temporarily hold data while it is being transferred from one location to another.

CAUSE & MITIGATION


SPAWN SHELL USING SIMPLE GOT OVERWRITE

UNDERSTANDING BASICS:

PROCEDURE LINKAGE TABLE (PLT)

The Procedure Linkage Table (PLT) is a “read-only” section.

It is responsible for calling the dynamic linker during program runtime to resolve the addresses of the requested functions.

During compilation these addresses cannot be filled in, because the function addresses differ on each system and the shared object is not yet available.

So the PLT plays a vital role in resolving these function addresses at runtime.

The PLT table is much larger than the GOT table.

Each program/binary has its own PLT table, which is useful to itself only.

When symbol resolution is requested, the request is made to the PLT by the calling…


Ret2Libc -> Return To LIBC

LIBC

The term “libc” is commonly used as a shorthand for the “standard C library”, a library of standard functions that can be used by all C programs (and sometimes by programs in other languages).

For more on LIBC

METHODOLOGY

Whenever a function is called by a program, the arguments required for this function are loaded onto the stack so that they can easily be referenced relative to the Base Pointer (BP) while the instructions are processed.

We cannot simply point the Instruction Pointer (IP) at an arbitrary address to run our shellcode from that address.

This will fail, because there is no execution of shellcode when NX bit…

AidenPearce369
