
Is the exploitation of a format string vulnerability possible if the number of characters you're allowed to enter is limited?

Let's say I'm just allowed to enter input with 23 characters. I can read the stack like this of course:

AAAA%1$08xBBBBBBBBBBBBB
...
AAAA%576$08xBBBBBBBBBBB

But is it possible to exploit it somehow? (Shell, ...)

The system behind it is a Linux server I am accessing with netcat. It is running a simple ELF that makes the string length check and then calls the vulnerable printf function.

Stjubit
    The question "Is ___ possible?" is very different from "Can you give me an example of ___?". When doing defensive security, I always assume things are possible :P (may want to edit the title) – Mike Ounsworth Aug 28 '18 at 16:22
  • I agree, but I don't need an example for now. I just want to know if it is even possible. – Stjubit Aug 29 '18 at 09:00
  • Yes 23 seems an okay bound to exploit. Show us the binary/code and I'll be happy to help. – sudhackar Sep 10 '18 at 02:34

1 Answer


printf is not vulnerable on its own, so you probably need to explain what it does with the output.

Looks like you only need 2-3 characters.

Read this: https://www.owasp.org/index.php/Format_string_attack

  • In my case, it is definitely vulnerable. I already read the whole stack and know at which position my payload is. However, it is not my question if it is vulnerable. My question is: Is it possible to exploit it with a limited number of characters? With "exploit" I mean popping up a shell, RCE and so on. – Stjubit Aug 29 '18 at 08:57
  • You'd still have to have memory allocated, I think. Do you have the source code? – user2505690 Aug 29 '18 at 16:40
  • I have to reconnect to the netcat server every time I send a string. So the memory stays allocated, because the ELF is executed with every reconnect. I don't have the source code, but I'm 100% sure that it is just a string length check and then the printf(input) function. – Stjubit Aug 30 '18 at 06:34
  • Notepad has an encoding hack that Microsoft determined is not fixable and not a security issue. It’s posted on stackoverflow.com. Educational on UTF8 – makerofthings7 Sep 13 '21 at 00:28
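As an added example (not code from the question, the answer, or the binary being discussed), here is the safe form of the "length check, then printf" pattern the question describes, next to a small classifier a defender can use to log or reject inputs that carry format directives. MAX_INPUT, the function names and the risk levels are my assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INPUT 23  /* the 23-character limit from the question (assumption: no trailing newline) */

/* Classify a string that is about to be (mis)used as a printf format.
   Returns 0 = no conversion directives, 1 = read-only directives such as
   %x/%s/%p (stack disclosure), 2 = at least one %n (memory write).
   This is a detection/logging aid, not a substitute for a constant format. */
int classify_format(const char *s)
{
    int risk = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;               /* "%%" is a literal percent sign */
        /* skip positional index (N$), flags, width, precision and length modifiers */
        while (*p && strchr("0123456789$-+ #.*'hlLqjzt", *p)) p++;
        if (*p == '\0') break;                 /* directive truncated at end of string */
        if (*p == 'n') return 2;               /* %n writes the byte count to memory */
        risk = 1;
    }
    return risk;
}

/* The pattern from the question, fixed. Before the fix the body was
 *     if (strlen(input) > MAX_INPUT) return -1;
 *     return printf(input);       // BUG: user data interpreted as the format
 * The length check does nothing to stop directives; the fix is a constant
 * format with the input passed only as a %s argument. */
int echo_fixed(const char *input)
{
    if (strlen(input) > MAX_INPUT) return -1;
    return printf("%s\n", input);  /* returns characters written, incl. newline */
}

int main(void)
{
    /* constructed sample input, the first line from the question */
    const char *probe = "AAAA%1$08xBBBBBBBBBBBBB";
    printf("risk=%d\n", classify_format(probe));
    echo_fixed(probe);  /* prints the string literally, no stack contents */
    return 0;
}
```

Compiling with -Wformat -Wformat-security makes the compiler flag the pre-fix printf(input) call, which is the cheapest check of all.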