Brainfuck interpreter inside printf


HexHive/printbf


Authors

Background

Generic POSIX printf itself can be Turing complete as shown in Control-Flow Bending. Here we take printf-oriented programming one step further and present a brainfuck interpreter inside a single printf statement.

An attacker can control a printf statement through a format string vulnerability (where an attacker-controlled string is used as the first parameter to a printf-like function) or if the attacker can control the first argument to a printf statement through, e.g., a generic memory corruption. See the disclaimer below for practical in-the-wild considerations.

Brainfuck is a Turing-complete language that has the following commands (and their mapping to format strings):

  • > == dataptr++ (%1$.*1$d %2$hn)
  • < == dataptr-- (%1$65535d%1$.*1$d%2$hn)
  • + == (*dataptr)++ (%3$.*3$d %4$hhn)
  • - == (*dataptr)-- (%3$255d%3$.*3$d%4$hhn -- plus a check for overflow)
  • . == putchar(*dataptr) (%3$.*3$d%5$hn)
  • , == getchar(dataptr) (%13$.*13$d%4$hn)
  • [ == if (*dataptr == 0) goto ] (%1$.*1$d%10$.*10$d%2$hn)
  • ] == if (*dataptr != 0) goto [ (%1$.*1$d%10$.*10$d%2$hn)

Demo and sources

Have a look at the bf_pre.c sources to see what is needed to set up the interpreter, and also look at the tokenizer in toker.py.

Run make in ./src to generate a couple of sample programs (in ./src).

Disclaimer

Keep in mind that this printbf interpreter is supposed to be a fun example of Turing completeness that is available in current programs and not a new generic attack vector. This demo is NOT intended to be a generic FORTIFY_SOURCE bypass.

Current systems often either (i) disable %n (which is used to write to memory and is allowed according to the standard but rarely used in practice) or (ii) apply a set of patches that test for attack-like conditions, e.g., whether the format string is in writable memory.

To use printbf in the wild an attacker will either have to disable FORTIFY_SOURCE checking or get around the checks by lining up the format strings and placing them in read-only memory. The FORTIFY_SOURCE mitigations are glibc specific. The attacker model for printbf assumes that the attacker can use memory corruption vulnerabilities to set up the attack or that the sources are compiled without FORTIFY_SOURCE defenses enabled.
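The command mapping above relies on three features of POSIX printf: positional arguments (the n$ form), '*' widths and precisions pulled from arguments, and the %n family that writes the character count back to memory. The disclaimer notes that the defensive response in current systems is to refuse %n outright or to check the conditions under which it appears. The following is an added example, not part of the printbf sources: a small static scanner for format strings that counts exactly those features so a code reviewer or a test harness can flag format strings that would need %n to be permitted. The report struct and function names (fmt_report, scan_format) are our own choices; the sample strings in main() are the brainfuck mappings listed on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Summary of one scanned printf-style format string. */
typedef struct {
    int directives;  /* conversion directives seen (%% literals excluded) */
    int writes;      /* %n, %hn, %hhn, %ln, ...: directives that write to memory */
    int positional;  /* uses of the POSIX n$ argument selector (in width/precision too) */
    int star_args;   /* '*' widths or precisions taken from the argument list */
} fmt_report;

/* Membership test that is safe on the terminating NUL (strchr would match it). */
static int in_set(const char *set, char c)
{
    return c != '\0' && strchr(set, c) != NULL;
}

/* Skip an optional "digits$" argument selector, counting it if present. */
static const char *skip_posarg(const char *p, fmt_report *rep)
{
    const char *q = p;
    while (isdigit((unsigned char)*q)) q++;
    if (q > p && *q == '$') {
        rep->positional++;
        return q + 1;
    }
    return p;
}

/* Scan `fmt` and fill `rep`. Returns 1 if at least one memory-write
 * directive (%n family) is present, 0 otherwise. */
int scan_format(const char *fmt, fmt_report *rep)
{
    const char *p = fmt;
    memset(rep, 0, sizeof *rep);
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }        /* "%%" prints a literal percent */
        p = skip_posarg(p, rep);                 /* %3$... selects argument 3 */
        while (in_set("-+ #0", *p)) p++;         /* flags */
        if (*p == '*') {                         /* width from an argument */
            rep->star_args++;
            p = skip_posarg(p + 1, rep);         /* "*m$" selects the width argument */
        } else {
            while (isdigit((unsigned char)*p)) p++;
        }
        if (*p == '.') {                         /* precision */
            p++;
            if (*p == '*') {
                rep->star_args++;
                p = skip_posarg(p + 1, rep);
            } else {
                while (isdigit((unsigned char)*p)) p++;
            }
        }
        while (in_set("hlLqjzt", *p)) p++;       /* length modifiers (h, hh, l, ...) */
        if (*p == '\0') break;                   /* truncated directive at end of string */
        rep->directives++;
        if (*p == 'n') rep->writes++;            /* the only conversion that writes memory */
        p++;
    }
    return rep->writes > 0;
}

int main(void)
{
    /* The brainfuck-to-printf mappings from the page, plus an ordinary format. */
    const char *samples[] = {
        "%1$.*1$d %2$hn",               /* >  */
        "%1$65535d%1$.*1$d%2$hn",       /* <  */
        "%3$.*3$d %4$hhn",              /* +  */
        "%3$255d%3$.*3$d%4$hhn",        /* -  */
        "%1$.*1$d%10$.*10$d%2$hn",      /* [ and ] */
        "value: %d %% %s\n",            /* benign */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        fmt_report r;
        int flagged = scan_format(samples[i], &r);
        printf("%-28s directives=%d writes=%d positional=%d star=%d %s\n",
               samples[i], r.directives, r.writes, r.positional, r.star_args,
               flagged ? "<- needs %n" : "");
    }
    return 0;
}
```

Every brainfuck mapping is flagged because each one ends in a %n-family write, while the benign string is not. A scanner like this cannot know where a format string will live at run time (the writable-memory check the disclaimer mentions is done by glibc's fortified printf at the call), but it is a cheap pre-commit or fuzzing-corpus check for the directives an interpreter such as printbf depends on.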
