-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathindex.html
More file actions
384 lines (322 loc) · 14.5 KB
/
index.html
File metadata and controls
384 lines (322 loc) · 14.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="generator" content="pandoc">
<meta name="author" content="Sebastian Feustel">
<title>Format String Vulnerability</title>
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui">
<link rel="stylesheet" href="css/reset.css">
<link rel="stylesheet" href="css/reveal.css">
<style>
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
span.underline{text-decoration: underline;}
div.column{display: inline-block; vertical-align: top; width: 50%;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
ul.task-list{list-style: none;}
pre > code.sourceCode { white-space: pre; position: relative; }
pre > code.sourceCode > span { display: inline-block; line-height: 1.25; }
pre > code.sourceCode > span:empty { height: 1.2em; }
.sourceCode { overflow: visible; }
code.sourceCode > span { color: inherit; text-decoration: inherit; }
div.sourceCode { margin: 1em 0; }
pre.sourceCode { margin: 0; }
@media screen {
div.sourceCode { overflow: auto; }
}
@media print {
pre > code.sourceCode { white-space: pre-wrap; }
pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; }
}
pre.numberSource code
{ counter-reset: source-line 0; }
pre.numberSource code > span
{ position: relative; left: -4em; counter-increment: source-line; }
pre.numberSource code > span > a:first-child::before
{ content: counter(source-line);
position: relative; left: -1em; text-align: right; vertical-align: baseline;
border: none; display: inline-block;
-webkit-touch-callout: none; -webkit-user-select: none;
-khtml-user-select: none; -moz-user-select: none;
-ms-user-select: none; user-select: none;
padding: 0 4px; width: 4em;
color: #aaaaaa;
}
pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; }
div.sourceCode
{ }
@media screen {
pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; }
}
code span.al { color: #ff0000; font-weight: bold; } /* Alert */
code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
code span.at { color: #7d9029; } /* Attribute */
code span.bn { color: #40a070; } /* BaseN */
code span.bu { } /* BuiltIn */
code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
code span.ch { color: #4070a0; } /* Char */
code span.cn { color: #880000; } /* Constant */
code span.co { color: #60a0b0; font-style: italic; } /* Comment */
code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
code span.do { color: #ba2121; font-style: italic; } /* Documentation */
code span.dt { color: #902000; } /* DataType */
code span.dv { color: #40a070; } /* DecVal */
code span.er { color: #ff0000; font-weight: bold; } /* Error */
code span.ex { } /* Extension */
code span.fl { color: #40a070; } /* Float */
code span.fu { color: #06287e; } /* Function */
code span.im { } /* Import */
code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
code span.kw { color: #007020; font-weight: bold; } /* Keyword */
code span.op { color: #666666; } /* Operator */
code span.ot { color: #007020; } /* Other */
code span.pp { color: #bc7a00; } /* Preprocessor */
code span.sc { color: #4070a0; } /* SpecialChar */
code span.ss { color: #bb6688; } /* SpecialString */
code span.st { color: #4070a0; } /* String */
code span.va { color: #19177c; } /* Variable */
code span.vs { color: #4070a0; } /* VerbatimString */
code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
<link rel="stylesheet" href="css/black.css" id="theme">
</head>
<body>
<div class="reveal">
<div class="slides">
<section id="title-slide">
<h1 class="title">Format String Vulnerability</h1>
<p class="author">Sebastian Feustel</p>
</section>
<section id="printf" class="title-slide slide level2">
<h2>Printf()</h2>
</section>
<section id="dokumentation" class="title-slide slide level2">
<h2>Dokumentation</h2>
<ul>
<li><a href="https://man7.org/linux/man-pages/man3/printf.3.html">man 3 printf</a></li>
</ul>
</section>
<section id="code" class="title-slide slide level2">
<h2>Code</h2>
<div class="sourceCode" id="cb1"><pre class="sourceCode c"><code class="sourceCode c"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="pp">#include </span><span class="im"><stdio.h></span></span>
<span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb1-3"><a href="#cb1-3" aria-hidden="true" tabindex="-1"></a><span class="dt">int</span> main<span class="op">(){</span></span>
<span id="cb1-4"><a href="#cb1-4" aria-hidden="true" tabindex="-1"></a> printf<span class="op">(</span><span class="st">"Sag, mir wen ich grüßen soll: "</span><span class="op">);</span></span>
<span id="cb1-5"><a href="#cb1-5" aria-hidden="true" tabindex="-1"></a> <span class="dt">char</span> in<span class="op">[</span><span class="dv">256</span><span class="op">];</span></span>
<span id="cb1-6"><a href="#cb1-6" aria-hidden="true" tabindex="-1"></a> fgets<span class="op">(</span>in<span class="op">,</span> <span class="dv">256</span><span class="op">,</span> stdin<span class="op">);</span></span>
<span id="cb1-7"><a href="#cb1-7" aria-hidden="true" tabindex="-1"></a> </span>
<span id="cb1-8"><a href="#cb1-8" aria-hidden="true" tabindex="-1"></a> printf<span class="op">(</span>in<span class="op">);</span></span>
<span id="cb1-9"><a href="#cb1-9" aria-hidden="true" tabindex="-1"></a> </span>
<span id="cb1-10"><a href="#cb1-10" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> <span class="dv">0</span><span class="op">;</span></span>
<span id="cb1-11"><a href="#cb1-11" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
</section>
<section id="aufbau-von-stack" class="title-slide slide level2">
<h2>Aufbau von Stack</h2>
<p><img src="img/stack.png" width="400"></p>
</section>
<section id="leaking-memory" class="title-slide slide level2">
<h2>Leaking Memory</h2>
</section>
<section id="potenzielle-gefahren" class="title-slide slide level2">
<h2>Potenzielle Gefahren</h2>
<ul>
<li>Crashen vom Programm (DDOS)</li>
<li>Unautorisiertes Auslesen vom Stack Daten</li>
<li>Ausführen von beliebigen Code</li>
</ul>
</section>
<section id="wortklärung" class="title-slide slide level2">
<h2>Wortklärung</h2>
<ul>
<li>Vulnerability</li>
<li>Exploit</li>
<li>Payload</li>
</ul>
</section>
<section id="mittigations" class="title-slide slide level2">
<h2>Mittigations</h2>
<ul>
<li>ASLR (Address space layout randomization)</li>
<li>Stack Cookies</li>
<li>DEP (Data Execution Prevention)</li>
</ul>
</section>
<section>
<section id="heute-immer-noch-ein-problem" class="title-slide slide level2">
<h2>Heute immer noch ein Problem?</h2>
</section>
<section id="webanwendungen" class="slide level3">
<h3>Webanwendungen</h3>
<ul>
<li>Meisten Webserver/Datenbanken/Betriebssysteme basieren auf C oder C++</li>
<li>Formatstrings in Javascript-Code</li>
<li>PHP sprintf-Format-String-Schwachstelle</li>
</ul>
</section>
<section id="in-anderen-progsprachen" class="slide level3">
<h3>In anderen Progsprachen</h3>
<p>Schwachstellen in Format Strings können in jeder größeren Programmiersprache auftreten.</p>
</section></section>
<section id="zusammenfassung" class="title-slide slide level2">
<h2>Zusammenfassung</h2>
<ul>
<li>Userinput ist böse (das können auch files sein)</li>
<li>Daten könnne zu Code werden</li>
<li>Lese Dokumentation von Bibilotheken, die du verwendest.</li>
</ul>
</section>
<section>
<section id="quellen" class="title-slide slide level2">
<h2>Quellen</h2>
</section>
<section id="bücher" class="slide level3">
<h3>Bücher</h3>
<ul>
<li><a href="https://nostarch.com/hacking2.htm">Hacking The Art of Exploitation 2nd Edition</a></li>
<li><a href="https://www.rheinwerk-verlag.de/exploit-code-haerten-bugs-analysieren-hacks-verstehen/">Exploit! Code härten, Bugs analysieren, Hacks verstehen</a></li>
</ul>
</section>
<section id="youtube" class="slide level3">
<h3>Youtube</h3>
<ul>
<li><a href="https://www.youtube.com/watch?v=iyAyN3GFM7A&list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN">LiveOverflow Binary Exploitation / Memory Corruption</a></li>
<li><a href="https://www.youtube.com/watch?v=DhVRI33s-D0">John Hammond Format String Vulnerabilities</a></li>
</ul>
</section>
<section id="blogs" class="slide level3">
<h3>Blogs</h3>
<ul>
<li><a href="https://www.wallarm.com/what/format-string-vulnerability">wallarm</a></li>
<li><a href="https://fuzzysecurity.com/tutorials/expDev/10.html">fuzzysecurity</a></li>
<li><a href="https://infosecwriteups.com/exploiting-format-string-vulnerability-97e3d588da1b">infosecwriteups</a></li>
<li><a href="https://www.securecoding.com/blog/format-string-vulnerability">securecoding</a></li>
<li><a href="https://www.invicti.com/blog/web-security/format-string-vulnerabilities">invicti</a></li>
<li><a href="https://axcheron.github.io/exploit-101-format-strings">axcheron</a></li>
</ul>
</section></section>
<section id="fragen" class="title-slide slide level2">
<h2>Fragen?</h2>
</section>
</div>
</div>
<script src="js/reveal.js"></script>
<!-- reveal.js plugins -->
<script src="js/notes.js"></script>
<script src="js/search.js"></script>
<script src="js/zoom.js"></script>
<script>
// Full list of configuration options available at:
// https://revealjs.com/config/
Reveal.initialize({
// Display controls in the bottom right corner
controls: true,
// Help the user learn the controls by providing hints, for example by
// bouncing the down arrow when they first encounter a vertical slide
controlsTutorial: true,
// Determines where controls appear, "edges" or "bottom-right"
controlsLayout: 'bottom-right',
// Visibility rule for backwards navigation arrows; "faded", "hidden"
// or "visible"
controlsBackArrows: 'faded',
// Display a presentation progress bar
progress: true,
// Display the page number of the current slide
slideNumber: false,
// 'all', 'print', or 'speaker'
showSlideNumber: 'all',
// Add the current slide number to the URL hash so that reloading the
// page/copying the URL will return you to the same slide
hash: false,
// Start with 1 for the hash rather than 0
hashOneBasedIndex: false,
// Flags if we should monitor the hash and change slides accordingly
respondToHashChanges: true,
// Push each slide change to the browser history
history: false,
// Enable keyboard shortcuts for navigation
keyboard: true,
// Enable the slide overview mode
overview: true,
// Disables the default reveal.js slide layout (scaling and centering)
// so that you can use custom CSS layout
disableLayout: false,
// Vertical centering of slides
center: true,
// Enables touch navigation on devices with touch input
touch: true,
// Loop the presentation
loop: false,
// Change the presentation direction to be RTL
rtl: false,
// see https://revealjs.com/vertical-slides/#navigation-mode
navigationMode: 'default',
// Randomizes the order of slides each time the presentation loads
shuffle: false,
// Turns fragments on and off globally
fragments: true,
// Flags whether to include the current fragment in the URL,
// so that reloading brings you to the same fragment position
fragmentInURL: true,
// Flags if the presentation is running in an embedded mode,
// i.e. contained within a limited portion of the screen
embedded: false,
// Flags if we should show a help overlay when the questionmark
// key is pressed
help: true,
// Flags if it should be possible to pause the presentation (blackout)
pause: true,
// Flags if speaker notes should be visible to all viewers
showNotes: false,
// Global override for autoplaying embedded media (null/true/false)
autoPlayMedia: null,
// Global override for preloading lazy-loaded iframes (null/true/false)
preloadIframes: null,
// Number of milliseconds between automatically proceeding to the
// next slide, disabled when set to 0, this value can be overwritten
// by using a data-autoslide attribute on your slides
autoSlide: 0,
// Stop auto-sliding after user input
autoSlideStoppable: true,
// Use this method for navigation when auto-sliding
autoSlideMethod: null,
// Specify the average time in seconds that you think you will spend
// presenting each slide. This is used to show a pacing timer in the
// speaker view
defaultTiming: null,
// Enable slide navigation via mouse wheel
mouseWheel: false,
// The display mode that will be used to show slides
display: 'block',
// Hide cursor if inactive
hideInactiveCursor: true,
// Time before the cursor is hidden (in ms)
hideCursorTime: 5000,
// Opens links in an iframe preview overlay
previewLinks: false,
// Transition style (none/fade/slide/convex/concave/zoom)
transition: 'slide',
// Transition speed (default/fast/slow)
transitionSpeed: 'default',
// Transition style for full page slide backgrounds
// (none/fade/slide/convex/concave/zoom)
backgroundTransition: 'fade',
// Number of slides away from the current that are visible
viewDistance: 3,
// Number of slides away from the current that are visible on mobile
// devices. It is advisable to set this to a lower number than
// viewDistance in order to save resources.
mobileViewDistance: 2,
// reveal.js plugins
plugins: [
RevealNotes,
RevealSearch,
RevealZoom
]
});
</script>
</body>
</html>