|Number of watchers on Github||419|
|Number of open issues||0|
|Average time to close an issue||about 5 hours|
|Average time to merge a PR||less than a minute|
|Open pull requests||0+|
|Closed pull requests||1+|
|Last commit||6 months ago|
|Repo Created||almost 5 years ago|
|Repo Last Updated||3 months ago|
|Organization / Author||hexhive|
|Do you use printbf? Leave a review!|
|View printbf activity|
|View on github|
|Book a Mock Interview With Me (Silicon Valley Engineering Leader, 100s of interviews conducted)|
Software engineers: It's time to get promoted. Starting NOW! Subscribe to my mailing list and I will equip you with tools, tips and actionable advice to grow in your career.
Generic POSIX printf itself can be Turing complete as shown in Control-Flow Bending. Here we take printf-oriented programming one step further and preset a brainfuck interpreter inside a single printf statement.
An attacker can control a printf statement through a format string vulnerability (where an attacker-controlled string is used as first parameter to a printf-like statement) or if the attacker can control the first argument to a printf statement through, e.g., a generic memory corruption. See the disclaimer below for practical in the wild considerations.
Brainfuck is a Turing-complete language that has the following commands (and their mapping to format strings):
>== dataptr++ (
<== dataptr-- (
+== (*dataptr)++ (
-== (*dataptr)-- (
%3$255d%3$.*3$d%4$hhn-- plus check for ovfl)
.== putchar(*dataptr) (
,== getchar(dataptr) (
[== if (*dataptr == 0) goto
]== if (*dataptr != 0) goto
Have a look at the bf_pre.c sources to see what is needed to setup the interpreter and also look at the tokenizer in toker.py.
Run make in ./src to generate a couple of sample programs (in ./src).
Keep in mind that this printbf interpreter is supposed to be a fun example of Turing completeness that is available in current programs and not a new generic attack vector. This demo is NOT intended to be a generic FORTIFY_SOURCE bypass.
Current systems often either (i) disable %n (which is used to write to memory and allowed according to the standard but rarely used in practice) or (ii) through a set of of patches that test for attack-like conditions, e.g., if the format string is in writable memory.
To use printbf in the wild an attacker will either have to disable FORTIFY_SOURCE checking or get around the checks by placing lining up the format strings and placing them in readonly memory. The FORTIFY_SOURCE mitigations are glibc specific. The attacker model for printbf assumes that the attacker can use memory corruption vulnerabilities to set-up the attack or that the sources are compiled without enabled FORTIFY_SOURCE defenses.