
Repository Details

Brainfuck interpreter inside printf

printbf -- Brainfuck interpreter in printf

Authors

Background

Generic POSIX printf itself can be Turing complete, as shown in Control-Flow Bending. Here we take printf-oriented programming one step further and present a brainfuck interpreter inside a single printf statement.

An attacker can control a printf statement through a format string vulnerability (where an attacker-controlled string is used as the first parameter to a printf-like function) or if the attacker can control the first argument to a printf statement through, e.g., a generic memory corruption. See the disclaimer below for practical in-the-wild considerations.

Brainfuck is a Turing-complete language that has the following commands (and their mapping to format strings):

  • > == dataptr++ (%1$.*1$d %2$hn)
  • < == dataptr-- (%1$65535d%1$.*1$d%2$hn)
  • + == (*dataptr)++ (%3$.*3$d %4$hhn)
  • - == (*dataptr)-- (%3$255d%3$.*3$d%4$hhn -- plus check for ovfl)
  • . == putchar(*dataptr) (%3$.*3$d%5$hn)
  • , == getchar(dataptr) (%13$.*13$d%4$hn)
  • [ == if (*dataptr == 0) goto ] (%1$.*1$d%10$.*10$d%2$hn)
  • ] == if (*dataptr != 0) goto [ (%1$.*1$d%10$.*10$d%2$hn)
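
To see what the format strings in the table actually compute, here is an added example (not part of printbf's sources) that replays the `>`, `<`, `+` and `-` directives against an ordinary local variable instead of the interpreter's data pointer. Argument positions are renumbered to `1$`/`2$` because only two arguments are passed, and the output is discarded through `snprintf(NULL, 0, ...)`, which still counts characters for `%n`.

```c
#include <stdio.h>

/* Added example: apply one of the page's 16-bit format strings to the
 * value v and return what %hn stored. snprintf(NULL, 0, ...) emits
 * nothing but counts characters, so %n sees the full length. */
static unsigned short apply16(const char *fmt, unsigned short v)
{
    short cell = 0;
    snprintf(NULL, 0, fmt, (int)v, &cell);
    return (unsigned short)cell;
}

/* Same helper at byte width for the %hhn directives. */
static unsigned char apply8(const char *fmt, unsigned char v)
{
    signed char cell = 0;
    snprintf(NULL, 0, fmt, (int)v, &cell);
    return (unsigned char)cell;
}

/* '>' : %1$.*1$d prints value v with precision v, i.e. exactly v
 *       characters (zero of them when v == 0); the literal space adds
 *       one more, and %hn stores the count: (v + 1) mod 65536. */
unsigned short bf_right(unsigned short v)
{
    return apply16("%1$.*1$d %2$hn", v);
}

/* '<' : %1$65535d pads to a field of 65535 characters, then v more are
 *       printed; 65535 + v truncated to 16 bits is (v - 1) mod 65536. */
unsigned short bf_left(unsigned short v)
{
    return apply16("%1$65535d%1$.*1$d%2$hn", v);
}

/* '+' : the '>' trick with an 8-bit store: (v + 1) mod 256. */
unsigned char bf_plus(unsigned char v)
{
    return apply8("%1$.*1$d %2$hhn", v);
}

/* '-' : the '<' trick with a field of 255: (v - 1) mod 256. */
unsigned char bf_minus(unsigned char v)
{
    return apply8("%1$255d%1$.*1$d%2$hhn", v);
}
```

Because the format strings are literals in read-only memory, glibc's FORTIFY_SOURCE `%n` check lets them through; the same strings copied into a writable buffer would be refused, which is the mitigation the disclaimer refers to.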

Demo and sources

Have a look at the bf_pre.c sources to see what is needed to set up the interpreter, and also look at the tokenizer in toker.py.

Run make in ./src to generate a couple of sample programs (in ./src).

Disclaimer

Keep in mind that this printbf interpreter is supposed to be a fun example of Turing completeness that is available in current programs and not a new generic attack vector. This demo is NOT intended to be a generic FORTIFY_SOURCE bypass.

Current systems often either (i) disable %n (which is used to write to memory and is allowed according to the standard but rarely used in practice) or (ii) apply a set of patches that test for attack-like conditions, e.g., whether the format string is in writable memory.

To use printbf in the wild an attacker will either have to disable FORTIFY_SOURCE checking or get around the checks by lining up the format strings and placing them in read-only memory. The FORTIFY_SOURCE mitigations are glibc specific. The attacker model for printbf assumes that the attacker can use memory corruption vulnerabilities to set up the attack or that the sources are compiled without FORTIFY_SOURCE defenses enabled.
