---
title: Format String Vulnerabilities
categories: [cheatsheets]
tags: [security, exploitation]
---

# Format String Exploits

Format string exploits occur when user-supplied input is used as the format string of `printf` (or any other format string function).

**Functions to look for:**

* printf
* fprintf
* sprintf
* snprintf
* vfprintf
* vprintf
* vsprintf
* vsnprintf

## Reading arbitrary values from the stack

User input is stored on the stack, so by using enough format specifiers you can read your own input back. For example:

```
> fstring AAAAAA%x%x%x....%x%x
> output: bff2132a bff29b2a ... 41414141
```

With that you can read strings from arbitrary addresses using:

`fstring \xde\xad\xbe\xef%x%x...%x%x%s`

The first four bytes of the input are the address to read (here `0xdeadbeef`, written as raw bytes); the `%s` that lands on them dereferences that address.

## Using direct parameter access

All those `%x%x%x` are not needed; you can access a parameter directly with:

`fstring "%3$x"`

to access the 3rd value.
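The bug pattern behind everything above is a single call where user data becomes the format string. The following is an added example, not code from the original cheatsheet: it shows the vulnerable call next to the one-argument fix, and a small checker that counts conversion specifiers in untrusted input, including the `%%` escape and the `%N$` direct-parameter syntax described above. The function names (`log_message_vulnerable`, `log_message_fixed`, `count_format_specifiers`) are ours and not from any real project.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable: user data is passed as the format string, so "%x%x%x" or
   "%3$x" in the input is interpreted as conversion specifiers and reads
   whatever printf finds in the corresponding argument slots. */
void log_message_vulnerable(const char *user_input)
{
    printf(user_input);   /* gcc/clang -Wformat-security warns here */
}

/* Fixed: the format string is a constant, user data is an argument. */
void log_message_fixed(const char *user_input)
{
    printf("%s", user_input);
}

/* Defensive check (hypothetical helper): count real conversion specifiers in
   untrusted input. "%%" is a literal percent and is skipped; the optional
   "N$" after the percent sign is the direct parameter access form. Returns
   the number of conversions that would consume an argument slot. */
int count_format_specifiers(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" is harmless */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (isdigit((unsigned char)*q)) q++;          /* N in "%N$" */
        if (*q == '$') q++;                                 /* direct parameter access */
        while (*q && strchr("-+ #0", *q)) q++;              /* flags */
        while (isdigit((unsigned char)*q) || *q == '*' || *q == '.') q++; /* width/precision */
        while (*q && strchr("hlLqjzt", *q)) q++;            /* length modifier */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {       /* conversion character */
            count++;
            p = q;
        }
    }
    return count;
}

/* Convenience wrapper: 1 if the input contains no conversion specifier. */
int is_safe_as_format(const char *s)
{
    return count_format_specifiers(s) == 0;
}

int main(void)
{
    /* Constructed sample inputs mirroring the cheatsheet's payloads. */
    const char *samples[] = {
        "hello world",
        "AAAAAA%x%x%x%x",
        "%3$x",
        "100%% done",
        "\xde\xad\xbe\xef%x%x%s",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d specifier(s): ", count_format_specifiers(samples[i])),
        log_message_fixed(samples[i]),   /* never the vulnerable one */
        putchar('\n');
    return 0;
}
```

In practice the compiler flag does most of the work: building with `-Wformat -Wformat-security` (or `-Werror=format-security`) flags every non-literal format string at compile time, and the checker above is only useful where input must be inspected at runtime, for example in a logging layer or a test that asserts user data never reaches a format slot.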