

---
title: Format String Vulnerabilities
categories: [cheatsheets]
tags: [security, exploitation]
---

Format String Exploits

Format string exploits occur when user-supplied input is used as the format string of printf (or any other format string function). The attacker's bytes are then parsed for conversion specifiers such as %x, %s and %n, and every specifier consumes an argument the caller never passed.

Functions to look for:

  • printf
  • fprintf
  • sprintf
  • snprintf
  • vfprintf
  • vprintf
  • vsprintf
  • vsnprintf

Reading arbitrary values from the stack

The user's input usually sits in a buffer on the stack, and each %x prints the next argument slot (registers first on x86-64, then successive stack words). With enough specifiers you walk up the stack until you reach your own input and read it back (0x41414141 is "AAAA").

For example:

```
> fstring AAAAAA%x%x%x....%x%x
> output: bff2132a bff29b2a ... 41414141
```

With that you can read a string from an arbitrary address: put the raw address bytes at the start of the input (where the AAAA was), pad with %x until the next slot is the address, and finish with %s so the address is dereferenced and the string at it is printed:

```
fstring "<addr>%x%x...%x%x%s"
```

Here <addr> is the target address written as raw bytes in the target's byte order (little-endian on x86). The address must not contain a NUL byte, since that would terminate the format string before the specifiers.

Using direct parameter access

All those %x%x%x are not needed: with direct parameter access, fstring "%3$x" prints the 3rd argument directly, and "%3$s" dereferences it. The %N$ syntax is a POSIX extension supported by glibc; a caveat is that glibc built with _FORTIFY_SOURCE aborts with "invalid %N$ use detected" when positions are skipped, so on fortified binaries you still need the %x padding.
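The pieces above in working C, as an added example that is not part of the original cheatsheet: a sink in its vulnerable and hardened forms, the %3$x direct parameter access from this section, and a small scanner that counts the conversions an untrusted string would consume and flags %n and %N$ (the kind of check you want before any user data gets near a format function). The function names, the scratch buffer and the sample inputs are all mine; the argument values passed to the direct-parameter demo are constructed to mirror the sample output further up.

```c
/* Added example, not the cheatsheet's own code. Names and sample
   inputs are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static char scratch[128];   /* shared output buffer for the render_* helpers */

/* The bug from the cheatsheet: untrusted input *is* the format string.
   Each %x consumes an argument slot the caller never passed (registers,
   then stack), so "AAAA%x%x%x..." eventually prints the 0x41414141 of
   the input itself. snprintf is used instead of printf so the result
   can be inspected; the defect is the same. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"   /* the warning that finds this bug */
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
const char *render_vulnerable(const char *user)
{
    snprintf(scratch, sizeof scratch, user);
    return scratch;
}
#pragma GCC diagnostic pop

/* Hardened form: the format is a literal and user data travels as a %s
   argument, so its percent signs are never interpreted. */
const char *render_hardened(const char *user)
{
    snprintf(scratch, sizeof scratch, "%s", user);
    return scratch;
}

/* Direct parameter access: "%3$x" reaches the third argument without
   %x%x padding. Positions 1 and 2 are skipped, which glibc accepts only
   without _FORTIFY_SOURCE (fortified builds abort) and musl rejects.
   Argument values are constructed to mirror the sample output. */
const char *render_direct_param(void)
{
    snprintf(scratch, sizeof scratch, "%3$x",
             0xbff2132au, 0xbff29b2au, 0x41414141u);
    return scratch;
}

struct fmt_scan {
    int  conversions;   /* argument slots the string would consume */
    bool writes;        /* contains %n, the write primitive */
    bool positional;    /* uses %N$ direct parameter access */
};

/* Walk a string the way printf parses a format, counting conversions
   and flagging %n and %N$. Any conversion at all in untrusted input
   means it must never be passed as the format argument. */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, false, false};
    const char *p = s;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }            /* "%%" is a literal percent */
        const char *num = p;
        while (*p >= '0' && *p <= '9') p++;
        if (p != num && *p == '$') { r.positional = true; p++; }   /* %N$ */
        else p = num;                                 /* digits were a width */
        while (*p && strchr("-+ #0", *p)) p++;        /* flags */
        while ((*p >= '0' && *p <= '9') || *p == '*')
            r.conversions += (*p++ == '*');           /* '*' pulls a width argument */
        if (*p == '.') {                              /* precision */
            p++;
            while ((*p >= '0' && *p <= '9') || *p == '*')
                r.conversions += (*p++ == '*');
        }
        while (*p && strchr("hlLqjzt", *p)) p++;      /* length modifiers */
        if (!*p) break;                               /* truncated specifier */
        if (*p == 'n') r.writes = true;
        r.conversions++;
        p++;
    }
    return r;
}

int main(void)
{
    const char *probe = "AAAA%x%x%x%x%x%x";           /* constructed input */
    struct fmt_scan r = scan_format(probe);
    printf("scan: %d conversions, writes=%d, positional=%d\n",
           r.conversions, r.writes, r.positional);
    printf("hardened:     %s\n", render_hardened(probe));   /* probe verbatim */
    printf("direct %%3$x: %s\n", render_direct_param());    /* 41414141 */
    /* render_vulnerable(probe) would read six slots nobody passed; the
       benign-looking call below is why the bug survives testing. */
    printf("vulnerable:   %s\n", render_vulnerable("hello"));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (or `-Wformat=2`) makes GCC and Clang report the non-literal format in render_vulnerable, which is the cheapest way to find the functions listed above being misused in a code base; the pragmas are there only so the deliberately vulnerable sink compiles cleanly for the demonstration.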