If you're using the example code from the book (below), at some point you should reach the "AAAAAAAA" pattern (0x41). Note that, since you're running it on a 64-bit machine that stores elements in the stack with 8 bytes each, you should run it with $ ./fmtstr "AAAAAAAA %016x %016x %016x %016x %016x %016x %016x %016x %016x %016x %016x %016x %016x" instead, or you will miss part of each element on the stack.

#include <stdlib.h>
int main(int argc, char *argv[]){
        static int canary=0;   // stores the canary value in .data section
        char temp[2048];       // string to hold large temp string
      strcpy(temp, argv[1]);   // take argv1 input and jam into temp
      printf(temp);            // print value of temp
      printf("\n");            // print carriage return
      printf("Canary at 0x%08x = 0x%08x\n", &canary, canary); //print canary
}

You should pay attention to the quote in the book that states:

The fact that the fourth item shown (from the stack) was our format string depends on the nature of the format function used and the location of the vulnerable call in the vulnerable program. To find this value, simply use brute force and keep increasing the number of %08x tokens until the beginning of the format string is found. For our simple example (fmtstr), the distance, called the offset, is defined as 4.

Remember that the parameter being parsed to printf isn't the string itself, but the address of the string. So it's position on the memory layout of the program in relation to the printf stack is what will define how further you'll have to search to find it.

Answer from murphsghost on Stack Exchange
Top answer
1 of 1
6

If you're using the example code from the book (below), at some point you should reach the "AAAAAAAA" pattern (0x41). Note that, since you're running it on a 64-bit machine that stores elements in the stack with 8 bytes each, you should run it with $ ./fmtstr "AAAAAAAA %016x %016x %016x %016x %016x %016x %016x %016x %016x %016x %016x %016x %016x" instead, or you will miss part of each element on the stack.

#include <stdlib.h>
int main(int argc, char *argv[]){
        static int canary=0;   // stores the canary value in .data section
        char temp[2048];       // string to hold large temp string
      strcpy(temp, argv[1]);   // take argv1 input and jam into temp
      printf(temp);            // print value of temp
      printf("\n");            // print carriage return
      printf("Canary at 0x%08x = 0x%08x\n", &canary, canary); //print canary
}

You should pay attention to the quote in the book that states:

The fact that the fourth item shown (from the stack) was our format string depends on the nature of the format function used and the location of the vulnerable call in the vulnerable program. To find this value, simply use brute force and keep increasing the number of %08x tokens until the beginning of the format string is found. For our simple example (fmtstr), the distance, called the offset, is defined as 4.

Remember that the parameter being parsed to printf isn't the string itself, but the address of the string. So it's position on the memory layout of the program in relation to the printf stack is what will define how further you'll have to search to find it.

🌐
Oracle
docs.oracle.com › cd › E19253-01 › 816-5138 › convert-13 › index.html
Format String Macros
Macros for printf(3C) format specifiers exist for printing 8-bit, 16-bit, 32-bit, and 64-bit integers, the smallest integer types, and the biggest integer types, in decimal, octal, unsigned, and hexadecimal.
Discussions

c - How do you format an unsigned long long int using printf? - Stack Overflow
I would suggest using using stdint.h and being explicit about the number of bits in your variable. We're still in a period of transition between 32 and 64 bit architectures, and "unsigned long long int" doesn't mean the same thing on both. More on stackoverflow.com
🌐 stackoverflow.com
Format string exploitation on 64 bit. How about the null bytes?
What is the function taking the input ? It depends on what are the stop chars for that function. Also what is your aim in exploit ? To overwrite some address with %n or something else ? Like depending on target partial overwrite or something can be tried. I also have an article on format strings on 64 bit. https://www.ret2rop.com/2018/10/format-strings-got-overwrite-remote.html More on reddit.com
🌐 r/LiveOverflow
2
6
April 26, 2020
64-bit Format String Exploitation.

what's the difference to x86 that is difficult for you?

More on reddit.com
🌐 r/LiveOverflow
3
2
May 5, 2017
linux - Format string vulnerability exploit in 64 bits systems - Stack Overflow
I am studying the format string vulnerability on my 64-bit ubuntu 14.04 machine. The code is very simple: #include int target = 0; void vuln(char *buffer) { printf(buffe... More on stackoverflow.com
🌐 stackoverflow.com
September 12, 2016
🌐
Oracle
docs.oracle.com › cd › E19455-01 › 806-0477 › chapter3-13 › index.html
Format String Macros (Solaris 64-bit Developer's Guide)
Macros for printf(3C) format specifiers exist for printing 8-bit, 16-bit, 32-bit, and 64-bit integers, the smallest integer types, and the biggest integer types, in decimal, octal, unsigned, and hexadecimal.
🌐
nixhacker
nixhacker.com › case-of-format-string-in-64-bit-is-it-still-critical
Impact of x64 calling convention in format string exploitation
October 19, 2020 - Calling convention Rule 2: In 64 bit windows, while calling a function, even tough the first 4 parameters are passed through registers, still space for them are allocated in stack for optimization purpose. This space of 32 bytes is called home space or shadow space. Hence, in the above case we are not getting the data of first 32 bytes from rsp in our string since that space is reserved home space. After keeping that in mind, you can create your string with format characters in such a way that you reach to the saved password.
🌐
Seedsecuritylabs
seedsecuritylabs.org › Labs_20.04 › Files › Format_String_x64 › Format_String_x64.pdf pdf
SEED Labs – Format String Vulnerability Lab (64-bit) 1
supports 64-bit address space, only the address from 0x00 through 0x00007FFFFFFFFFFF is allowed. That means for every address (8 bytes), the highest two bytes are always zeros. This causes a problem. In the attack, we need to place addresses inside the format string.
🌐
Reddit
reddit.com › r/liveoverflow › format string exploitation on 64 bit. how about the null bytes?
r/LiveOverflow on Reddit: Format string exploitation on 64 bit. How about the null bytes?
April 26, 2020 -

I'm new to the argument, but I'm trying to do some very simple exercises on format string vulnerability. I'm unfortunately incurring in a problem: when I write the target address in which I will write with %_c (for example \x38\xdb\xff\xff\xff\x7f for 0x00007fffffffdb38) im not able to replicate the 0x0000 right before 7fffffffdb38. So when I try to run it the program will try to write with %c in the address : 0x[ _ _ _ --> random values that were previously there]7fffffffdb38. How can I actually write there 0x00007fffffffdb38? Obviously by doing : \x38\xdb\xff\xff\xff\x7f\x00\x00 won't solve the problem, as it will not overwrite the first 4 slots of the address.

Thanks to anyone that will try to help me.

Find elsewhere
🌐
YouTube
youtube.com › kyle jiang
Format String Exploit Demo (64-bit): Queen's Gambit - YouTube
Yet another demonstration of a format string bug in 64-bit Linux. In this exploit, the global offset table entry for exit is overwritten with the known addre...
Published   February 28, 2021
Views   960
🌐
Reddit
reddit.com › r/liveoverflow › 64-bit format string exploitation.
r/LiveOverflow on Reddit: 64-bit Format String Exploitation.
May 5, 2017 -

Hey LiveOverflow,

I've recently come across a few 64-bit Format String challenges in CTF's and they always seem to stump me. This is mainly because there seems to be very little on the web for 64-bit format strings exploitation (most is x86).

Are you aware of any content that could help me in learning how to pwn 64-bit format strings?

Thanks!

🌐
Stack Overflow
stackoverflow.com › questions › 30408045 › format-string-vulnerability-exploit-in-64-bits-systems
linux - Format string vulnerability exploit in 64 bits systems - Stack Overflow
September 12, 2016 - That is, you can't write zeroes into memory with this method, as the printf will treat any zeroes as end-of-string and will stop there. Thus the address where you want to write to must not have leading zero bytes. This issue is already mentioned in http://www.thenewsh.com/~newsham/format-string-attacks.pdf.
🌐
University of Virginia
cs.virginia.edu › ~cr4bd › 4630 › S2017 › slides › 20170322-slides-1up-animated.pdf pdf
1
April 1, 2017 - format string exploit pattern (x86-64) goal: write big 8-byte number at 0x1234567890ABCDEF: write 1000 (short) to address 0x1234567890ABCDEF · write 2000 (short) to address 0x1234567890ABCDF1 · buffer starts 16 bytes above printf return address · %c%c%c%c%c%c%c%c%c%c%c%.991u%hn%.1000u%hn…
🌐
Microsoft Learn
learn.microsoft.com › en-us › dotnet › standard › base-types › standard-numeric-format-strings
Standard numeric format strings - .NET | Microsoft Learn
To work around the problem of Double ... switches and run on 64-bit systems, you can format Double values by using the "G17" standard numeric format ......
🌐
Silicon Labs
community.silabs.com › s › question › 0D51M00007xeJNpSAM › printing-a-64bit-integer
printing a 64-bit integer
July 8, 2016 - If I use the "%lld" format specifier, the string just becomes "ld"... char buffer[255]; int64_t number = 9876543210; sprintf(buffer, "%lld", number); I have also tried what other have suggested here and use the PRI64d specifier which gives the ...
🌐
Stack Overflow
stackoverflow.com › questions › 61160923 › how-to-write-to-adresses-with-format-string-exploit-on-64bit
python - how to write to adresses with format string exploit on 64bit - Stack Overflow
April 12, 2020 - I did some 32bit format string exploits, and I wanted to get to 64bit. However I have the problem, that I can't/don*t know how to write to an adress on 64bit. I have an exploit x.py which should w...
🌐
Microsoft Learn
learn.microsoft.com › en-us › dotnet › api › system.uint64.tostring
UInt64.ToString Method (System) | Microsoft Learn
The ToString() method formats a UInt64 value in the default ("G", or general) format by using the NumberFormatInfo object of the current culture. If you want to specify a different format or culture, use the other overloads of the ToString method, ...
🌐
Microsoft Learn
learn.microsoft.com › en-us › cpp › c-runtime-library › format-specification-syntax-printf-and-wprintf-functions
Format Specification Syntax: `printf` and `wprintf` Functions | Microsoft Learn
The size field prefixes to the type field—hh, h, j, l (lowercase L), L, ll, t, w, z, I (uppercase i), I32, and I64—specify the "size" of the corresponding argument—long or short, 32-bit or 64-bit, single-byte character or wide character—depending on the conversion specifier that they modify. These size prefixes are used with type characters in the printf and wprintf families of functions to specify the interpretation of argument sizes, as shown in the following table. The size field is optional for some argument types. When no size prefix is specified, the formatter consumes integer arguments—for example, signed or unsigned char, short, int, long, and enumeration types—as 32-bit int types, and float, double, and long double floating-point arguments are consumed as 64-bit double types.
🌐
Wikipedia
en.wikipedia.org › wiki › Base64
Base64 - Wikipedia
1 week ago - Base64URL encoding replaces + with ... encoded string HTTP-safe and avoid the need for escaping. To simplify explanation, the example below uses plain text for input. While this is done in practice, a much more common use is encoding images and other data that are normally not representable with plain text, and the result then represents the data in a printable text format. ... Many hands make light work. ... Each input sequence of 6 bits (which can encode 26 = 64 values) is ...
🌐
DEF CON
defcon.org › images › defcon-18 › dc-18-presentations › Haas › DEFCON-18-Haas-Adv-Format-String-Attacks.pdf pdf
Advanced Format String Attacks Presented by Paul Haas
The largest hacking and security conference with presentations, workshops, contests, villages and the premier Capture The Flag Contest.
🌐
Unipi
lettieri.iet.unipi.it › hacking › format-strings.pdf pdf
8. Format Strings The a’s at the beginning are just for alignment, the %u’s
October 18, 2023 - lines contains the stack canary. On 32-bit systems the canary can be read with %x, but on 64-bit you · need %lx, because %x will only read 4 bytes in both systems. Exercise 8.2 — canary0. Steal the canary and then the flag from challenge canary0. ... Chapter 8. Format Strings