🌐
OWASP Foundation
owasp.org › www-community › attacks › Format_string_attack
Format string attack | OWASP Foundation
In this case, if a Format String parameter, like %x, is inserted into the posted data, the string is parsed by the Format Function, and the conversion specified in the parameters is executed. However, the Format Function is expecting more arguments as input, and if these arguments are not supplied, the function could read or write the stack. In this way, it is possible to define a well-crafted input that could change the behavior of the format function, permitting the attacker to cause denial of service or to execute arbitrary commands.
🌐
Stack Overflow
stackoverflow.com › questions › 33718072 › how-to-overwrite-variable-with-format-string-attack
c - How to overwrite variable with format string attack - Stack Overflow
This question is not about a buffer overflow, but about uncontrolled format string, which might let printf wreak havoc memorywise. And the code clearly has a vulnerability a user could exploit. 2015-11-15T17:56:23.597Z+00:00 ... @mooeeeep, as you say, might, but not guaranteed/deterministic. You could enter an input with lots of format specifiers like %s%d%.*f but you can't guarantee that will overwrite the global variable x.
Discussions

c - How to exploit variable's value - Information Security Stack Exchange
However, there is a string format vulnerability here: ... The user-controlled variable buf is used in a printf statement, causing a format string vulnerability. More on security.stackexchange.com
🌐 security.stackexchange.com
December 1, 2017
c - How to use Format String Attack - Stack Overflow
Assume I have the following code: #include #include #include int num1 = 0; int main(int argc, char **argv){ double num2; int *ptr = &... More on stackoverflow.com
🌐 stackoverflow.com
How exactly do format string vulnerabilities works [C]?
The idea is that you are advancing printf's stack pointer internally towards a memory location with our payload. Internally printf has a stack of arguments that are passed into. Using %x you can advance down the stack until you get to the right location in memory (looks like it's 0x988 in this case). Once you put the stack pointer at that location you use %n to write some data into memory. This is basically where we launch our attack and try to take over, the next instruction becomes our payload after printf and exploit() starts running at that point. The first link below has a good explanation of how the stack pointer is advanced towards the payload and the second goes a little more in-depth on how the attack works at the assembly/memory level. http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf http://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html The short story is you're abusing the fact that memory is contiguous as far as your app is concerned to predict where important variables are in memory and then further abusing how printf works to force it to write over it's own stack. You can fire up GDB and use the j, x, set and disas commands (among others) to take a peek at the assembly of a running program and mess around with it if you're so inclined. More on reddit.com
🌐 r/learnprogramming
6
1
June 14, 2017
Format string attack

As you found, %x will pop bytes off the call stack. %08x will print 4 bytes and you can enter multiples of these to walk up the stack.

You now have addresses on the stack and you can print the contents of that memory with %s.

By chance have you tried %n? It should cause a write.

Check this paper for more info https://cs155.stanford.edu/papers/formatstring-1.2.pdf

More on reddit.com
🌐 r/HowToHack
1
7
January 30, 2022
🌐
BreakInSecurity
axcheron.github.io › exploit-101-format-strings
Exploit 101 - Format Strings - BreakInSecurity
April 22, 2018 - $ objdump -R format4 format4: file format elf32-i386 DYNAMIC RELOCATION RECORDS OFFSET TYPE VALUE 08049888 R_386_GLOB_DAT __gmon_start__ 0804988c R_386_GLOB_DAT stdin@GLIBC_2.0 0804989c R_386_JUMP_SLOT printf@GLIBC_2.0 080498a0 R_386_JUMP_SLOT _exit@GLIBC_2.0 080498a4 R_386_JUMP_SLOT fgets@GLIBC_2.0 080498a8 R_386_JUMP_SLOT puts@GLIBC_2.0 080498ac R_386_JUMP_SLOT exit@GLIBC_2.0 # Address of exit() 080498b0 R_386_JUMP_SLOT __libc_start_main@GLIBC_2.0 $ objdump -t format4 | grep hello 080484cb g F .text 0000002e hello · We have to change the value pointed by 080498ac (exit()) with the address of hello(): 080484cb. Now, concerning the position of our string, it’s the 4th parameters on the stack :
🌐
Hacking Lab
hackinglab.cz › en › blog › format-string-vulnerability
Format String Vulnerability - Hacking Lab
October 21, 2024 - This is where aligning the numbers ... help the attacker. This trick can be noticed e.g. in the %x parameter, where addresses are aligned to 8 characters using x. It is also possible to insert a number before other formatting parameters, for example %u [1], [6]. The example below shows an example of changing the value of a variable at a known ...
🌐
Digipen
faculty.digipen.edu › ~dvolper › copies › tn-usfs.pdf pdf
white paper Format String Attacks Tim Newsham Guardent, Inc. September 2000
It is time to step up our attack from passive probes to actively · altering the state of the program. Remember that variable "x"? Let’s try to change its value. To do · this, we will have to enter its address into one of snprintf's arguments. We will then have to skip · over the first argument to snprintf, which is the variable x, and finally, use a "%n" format to write
🌐
HackMD
hackmd.io › @mtQDQ4d_RYymMseu0Sphhw › SyBQEyxv5
Format String Attack - HackMD
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000180The target variable's value (after): 0x00005000 server-10.9.0.5 | (^_^)(^_^) Returned properly (^_^)(^_^) ``` ##### Task 3.C: A much bigger number > Change the value to 0xAABBCCDD. This sub-task is similar to the previous one, except that the target value is now a large number. In a format string attack, this value is the total number of characters that are printed out by the printf() function; printing out this large number of characters may take hours.
🌐
Null Byte
null-byte.wonderhowto.com › how-to › exploit-development-write-specific-values-memory-with-format-string-exploitation-0182112
Exploit Development: How to Write Specific Values to Memory with Format String Exploitation :: Null Byte
March 9, 2018 - That format specifier was already giving us a string that is 8 bytes long. This means we were only adding 16930032 bytes to the length of the entire string. Oops. This is an easy fix though. All we have to do is change 930040x to 930048x. This will give us the correct number of bytes to overwrite the target variable with the value we want.
Top answer
1 of 2
6

You are right that the buffer cannot overflow the flag because of the bounds check. Fgets also includes the null character in its bound check.
http://www.cplusplus.com/reference/cstdio/fgets/

However, there is a string format vulnerability here:

printf(buf);

The user-controlled variable buf is used in a printf statement, causing a format string vulnerability.

https://www.exploit-db.com/docs/28476.pdf

Using a combination of %x %n you can overwrite the flag with "1337." %x is used to pop values off the stack, and %n is used to write the number of characters into that address. The "1337u" expands the number of characters so you can write the correct value. For example, if the memory location of flag is "0xffffff80"

$(python -c 'print "\x80\xff\xff\xff"+"%x%1337u%n"')

This will write a number that is greater than 1337 because of the other stuff before the "1337u," so you just subtract that number by the amount you go overboard, and you'll have the right number. Or, if you want to do some math, the value of "u" is: “The byte to be written” – “the outputted byte” + “the width of the %x specified just before the %n”

2 of 2
2

flag is not local to any function and global in scope. Therefore, it is not located on the runtime stack. Either patch the binary or take advantage of the fact that input to buf is not sanitized and that buf an argument to printf (manipulate the value of the format string argument such that 1337 is written to address 0x601084).


flag is a statically allocated variable whose value will be stored in the data or bss segment of the process rather than in the runtime stack. If you have access to the binary you can simply patch it such that the value 1337 is stored at address 0x601084, which should be in the .data or .bss section. Since here global variable flag is initialized to 0, it will likely be in the .bss section of the binary and the bss segment of the process (this would not be the case if it was initialized to some other value).

Even if one did not know how the compiler allocates memory for variables based on their location in the source code, one could still determine that flag is not stored on the runtime stack by comparing its address with that of the stack pointer %rsp: location 0x601084 is far lower in memory than 0x7fffffffdaf0.

Find elsewhere
🌐
YouTube
youtube.com › dg
Demo on exploiting a format string vulnerability - YouTube
How can we change the state of a variable? If the program has a format string vulnerability we can indeed modify the state and change the control flow of the...
Published   January 20, 2020
Views   1K
🌐
MIT CSAIL
people.csail.mit.edu › alinush › cse409-fall-2011 › 07-format-string-attacks.pdf pdf
Format string attacks
September 26, 2011 - in the format string into the variable cnt. In this case, the number of bytes outputted until that point would be ... Even if the buffer given to snprintf is too small, snprintf will still report the bytes that would have been · written up to a certain point in the %n variables. Conclusion: If an attacker has control over the format-string argument of printf then maybe he can get printf to do
🌐
Exploit-DB
exploit-db.com › docs › english › 28476-linux-format-string-exploitation.pdf pdf
Format String Exploitation-Tutorial By Saif El-Sherei www.elsherei.com
Format strings vulnerability exists in most of the printf family below is some. ... What the Hell Happened there…. Well in vulnerable program “fmt_wrong” the argument is passed directly to the “printf” function. And the function didn’t find a corresponding variable or value on stack so it will start poping values
🌐
Tripwire
tripwire.com › home › blog › vert vuln school: format string attacks 101
VERT Vuln School: Format String Attacks 101
March 22, 2015 - Now, instead of printing out the hex representation of "aaaa" it's printing out the hex representation of the address of the ret variable. Let's look at what happens when we change the last %x to %n: ... We've written 40 into ret! Since %n writes the number of bytes printed let's tweak our format string to write a different value. ... Using direct parameter access we've written a small value into ret. Using a 4 byte target address in this way, printf() first prints the address itself and %n gets incremented as that happens. By tweaking our attack string to use a slightly different address we can write 1 into ret:
🌐
Medium
medium.com › @danielorihuelarodriguez › format-string-vulnerability-439acbe81ddf
Format string vulnerability. What’s a format string vulnerability? | by DanielOrihuela | Medium
November 5, 2024 - The interesting part is in the second execution, where we pass $(printf "\x2c\xc0\x04\x08").x.x.x.%n as input (the dots are just to make the output clearer). As a result, we overwrite the test_val variable. How is that possible? Let’s see. The format string is crafted to accomplish three things.
🌐
Kayssel
kayssel.com › post › format-string
Mastering Format String Exploits: A Comprehensive Guide
January 7, 2024 - Inside, variables like local_var, str, and to_print are not just random data; they’re key players setting the stage for our vulnerability exploration. ... gcc -m32 -no-pie -fno-stack-protector -ggdb -mpreferred-stack-boundary=2 -z execstack -o formatstring formatstring.c ... Under normal circumstances, what you type is what you get on the screen. But what if we spice things up a bit? Enter %s or %x as format strings, and suddenly, printf unveils either to_print’s content or its memory address.
🌐
Tum
sec.in.tum.de › i20 › publications › blind-format-string-attacks › @@download › file › formatstring.pdf pdf
Blind Format String Attacks Fatih Kilic, Thomas Kittel, and Claudia Eckert
The attack consists of three format string overwrites that use · the pointers in EBP. Note that the linked list of saved frame pointers is corrupted by this attack. An attacker may, nevertheless, reconstruct it after he is able to execute his · own code, if it is required. This is only the case if the function is using local · variables after the overwrite and before the return. Otherwise the application · ow is changed and the attacker succeeded.
🌐
Medium
nikhilh20.medium.com › format-string-exploit-ccefad8fd66b
Format String Exploit. One of the most commonly used functions… | by ka1d0 | Medium
February 12, 2019 - We will evaluate any format string you give us with printf(). See if you can get the flag! ... Notice that I’ve tried only those addresses that look like they belong to an auto variable.
🌐
Codearcana
codearcana.com › posts › 2013 › 05 › 02 › introduction-to-format-string-exploits.html
Introduction to format string exploits
May 2, 2013 - (gdb) unset env Delete all environment variables? (y or n) y (gdb) r "$(/usr/bin/python -c 'print "my_exploit_string"')" The most helpful thing to do in gdb is to break just before the call to printf and make sure the argument and the stack stack is what you expect (if you expect to use $hn, make sure the value you control is the 10th argument after the format ...
🌐
GitHub
github.com › VulnHub › ctf-writeups › blob › master › 2016 › angstrom-ctf › format-1.md
ctf-writeups/2016/angstrom-ctf/format-1.md at master · VulnHub/ctf-writeups
This program is vulnerable to a format string attack! Try supplying a format string to overwrite a global variable and get a shell!
Author   VulnHub
🌐
Fengweiz
fengweiz.github.io › 20fa-cs315 › labs › lab3-slides-format-string.pdf pdf
Format-String Vulnerability Instructor: Fengwei Zhang 1 SUSTech
●printf() parses the format string. ●For each %s, it fetches a value where va_list points to · and advances va_list to the next position. ●As we give %s, printf() treats the value as address and · fetches data from that address. If the value is not a · valid address, the program crashes. 13 · Attack 2 : Print Out Data on the Stack · ●Suppose a variable ...
Top answer
1 of 1
9

First of all I recommend that you read the book Hacking: The Art of Exploitation. It is very good.

Now I try to explain how you can exploit your program. I assume that you know some basics about Format String Exploits, so I don't have to start from the very beginning. However it is important to disable ASLR and compile the executable without stack protection.

# disable ASLR
@> echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
# compile without stack protection
@> gcc -g -fno-stack-protector -z execstack fmt.c 

I modified your program a little bit, so it is easier to understand how the exploit works:

#include <stdio.h>

int num1 = 0xdead;

int main(int argc, char **argv){
    int num2 = 0xbeef;
    int *ptr = &num1;
    printf(argv[1]);

    if (num1 == 0xabc){
        printf("Well done");
    }
    if(num2 == 0xdef)
        printf("You are a format string expert");

    printf("\n[DEBUG] num1: 0x%x [%p] num2: 0x%x [%p]\n", num1, &num1, num2, &num2);
    return 0;
}

I am using a 64-Bit Ubunty System. The pointer size is 8 bytes.

The Exploit

variable num1

First we try to change the variable num1. The address of num1 is stored in ptr. ptr is a local variable in main, so it is put on the stack (type int*). To examine the stack we can use the %p format specifier.

@> ./a.out %p.%p.%p.%p.%p.%p.%p.%p.%p

Output:

0x7fffffffdf78.0x7fffffffdf90.(nil).0x7ffff7dd4e80.0x7ffff7dea560.0x7fffffffdf78.0x200400440.0xbeefffffdf70.0x601040
[DEBUG] num1: 0xdead [0x601040] num2: 0xbeef [0x7fffffffde84]

We can see that the 9th element has the value 0x601040. That is the same like the value in our debug message num1: 0xdead [0x601040]. Now we know that 0x601040 is the pointer to the variable num1 and it is located on the stack. To change that value (write in memory) we can use the %n format specifier in combination with the Direct Parameter Access %9$n to write to the address that is stored in the 9th stack position.

To gain access to the Well done message we only need to write 0xabc values to stdout and use %n to write that number in memory:

@> ./a.out `python -c "print('A' * 0xabc)"`%9\$n

I use python to generate that output. Now the program prints "Well done".

variable num2

If we take a close look to the output we see that the 8th element has the value beef. That is our variable num2. I still did not figure out, how to exploit num2 but I try to explain how to do it in theory. We want to put an arbitrary memory address on the stack. This address should be the address that points to num2 (0x7fffffffde84). After that we can use the %n parameter to write to that address. To put an address on the stack we can use the format string.

@> ./a.out `printf "\x08\x07\x06\x05\x04\x03\x02\x01"`

The problem is that we have to find the location of this format string on the stack.

@> ./a.out AAAA`printf "\x08\x07\x06\x05\x04\x03\x02\x01"`BBBB`python -c "print('%p.' * 200)"`

The 'A's and 'B's are just padding and it is also easier to find our address in the output. The exploit looks similar to the num1 exploit way:

@> ./a.out ADDRESS`python -c "print('A' * VAL_TO_WRITE)"`PADDING%LOCATION_OF_ADDRESS\$n

The problem: In our scenario the address of num2 is 0x7fffffffde84 (that is 0x00007fffffffde84). That address can not be written because 0x00 is the C-String Terminator. So we can not put the address in our format string.