If you're not using str anywhere after then it's just that the garbage collector has not run so the memory that should be released hasn't been collected yet. This is probably because Java doesn't need it (since it has some reserve pages left) yet as Java has to use a certain amount of memory before it starts reclaiming memory since running the garbage collector is an expensive task.

Answer from Jesus Ramos on Stack Overflow
Top answer
1 of 1
4

@LiveOverflow helped me figuring out what I couldn't get. Both the assumptions I had were true

  1. printf simply prints what ever isn't a '%' and treats in a special way charcters following '%'
  2. Formatters (%x, %s, '%n, etc...) ONLY use addresses found on the stack (what I mean is that if we start popping off values using %x, those values will be popped of on the stack as long as valid addresses are available

Now in the code in the question, supplying an address as first argument is not enough, we have to somehow put on the stack the address we want to read/write from/to

example:

vuln.c (gcc -g vuln.c -m32 -o vuln):

#include <stdio.h>

int main (int argc, char ** argv) {

    buffer[32];

    fgets (buffer, sizeof(buffer), stdin);

    printf (buffer);

    return 0;
}

We can do by calling the program with an argument ./vuln AAAA. When asked for input we can insert there our format string. Here's the catch: we have to pop values off until we find our AAAA, after %s would dereference the address AAAA and read a string from there aka leaking an arbitrary address. Writing to an address works in the same exact way.

For the sake of simplicity I compiled it with -g so that I could use the *argv symbol

pwndbg> x/4s *argv
0xffffd258: "/home/ncrntn/vu"...
0xffffd267: "ln"
0xffffd26a: "AAAA"
0xffffd26f: "XDG_CONFIG_DIRS"...

At this point we know where to look at

pwndbg> x/200wx $esp
. . .
0xffffd260: 0x6e746e72  0x6c75762f  0x4141006e  0x58004141
. . .

And we indeed found our AAAA (in hex \x41\x41\x41\x41)

🌐
Bi0s
wiki.bi0s.in › pwning › format-string › leak
Leaking Memory - bi0s wiki
In the previous example we gave %p%p%p%p%p%p%s as the input to get the leak. There is a different way of giving the same input. We can give it as %7$s, this prints whatever is there in the 7th offset from top of stack. This can come in handy when we go to the next section. If you are using a 64bit binary, the offset changes since we have some registers which are used before using the stack ... printf() should be used along with the format specifier.
🌐
Malauch
malauch.com › posts › formatting-string-with-c-format-specifier-leaks-memory
Formatting string with C Format Specifiers leaks memory | Malauch’s Swift Notes
There are two main solutions to prevent memory leak. String(format: "d:d.d", 1, 2, 3) // "01:02.003" - leaks memory.
🌐
Medium
nikhilh20.medium.com › format-string-exploit-ccefad8fd66b
Format String Exploit. One of the most commonly used functions… | by ka1d0 | Medium
February 12, 2019 - However, even this seemingly simple function can be exploited if programmers are careless. In this post, we'll look at a vulnerability called the Format String Vulnerability. It causes a memory leak in the program stack.
🌐
Unity
forum.unity.com › unity engine
string.Format("ABCDE") -> memory leak? - Unity Engine - Unity Discussions
December 12, 2009 - How do you suggest they generate a dynamically sized string without allocating on the heap · String.Format is slow, but WAY better on iPhone that concatenating Strings on the fly at runtime. String addition without String.Format chews through memory very very quickly
🌐
Infosec Institute
resources.infosecinstitute.com › topic › how-to-exploit-format-string-vulnerabilities
How to exploit format string vulnerabilities - Infosec Resources
September 21, 2020 - We managed to successfully leak the secret string from the stack by using a format string vulnerability in the target binary. In the previous section, we used %9$s as our format specifier and dumped the secret string from the stack. This technique worked because 9th value is a valid address that is pointing to our secret string. If we try to access an invalid memory location in a similar fashion, that will cause a segmentation fault leading to crashing the program.
Find elsewhere
🌐
Boost
svn.boost.org › trac10 › ticket › 7379
#7379 (Boost Format strings causing memory leaks) – Boost C++ Libraries
No, the format string is correct. The "%N$" syntax means to read the Nth argument instead of processing the arguments sequentially. I am unable to reproduce this issue using valgrind by adding the following test to format_test_wstring.cpp: diff --git a/test/format_test_wstring.cpp b/test/format_test_wstring.cpp index c30f740..4f9a871 100644 --- a/test/format_test_wstring.cpp +++ b/test/format_test_wstring.cpp @@ -29,8 +29,16 @@ int test_main(int, char* []) BOOST_ERROR("Basic w-parsing Failed"); if(str( wformat(L"%%##%#x ##%%1 %s00") % 20 % L"Escaped OK" ) != L"%##0x14 ##%1 Escaped OK00") BOOST
🌐
made0x78 Security
made0x78.com › bseries-how-to-leak-data
Binary Exploitation Series (5): How to leak data? - made0x78 Security
November 30, 2018 - I often read the question “How to leak data?” and I will try to give you some basic ideas on how to get some information about a target (binary, memory layout). If you have a format string vulnerability in the given binary you can abuse that vulnerability to leak a lot of information about ...
🌐
GitHub
github.com › draios › sysdig › issues › 693
Memory leak when format string ends with non-filtercheck · Issue #693 · draios/sysdig
December 5, 2016 - While investigating falcosecurity/falco#156, I noticed that there's a memory leak in sinsp_evt_formatter when the format string ends with characters that aren't part of a filtercheck specification: if(last_nontoken_str_start != j) { m_to...
Author   draios
🌐
Infosec Institute
infosecinstitute.com › resources › secure-coding › format-string-vulnerabilities-exploitation-case-study
Format String Vulnerabilities Exploitation Case Study | Infosec
This technique can greatly increase the difficulty of exploiting a stack buffer overflow because it forces the attacker to gain control of the instruction pointer by some non-traditional means such as using memory leak vulnerabilities. ... Now that we understood how stack canaries work, let us discuss how we can bypass stack canaries and exploit the buffer overflow vulnerability. We are going to use the same vulnerable program for this exercise. ... The preceding program is vulnerable to two different vulnerabilities. ... We will make use of the format string vulnerability to leak the stack canary and Stack Based Buffer Overflow to take control of the RIP register.
🌐
CTF Handbook
ctf101.org › binary-exploitation › what-is-a-format-string-vulnerability
Format String Vulnerability - CTF Handbook
A format string vulnerability is a bug where user input is passed as the format argument to printf, scanf, or another function in that family. The format argument has many different specifiers which could allow an attacker to leak data if they control the format argument to printf.
🌐
Security Boulevard
securityboulevard.com › home › security bloggers network › format string vulnerabilities exploitation case study
Format String Vulnerabilities Exploitation Case Study - Security Boulevard
September 30, 2020 - This technique can greatly increase the difficulty of exploiting a stack buffer overflow because it forces the attacker to gain control of the instruction pointer by some non-traditional means such as using memory leak vulnerabilities. ... Now that we understood how stack canaries work, let us discuss how we can bypass stack canaries and exploit the buffer overflow vulnerability. We are going to use the same vulnerable program for this exercise. The preceding program is vulnerable to two different vulnerabilities. ... We will make use of the format string vulnerability to leak the stack canary and Stack Based Buffer Overflow to take control of the RIP register.
🌐
Infosec Institute
infosecinstitute.com › resources › secure-coding › how-to-exploit-format-string-vulnerabilities
How to exploit format string vulnerabilities | Infosec
September 21, 2020 - We managed to successfully leak the secret string from the stack by using a format string vulnerability in the target binary. In the previous section, we used %9$s as our format specifier and dumped the secret string from the stack. This technique worked because 9th value is a valid address that is pointing to our secret string. If we try to access an invalid memory location in a similar fashion, that will cause a segmentation fault leading to crashing the program.
🌐
Unipi
lettieri.iet.unipi.it › hacking › format-strings.pdf pdf
8. Format Strings The a’s at the beginning are just for alignment, the %u’s
October 18, 2023 - The first check limits the range of argument slots that can be reached by a forged format string, and · the second one tries to prevent arbitrary memory write exploits.