🌐
OWASP Foundation
owasp.org › www-community › attacks › Format_string_attack
Format string attack | OWASP Foundation
The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, ...
🌐
Medium
medium.com › @danielorihuelarodriguez › format-string-vulnerability-439acbe81ddf
Format string vulnerability. What’s a format string vulnerability? | by DanielOrihuela | Medium
November 5, 2024 - The vulnerable line of code is: printf(text). Notice that it will print whatever the user feeds to it as input. We can pass any format string that we want. Before continuing, let’s see how to compile the program. gcc fmt_vuln.c -o fmt.out -fno-stack-protector -no-pie -m32 ... Let’s continue with the exploit. The following image shows two executions.
🌐
Medium
medium.com › swlh › binary-exploitation-format-string-vulnerabilities-70edd501c5be
Binary Exploitation: Format String Vulnerabilities | by Vickie Li | The Startup | Medium
September 10, 2020 - This can allow the attacker to overwrite return addresses, function pointers, the global offset table (GOT), and the destructor table (DTORS), thereby hijacking the flow of the program and execute arbitrary code. Since function arguments for %s are passed by reference, for each %s in the format string, the function will retrieve a value from the stack, treat the value as an address, and print out the string stored at that address.
🌐
Hacking Lab
hackinglab.cz › en › blog › format-string-vulnerability
Format String Vulnerability - Hacking Lab
October 21, 2024 - The attacker only needs to get enough formatting parameters into the format string so that one of them points to an invalid address. On almost all UNIX systems, access to an invalid address is caught by the kernel, and the process receives the SIGSEV signal – segmentation fault, and the execution is terminated [2], [3], [5].
type of software vulnerability
Uncontrolled format string is a type of code injection vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a … Wikipedia
🌐
Wikipedia
en.wikipedia.org › wiki › Uncontrolled_format_string
Uncontrolled format string - Wikipedia
December 21, 2025 - Uncontrolled format string is a type of code injection vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user ...
🌐
Gts3
tc.gts3.org › cs6265 › tut › tut05-fmtstr.html
Tut05: Format String Vulnerability - CS6265: Information Security Lab
Your task for today is to launch a control-hijacking attack using this format string vulnerability. The plan is simple: overwrite the GOT of puts() with the address of print_key(), so that when puts() is invoked, execution is actually redirected to print_key().
Top answer
1 of 6
98

You may be able to exploit a format string vulnerability in many ways, directly or indirectly. Let's use the following as an example (assuming no relevant OS protections, which is very rare anyways):

int main(int argc, char **argv)
{
    char text[1024];
    static int some_value = -72;

    strcpy(text, argv[1]); /* ignore the buffer overflow here */

    printf("This is how you print correctly:\n");
    printf("%s", text);
    printf("This is how not to print:\n");
    printf(text);

    printf("some_value @ 0x%08x = %d [0x%08x]", &some_value, some_value, some_value);
    return(0);
}

The basis of this vulnerability is the behaviour of functions with variable arguments. A function which implements handling of a variable number of parameters has to read them from the stack, essentially. If we specify a format string that will make printf() expect two integers on the stack, and we provide only one parameter, the second one will have to be something else on the stack. By extension, and if we have control over the format string, we can have the two most fundamental primitives:


Reading from arbitrary memory addresses

[EDIT] IMPORTANT: I'm making some assumptions about the stack frame layout here. You can ignore them if you understand the basic premise behind the vulnerability, and they vary across OS, platform, program and configuration anyways.

It's possible to use the %s format parameter to read data. You can read the data of the original format string in printf(text), hence you can use it to read anything off the stack:

./vulnerable AAAA%08x.%08x.%08x.%08x
This is how you print correctly:
AAAA%08x.%08x.%08x.%08x
This is how not to print:
AAAA.XXXXXXXX.XXXXXXXX.XXXXXXXX.41414141
some_value @ 0x08049794 = -72 [0xffffffb8]

Writing to arbitrary memory addresses

You can use the %n format specifier to write to an arbitrary address (almost). Again, let's assume our vulnerable program above, and let's try changing the value of some_value, which is located at 0x08049794, as seen above:

./vulnerable $(printf "\x94\x97\x04\x08")%08x.%08x.%08x.%n
This is how you print correctly:
??%08x.%08x.%08x.%n
This is how not to print:
??XXXXXXXX.XXXXXXXX.XXXXXXXX.
some_value @ 0x08049794 = 31 [0x0000001f]

We've overwritten some_value with the number of bytes written before the %n specifier was encountered (man printf). We can use the format string itself, or field width to control this value:

./vulnerable $(printf "\x94\x97\x04\x08")%x%x%x%n
This is how you print correctly:
??%x%x%x%n
This is how not to print:
??XXXXXXXXXXXXXXXXXXXXXXXX
some_value @ 0x08049794 = 21 [0x00000015]

There are many possibilities and tricks to try (direct parameter access, large field width making wrap-around possible, building your own primitives), and this just touches the tip of the iceberg. I would suggest reading more articles on fmt string vulnerabilities (Phrack has some mostly excellent ones, although they may be a little advanced) or a book which touches on the subject.


Disclaimer: the examples are taken [although not verbatim] from the book Hacking: The art of exploitation (2nd ed) by Jon Erickson.

2 of 6
21

It is interesting that no-one has mentioned the n$ notation supported by POSIX. If you can control the format string as the attacker, you can use notations such as:

"%200$p"

to read the 200th item on the stack (if there is one). The intention is that you should list all the n$ numbers from 1 to the maximum, and it provides a way of resequencing how the parameters appear in a format string, which is handy when dealing with I18N (L10N, G11N, M18N*).

However, some (probably most) systems are somewhat lackadaisical about how they validate the n$ values and this can lead to abuse by attackers who can control the format string. Combined with the %n format specifier, this can lead to writing at pointer locations.


* The acronyms I18N, L10N, G11N and M18N are for internationalization, localization, globalization, and multinationalization respectively. The number represents the number of omitted letters.

Find elsewhere
🌐
BreakInSecurity
axcheron.github.io › exploit-101-format-strings
Exploit 101 - Format Strings - BreakInSecurity
April 22, 2018 - First, let’s run the executable. user@gdb:~$ ./format0 %p 0xbffff67e does not have access! Here, the %p prints the first argument printf() will find on the stack. Let’s take a look at the stack before calling printf(). [-------------------------------------code-------------------------------------] 0x400737 <main+167>: sub esp,0xc 0x40073a <main+170>: lea eax,[ebp-0x7a] 0x40073d <main+173>: push eax => 0x40073e <main+174>: call 0x4004a0 <printf@plt> 0x400743 <main+179>: add esp,0x10 0x400746 <main+182>: sub esp,0xc 0x400749 <main+185>: lea eax,[ebx-0x1257] 0x40074f <main+191>: push eax Gue
🌐
Invicti
invicti.com › blog › web-security › format-string-vulnerabilities
What Are Format String Vulnerabilities?
Depending on the language, format string vulnerabilities can allow attackers to execute arbitrary code or manipulate program flow, which can result in compromising sensitive data, disrupting services, or gaining unauthorized access.
🌐
Medium
infosecwriteups.com › exploiting-format-string-vulnerability-97e3d588da1b
EXPLOITING FORMAT STRING VULNERABILITY | by AidenPearce369 | InfoSec Write-ups
January 18, 2024 - By Format String vulnerability, an attacker can execute code, read the stack values, or cause a segmentation fault in the application
🌐
Beagle Security
beaglesecurity.com › blog › vulnerability › format-string-vulnerability.html
Format String Vulnerability
October 20, 2023 - Attackers can manipulate the format string to overwrite function pointers or return addresses on the stack, allowing them to execute malicious code of their choice. A poorly handled format string can cause a program to crash or enter an infinite ...
🌐
Synacktiv
synacktiv.com › en › publications › exploiting-a-blind-format-string-vulnerability-in-modern-binaries-a-case-study-from
Exploiting a Blind Format String Vulnerability in Modern Binaries: A
Once we achieved arbitrary write access on the stack, we began constructing our ROP chain within unused space in the stack frame of the vulnerable function. This area is never touched, making it an ideal location for our exploit. Additionally, it was close enough to be accessed with a stack adjustment gadget, allowing us to execute our ROP chain. Using the format string specifier %*X$c, we could read a value at a specific stack offset (such as the return address) and store it in the internal "character counter".
🌐
NVISO Labs
blog.nviso.eu › 2024 › 05 › 23 › format-string-exploitation-a-hands-on-exploration-for-linux
Format String Exploitation: A Hands-On Exploration for Linux – NVISO Labs
May 23, 2024 - Even though the source code already indicates that our input is unsafely processed and parsed as an argument for the printf() function, we can verify that we have a format string vulnerability here by providing %p as input, which should read a value as a pointer and print it back to us: # Executing the binary ./format-string-3 Howdy gamers!
🌐
Barrebas
barrebas.github.io › blog › 2015 › 02 › 22 › maximum-overkill-two-from-format-string-vulnerability-to-remote-code-execution
Maximum Overkill Two - From Format String Vulnerability to Remote Code Execution - staring into /dev/null
This was a story of how a single format string vulnerability was beaten into arbitrary code execution. The exploit bypasses ASLR and NX via ROP, and finally sends over shellcode which will be executed. The CTF challenge was not designed with this in mind, but it was a fun exercise (and a potential ...
🌐
Vickieli
vickieli.dev › binary exploitation › format-string-vulnerabilities
Format String Vulnerabilities - Vickie Li’s Security Blog
August 9, 2020 - This can allow the attacker to overwrite return addresses, function pointers, the global offset table (GOT), and the destructor table (DTORS), thereby hijacking the flow of the program and execute arbitrary code. Since function arguments for %s are passed by reference, for each %s in the format string, the function will retrieve a value from the stack, treat the value as an address, and print out the string stored at that address.
🌐
MCSI Library
library.mosse-institute.com › articles › 2022 › 06 › linux-exploitation-format-string-vulnerabilities-and-exploitation › linux-exploitation-format-string-vulnerabilities-and-exploitation.html
Linux Exploitation: Format String Vulnerabilities and Exploitation — MCSI Library
A format string vulnerability is a type of software bug that can be exploited to crash a program or execute arbitrary code. The bug occurs when the programmer uses the wrong format specifier in a printf()-style function. This can cause the function to print out sensitive data from memory, or ...
🌐
CTF Handbook
ctf101.org › binary-exploitation › what-is-a-format-string-vulnerability
Format String Vulnerability - CTF Handbook
For example, if we can make the format argument "%x.%x.%x.%x", printf will pop off four stack values and print them in hexadecimal, potentially leaking sensitive information. printf can also index to an arbitrary "argument" with the following syntax: "%n$x" (where n is the decimal index of the argument you want). While these bugs are powerful, they're very rare nowadays, as all modern compilers warn when printf is called with a non-constant string.
🌐
Ostorlab
docs.ostorlab.co › kb › FORMAT_STRING › index.html
Format String Vulnerability
Denial of Service (DoS): A format string vulnerability can be manipulated by an attacker to crash the program or induce it into an infinite loop. This type of attack results in a denial of service (DoS), rendering the system or application inaccessible to legitimate users.