CTF Handbook
ctf101.org › binary-exploitation › what-is-a-format-string-vulnerability
Format String Vulnerability - CTF Handbook
A format string vulnerability is a bug where user input is passed as the format argument to printf, scanf, or another function in that family.
Medium
medium.com › @fahimalshihabifty › bcs-ctf-2025-exploiting-format-string-vulnerabilities-f6dcad98f314
BCS CTF 2025: Exploiting Format String Vulnerabilities | by Md Fahim Al Shihab | Medium
March 5, 2025 - void blackbox(char *input) { printf(input); // Format string vulnerability here if (brocode == 0x4ADF070F) { system("cat flag.txt"); // Goal: Trigger this branch } else { puts("You cannot enter as brocode"); } } int main() { char name[1048]; setbuf(stdout, NULL); setbuf(stdin, NULL); setbuf(stderr, NULL); printf("Enter name: "); fgets(name, sizeof(name), stdin); blackbox(name); return 0; }
Videos
- YouTube
00:34
PicoCTF 2018 - strings - YouTube
00:55
2020 Update - picoCTF 2019 | General Skills - Strings It Solution ...
03:03
Image Strings | Ryan's CTF [07] "Stenography" - YouTube
09:40
Learning CTF: PicoCTF 2017 [08] Loooong (Python Strings) - YouTube
16:31
Intro Format String Vulnerability | PicoCTF 2017 [39] "I've Got ...
picoCTF Solutions
picoctfsolutions.com › posts › format-string-ctf
Format String Vulnerabilities for CTF Binary Exploitation | picoCTF Solutions
April 12, 2026 - If printf("%s", buf) is used instead, the input is always treated as a plain string and no specifiers are interpreted. Send %x specifiers to dump stack values as hex integers. Each %x consumes one word from the stack: ... Use %p instead of %x to get pointer-width output with a 0x prefix, which is cleaner on 64-bit systems: ... If you want to read from a specific stack offset without cycling through all the preceding ones, use the positional argument syntax %N$x where N is the index: $ echo '%6$x' | ./vulnerable # read the 6th stack word
YouTube
youtube.com › watch
Format String Vulnerability Explained | CTF Walkthrough - YouTube
In this video walk-through, we covered a binary vulnerable to format string vulnerability in which the vulnerable code contains an implementation of printf s...
Published October 14, 2023
Mahaloz
ctf-wiki.mahaloz.re › pwn › linux › fmtstr › fmtstr_example
Format String Vulnerability Example - CTF Wiki EN
It's easy to understand that we're going to use the format string vulnerability to hijack the return address of the program to the address we want to execute. Here we take [three white hat-pwnme_k0] (https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/fmtstr/three white hats-pwnme_k0) as an example for analysis.
Mahaloz
ctf-wiki.mahaloz.re › pwn › linux › fmtstr › fmtstr_intro
Format String Vulnerability Principle - CTF Wiki EN
For example, '%s' indicates that we will output a string argument.
CTFtime.org
ctftime.org › writeup › 26750
CTFtime.org / BlueHens CTF 2021 / ForMatt Zelinsky / Writeup
March 19, 2021 - # We now use the format string vulnerability to write and execute a ropchain # Overwrite EIP with whatever we want and use it to leak LIBC. # In order to leak libc we execute puts with a function's GOT entry address as an argument. # This way puts will print out, as a string, the address of ...
CTFtime.org
ctftime.org › writeup › 30554
CTFtime.org / PBjar CTF '21 / Curve / Writeup
) = 6 puts("Input 2:"Input 2: ) = 9 read(0BBBB , "BBBB\n", 128) = 5 puts("\nInput 3:" Input 3: ) = 10 read(0CCCC , "CCCC\n", 128) = 5 printf("CCCC\n"CCCC ) = 5 free(0x55db2ad8d2a0) = <void> puts("\nLol how could inputting strings"... Lol how could inputting strings stop the central finite curve. ) = 64 +++ exited (status 0) +++ ``` It is clear that there is a format string vulnerability on the third input.
Reddit
reddit.com › r/securityctf › format string vulnerability explained | hackthebox leet test
r/securityCTF on Reddit: Format String Vulnerability Explained | HackTheBox Leet Test
October 14, 2023 -
We covered a binary vulnerable to format string vulnerability in which the vulnerable code contains an implementation of printf statement that takes the user input directly as an argument without input filtering or validation. This leads the attacker to submit format string specifiers such as %x, %n or %p to leak or even modify values on the stack.
Video is here
Writeup is here
CTFtime.org
ctftime.org › writeup › 37314
CTFtime.org / n00bzCTF 2023 / Strings / Writeup
Decompiling ``main2()``, we can see that it prints a global buffer ``fake_flag``, again introducing another format string vulnerability. We can see that the real flag is read into the ``local_38`` buffer. The idea for the solution would be to first use ``%n`` to rewrite ``fake_flag`` to ``%s``, so it prints out the real flag.
GitHub
github.com › VulnHub › ctf-writeups › blob › master › 2016 › angstrom-ctf › format-1.md
ctf-writeups/2016/angstrom-ctf/format-1.md at master · VulnHub/ctf-writeups
This program is vulnerable to a format string attack! Try supplying a format string to overwrite a global variable and get a shell!
Author VulnHub
Readthedocs
formatstringexploiter.readthedocs.io › en › latest › examples › hacker_level.html
CAMP CTF 2015: Hacker Level — formatStringExploiter 0.1 documentation
This program is clearly vulnerable to a format string attack. Further, to get to the winning path it checks a global variable against the value 0xCCC31337.
DeepWiki
deepwiki.com › Crypto-Cat › CTF › 2.2-format-string-vulnerabilities
Format String Vulnerabilities | Crypto-Cat/CTF | DeepWiki
Format string vulnerabilities occur when a program passes user-controlled data as the format string parameter to functions like printf(), fprintf(), sprintf(), etc. These functions interpret format specifiers (such as %s, %d, %x, %n) within the format string to determine how to process subsequent ...
CTFtime.org
ctftime.org › writeup › 16273
WRITEUP BLACK ECHO (blind format string)
CTF events / redpwnCTF 2019 / Tasks / Black Echo / Writeup · by bytevsbyte / beerpwn · Rating: 5.0 · # WRITEUP BLACK ECHO (blind format string) ## __Author:__ bytevsbyte @ beerpwn team · There wasn't any executable to download, just a service running on the server.\ When I tried to connect with netcat and send some bytes, the server replied echoing my input.\ Then I sent some "%p" to check if it was a format string vulnerability.
Stack Overflow
stackoverflow.com › questions › 65157505 › need-help-on-format-string-vulnerability
c - Need help on format string vulnerability - Stack Overflow
December 5, 2020 - #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char **argv){ int i = 1; char buffer[64]; snprintf(buffer, sizeof buffer, argv[1]); buffer[sizeof (buffer) - 1] = 0; printf("Change i's value from 1 -> 500. "); if(i==500){ printf("GOOD\n"); setreuid(geteuid(),geteuid()); system("/bin/sh"); } printf("No way...let me give you a hint!\n"); printf("buffer : [%s] (%d)\n", buffer, strlen(buffer)); printf ("i = %d (%p)\n", i, &i); return 0; } Hi! I'm working on ctf exercise(Overthewire 5 level, Narnia).
tripoloski blog
tripoloski1337.github.io › ctf › 2020 › 06 › 11 › format-string-bug.html
Exploiting Format String bug | tripoloski blog
June 11, 2020 - Offensive Security Engineer, I blog about Cyber security, CTF writeup, Programming, Blockchain and more about tech. born and raised in indonesia, currently living in indonesia Posts About ... did you know , we can write something on memory by using printf ? yes we can. in this post i will try to explain how printf works and how we can exploit format string vulnerability on printf()