🌐
CTF Handbook
ctf101.org › binary-exploitation › what-is-a-format-string-vulnerability
Format String Vulnerability - CTF Handbook
A format string vulnerability is a bug where user input is passed as the format argument to printf, scanf, or another function in that family.
🌐
Medium
medium.com › @fahimalshihabifty › bcs-ctf-2025-exploiting-format-string-vulnerabilities-f6dcad98f314
BCS CTF 2025: Exploiting Format String Vulnerabilities | by Md Fahim Al Shihab | Medium
March 5, 2025 - void blackbox(char *input) { printf(input); // Format string vulnerability here if (brocode == 0x4ADF070F) { system("cat flag.txt"); // Goal: Trigger this branch } else { puts("You cannot enter as brocode"); } } int main() { char name[1048]; setbuf(stdout, NULL); setbuf(stdin, NULL); setbuf(stderr, NULL); printf("Enter name: "); fgets(name, sizeof(name), stdin); blackbox(name); return 0; }
🌐
picoCTF Solutions
picoctfsolutions.com › posts › format-string-ctf
Format String Vulnerabilities for CTF Binary Exploitation | picoCTF Solutions
April 12, 2026 - If printf("%s", buf) is used instead, the input is always treated as a plain string and no specifiers are interpreted. Send %x specifiers to dump stack values as hex integers. Each %x consumes one word from the stack: ... Use %p instead of %x to get pointer-width output with a 0x prefix, which is cleaner on 64-bit systems: ... If you want to read from a specific stack offset without cycling through all the preceding ones, use the positional argument syntax %N$x where N is the index: $ echo '%6$x' | ./vulnerable # read the 6th stack word
🌐
YouTube
youtube.com › watch
Format String Vulnerability Explained | CTF Walkthrough - YouTube
In this video walk-through, we covered a binary vulnerable to format string vulnerability in which the vulnerable code contains an implementation of printf s...
Published   October 14, 2023
🌐
Mahaloz
ctf-wiki.mahaloz.re › pwn › linux › fmtstr › fmtstr_example
Format String Vulnerability Example - CTF Wiki EN
It's easy to understand that we're going to use the format string vulnerability to hijack the return address of the program to the address we want to execute. Here we take [three white hat-pwnme_k0] (https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/fmtstr/three white hats-pwnme_k0) as an example for analysis.
🌐
Medium
shadowintel.medium.com › uncontrolled-format-string-ctf-dec7a9aea747
Uncontrolled Format String | CTF. Introduction | by Ahmet Göker | Medium
February 16, 2023 - When we check the function called vuln() we know that vulnerability occurs however. We should consider on printf(story) because there is not parameters given. ... The first sample interprets story as a format string, and parses any formatting instructions it may contain.
🌐
NVISO Labs
blog.nviso.eu › 2024 › 05 › 23 › format-string-exploitation-a-hands-on-exploration-for-linux
Format String Exploitation: A Hands-On Exploration for Linux – NVISO Labs
May 23, 2024 - This is a type of vulnerability where submitted data of an input string is evaluated as an argument to an unsafe use of e.g., a printf() function by the application, resulting in the ability to read and/or write to memory.
🌐
CTFtime.org
ctftime.org › writeup › 26750
CTFtime.org / BlueHens CTF 2021 / ForMatt Zelinsky / Writeup
March 19, 2021 - # We now use the format string vulnerability to write and execute a ropchain # Overwrite EIP with whatever we want and use it to leak LIBC. # In order to leak libc we execute puts with a function's GOT entry address as an argument. # This way puts will print out, as a string, the address of ...
Find elsewhere
🌐
CTFtime.org
ctftime.org › writeup › 30554
CTFtime.org / PBjar CTF '21 / Curve / Writeup
) = 6 puts("Input 2:"Input 2: ) = 9 read(0BBBB , "BBBB\n", 128) = 5 puts("\nInput 3:" Input 3: ) = 10 read(0CCCC , "CCCC\n", 128) = 5 printf("CCCC\n"CCCC ) = 5 free(0x55db2ad8d2a0) = <void> puts("\nLol how could inputting strings"... Lol how could inputting strings stop the central finite curve. ) = 64 +++ exited (status 0) +++ ``` It is clear that there is a format string vulnerability on the third input.
🌐
CTFtime.org
ctftime.org › writeup › 37314
CTFtime.org / n00bzCTF 2023 / Strings / Writeup
Decompiling ``main2()``, we can see that it prints a global buffer ``fake_flag``, again introducing another format string vulnerability. We can see that the real flag is read into the ``local_38`` buffer. The idea for the solution would be to first use ``%n`` to rewrite ``fake_flag`` to ``%s``, so it prints out the real flag.
🌐
GitHub
github.com › VulnHub › ctf-writeups › blob › master › 2016 › angstrom-ctf › format-1.md
ctf-writeups/2016/angstrom-ctf/format-1.md at master · VulnHub/ctf-writeups
This program is vulnerable to a format string attack! Try supplying a format string to overwrite a global variable and get a shell!
Author   VulnHub
🌐
Readthedocs
formatstringexploiter.readthedocs.io › en › latest › examples › hacker_level.html
CAMP CTF 2015: Hacker Level — formatStringExploiter 0.1 documentation
This program is clearly vulnerable to a format string attack. Further, to get to the winning path it checks a global variable against the value 0xCCC31337.
🌐
DeepWiki
deepwiki.com › Crypto-Cat › CTF › 2.2-format-string-vulnerabilities
Format String Vulnerabilities | Crypto-Cat/CTF | DeepWiki
Format string vulnerabilities occur when a program passes user-controlled data as the format string parameter to functions like printf(), fprintf(), sprintf(), etc. These functions interpret format specifiers (such as %s, %d, %x, %n) within the format string to determine how to process subsequent ...
🌐
CTFtime.org
ctftime.org › writeup › 16273
WRITEUP BLACK ECHO (blind format string)
CTF events / redpwnCTF 2019 / Tasks / Black Echo / Writeup · by bytevsbyte / beerpwn · Rating: 5.0 · # WRITEUP BLACK ECHO (blind format string) ## __Author:__ bytevsbyte @ beerpwn team · There wasn't any executable to download, just a service running on the server.\ When I tried to connect with netcat and send some bytes, the server replied echoing my input.\ Then I sent some "%p" to check if it was a format string vulnerability.
🌐
Stack Overflow
stackoverflow.com › questions › 65157505 › need-help-on-format-string-vulnerability
c - Need help on format string vulnerability - Stack Overflow
December 5, 2020 - #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char **argv){ int i = 1; char buffer[64]; snprintf(buffer, sizeof buffer, argv[1]); buffer[sizeof (buffer) - 1] = 0; printf("Change i's value from 1 -> 500. "); if(i==500){ printf("GOOD\n"); setreuid(geteuid(),geteuid()); system("/bin/sh"); } printf("No way...let me give you a hint!\n"); printf("buffer : [%s] (%d)\n", buffer, strlen(buffer)); printf ("i = %d (%p)\n", i, &i); return 0; } Hi! I'm working on ctf exercise(Overthewire 5 level, Narnia).
🌐
tripoloski blog
tripoloski1337.github.io › ctf › 2020 › 06 › 11 › format-string-bug.html
Exploiting Format String bug | tripoloski blog
June 11, 2020 - Offensive Security Engineer, I blog about Cyber security, CTF writeup, Programming, Blockchain and more about tech. born and raised in indonesia, currently living in indonesia Posts About ... did you know , we can write something on memory by using printf ? yes we can. in this post i will try to explain how printf works and how we can exploit format string vulnerability on printf()
🌐
Motasem Notes
motasem-notes.net › home › buffer overflow › format string vulnerability explained | hackthebox leet test
Format String Vulnerability Explained | HackTheBox Leet Test - The MasterMinds Notes | Motasem Hamdan
October 14, 2023 - CTF Writeups WalkthroughCyberSecurity ... in which the vulnerable code contains an implementation of printf statement that takes the user input directly as an argument without input filtering or validation....