🌐
Ctfrecipes
ctfrecipes.com › pwn › stack-exploitation › format-string
Format string | The CTF Recipes
The format string consists of text and placeholders for values that will be inserted into the string at runtime. Placeholders are represented by a percent sign (%), followed by a conversion specifier that specifies the type of value being inserted ...
🌐
CTF Handbook
ctf101.org › binary-exploitation › what-is-a-format-string-vulnerability
Format String Vulnerability - CTF Handbook
For example, if we can make the format argument "%x.%x.%x.%x", printf will pop off four stack values and print them in hexadecimal, potentially leaking sensitive information. printf can also index to an arbitrary "argument" with the following syntax: "%n$x" (where n is the decimal index of the argument you want). While these bugs are powerful, they're very rare nowadays, as all modern compilers warn when printf is called with a non-constant string...
🌐
tripoloski blog
tripoloski1337.github.io › ctf › 2020 › 06 › 11 › format-string-bug.html
Exploiting Format String bug | tripoloski blog
June 11, 2020 - Offensive Security Engineer, I blog about Cyber security, CTF writeup, Programming, Blockchain and more about tech. born and raised in indonesia, currently living in indonesia Posts About ... did you know , we can write something on memory by using printf ? yes we can. in this post i will try to explain how printf works and how we can exploit format string vulnerability on printf()
🌐
GitHub
github.com › VulnHub › ctf-writeups › blob › master › 2016 › angstrom-ctf › format-1.md
ctf-writeups/2016/angstrom-ctf/format-1.md at master · VulnHub/ctf-writeups
# python2 -c 'print "A"*4 + "-%x-%x-%x-%x-%x-%x-%x"' | ./format1 AAAA-80-f7785580-ffb064f4-ffb063fe-1-c2-41414141 Sorry, secret = 0 · Here we can see that the string AAAA (41414141) repeats at index 7.
Author   VulnHub
🌐
CTFtime.org
ctftime.org › writeup › 16273
WRITEUP BLACK ECHO (blind format string)
CTF events / redpwnCTF 2019 / Tasks / Black Echo / Writeup · by bytevsbyte / beerpwn · Rating: 5.0 · # WRITEUP BLACK ECHO (blind format string) ## __Author:__ bytevsbyte @ beerpwn team ·
🌐
CTFtime.org
ctftime.org › writeup › 30554
CTFtime.org / PBjar CTF '21 / Curve / Writeup
To do that, we have to place "sh\x00\x00" at the start of the format string. But we also need the format string to overwrite the __free_hook, so we can't have NULL bytes in our input. It means that we need to update the content of our string at runtime, using the format string attack itself.
🌐
NVISO Labs
blog.nviso.eu › 2024 › 05 › 23 › format-string-exploitation-a-hands-on-exploration-for-linux
Format String Exploitation: A Hands-On Exploration for Linux – NVISO Labs
May 23, 2024 - Here's the address of setvbuf in libc: %p\n", &setvbuf); } int main() { char *all_strings[MAX_STRINGS] = {NULL}; char buf[1024] = {'\0'}; setup(); hello(); fgets(buf, 1024, stdin); printf(buf); puts(normal_string); return 0; }C · Since we have a compiled version provided from the challenge, we can proceed and make it executable. We then do a test run, which provides the following output: # Making both the executable & linker executable chmod u+x format-string-3 ld-linux-x86-64.so.2 # Executing the binary ./format-string-3 Howdy gamers!
🌐
Medium
shadowintel.medium.com › uncontrolled-format-string-ctf-dec7a9aea747
Uncontrolled Format String | CTF. Introduction | by Ahmet Göker | Medium
February 16, 2023 - You should be familiar with string which you want to output, with the help of ‘print()’ · by forcing a program to overwrite the address of a library function or the return address on the stack with a pointer to some malicious shell-code. The padding parameters to format specifiers are used to control the number of bytes output and the %x token is used to pop bytes from the stack until the beginning of the format string itself is reached.
🌐
CTF Support
ctf.support › pwn › format-strings
Format Strings | CTF Support
October 13, 2025 - Stack access syntax can be used by using numbered format parameters to control which stack slot you read from. %1$p - Print first stack pointer as an address %7$s - Interpret 7th stack value as a string
Find elsewhere
🌐
CTFtime.org
ctftime.org › writeup › 26750
CTFtime.org / BlueHens CTF 2021 / ForMatt Zelinsky / Writeup
March 19, 2021 - The idea is the following: we can use the format string vulnerability to write and execute a ropchain. Having this in mind, it's relatively simple to exploit the vulnerability. ```python #!/usr/bin/env python3 · from pwn import * HOST = "challenges.ctfd.io" PORT = 30042 ·
🌐
Mahaloz
ctf-wiki.mahaloz.re › pwn › linux › fmtstr › fmtstr_example
Format String Vulnerability Example - CTF Wiki EN
Although we did not put data into the corresponding registers, the program will still parse the format according to the format of the format string. Here, we introduce the [pwn200 GoodLuck] (https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/fmtstr/2017-UIUCTF-pwn200-GoodLuck) in UIUCTF in 2017 as an example.
🌐
Mahaloz
ctf-wiki.mahaloz.re › pwn › linux › fmtstr › fmtstr_intro
Format String Vulnerability Principle - CTF Wiki EN
The format string function accepts a variable number of arguments and uses the first argument as a format string, from which the parsed argument is parsed. In general, formatting a string function is to convert the data represented in the computer's memory into our human-readable string format.
🌐
Gitlab
xanhacks.gitlab.io › ctf-docs › pwn › format-string › 01-introduction-format-string
Introduction - Format string - CTF Docs
%b: As a string, interpreting backslash escapes, except that octal escapes are of the form 0 or 0ooo.
🌐
YouTube
youtube.com › john hammond
Intro Format String Vulnerability | PicoCTF 2017 [39] "I've Got a Secret" - YouTube
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010E-mail: johnhammond010@gmai...
Published   September 26, 2018
Views   18K
🌐
Jake Mullins
jake-mullins.github.io › year-of-hacking-0x2
Week 2 - Format String Attacks from PicoCTF
April 8, 2024 - The most basic definition of a string is any amount of characters in memory that end with 0x00. The format designator is %s. I first tried to feed %s characters to try and expose any cstrings in the stacks, but it didn’t yield any useful information: ┌──(jakemull㉿leman-russ)-[~/ctf/pico/format-string-1] └─$ nc mimas.picoctf.net 62076 Give me your order and I'll read it back to you: %s%s%s%s Here's your order: Here's your order: (null)(null) Bye!
🌐
Gitbook
sashactf.gitbook.io › pwn-notes › ctf-writeups › cor-ctf-2024 › format-string
format-string | pwn-notes
int __printf (const char *format, ...) { va_list arg; int done; va_start (arg, format); done = __vfprintf_internal (stdout, format, arg, 0); va_end (arg); return done; }
🌐
CTFtime.org
ctftime.org › writeup › 37314
CTFtime.org / n00bzCTF 2023 / Strings / Writeup
Firstly, we can access a relative argument passed to printf, by adding a number to the format string. For example ``%5$s`` would print the string found at the 5th address on the stack. Well, it would, if it were a 32-bits binary. But on 64-bits it gets even better - the first arguments that printf looks at are the registers.
🌐
picoCTF Solutions
picoctfsolutions.com › posts › format-string-ctf
Format String Vulnerabilities for CTF Binary Exploitation | picoCTF Solutions
April 12, 2026 - A beginner-friendly guide to format string vulnerabilities in CTF binary exploitation: how printf leaks memory, finding the format string offset, writing arbitrary values with %n, and walking through the picoCTF format string series.