It sounds like you understand basically what you're trying to do, so this is more a programming puzzle than a security one, at this point.

If the buffer has the shellcode placed before the %Nu%n sequence, I won't know how many characters have been printed before I get to the first %n, since the shellcode will contain non-printable characters.

Getting the length of characters printed by just treating the shellcode itself as a format string is trivial: all the *printf functions return the number of characters printed, so just running int c = printf(<SHELLCODE>);printf("\n%d\n", c); will tell you how many characters are printed in the course of treating the shellcode as a format string. However, putting the shellcode before the format specifiers like this imposes a limit on the minimum value you could put with %n specifiers after the shellcode.

If it's placed after it, I won't know the address of the shellcode itself, since the amount of digits for each N may vary.

Easily solved by padding the string (with spaces, or zeroes, or whatever you want except format specifiers) between the format specifiers and the shellcode, and deleting a padding character every time a format specifier gets one character longer. In practice, since the number of digits in N will only change when you the value of N crosses a power of 10, you can also achieve this by just making minor tweaks.


If you want to make this really easy, pad the input string between your format specifiers and your shellcode with single-byte no-ops (the canonical one for x86 is 0x90), and then you only have to land somewhere between the end of the format specifiers (exclusive) and the start of the shellcode (inclusive), rather than on the start of the shellcode exactly. This technique is called a "NOP sled" because when the instruction pointer winds up anywhere in it, it just "slides" all the way into your shellcode.

Answer from CBHacking on Stack Exchange
Top answer
1 of 1
1

It sounds like you understand basically what you're trying to do, so this is more a programming puzzle than a security one, at this point.

If the buffer has the shellcode placed before the %Nu%n sequence, I won't know how many characters have been printed before I get to the first %n, since the shellcode will contain non-printable characters.

Getting the length of characters printed by just treating the shellcode itself as a format string is trivial: all the *printf functions return the number of characters printed, so just running int c = printf(<SHELLCODE>);printf("\n%d\n", c); will tell you how many characters are printed in the course of treating the shellcode as a format string. However, putting the shellcode before the format specifiers like this imposes a limit on the minimum value you could put with %n specifiers after the shellcode.

If it's placed after it, I won't know the address of the shellcode itself, since the amount of digits for each N may vary.

Easily solved by padding the string (with spaces, or zeroes, or whatever you want except format specifiers) between the format specifiers and the shellcode, and deleting a padding character every time a format specifier gets one character longer. In practice, since the number of digits in N will only change when you the value of N crosses a power of 10, you can also achieve this by just making minor tweaks.


If you want to make this really easy, pad the input string between your format specifiers and your shellcode with single-byte no-ops (the canonical one for x86 is 0x90), and then you only have to land somewhere between the end of the format specifiers (exclusive) and the start of the shellcode (inclusive), rather than on the start of the shellcode exactly. This technique is called a "NOP sled" because when the instruction pointer winds up anywhere in it, it just "slides" all the way into your shellcode.

🌐
Samsclass
samsclass.info › 127 › proj › p6-fs.htm
Proj 6: Exploiting a Format String Vulnerability (20 pts.)
chmod a+x f5.py gdb ./fs break * main + 59 break * main + 64 run $(./f5.py) x/4x 0x0804974c continue x/4x 0x0804974c continue q y As shown below, the program jumps into the NOP sled and stops when it hits the 0xcc values--that is, at the dummy shellcode. This exploit is a bit finicky--the injected code is passed in as a format string.
🌐
Infosec Institute
resources.infosecinstitute.com › topic › exploiting-format-strings-getting-the-shell
Exploiting format strings: Getting the shell - Infosec Resources
July 5, 2016 - In this article, we will have a look at how to exploit format String vulnerabilities to get a shell. In this article, we will briefly have a look at how to overwrite specific memory location, how to inject our shellcode in current memory of program and further overwrite the some desired memory ...
🌐
System Overlord
systemoverlord.com › 2014 › 02 › 12 › printf-format-string-exploitation
printf Format String Exploitation | System Overlord
February 12, 2014 - It’s easy to predict the address (if you don’t change the environment) by writing a small program to spit it out, and, if you don’t feel like writing your own shellcode, msfvenom will provide you with a convenient shellcode in bash form: msfvenom -p linux/x86/exec CMD=/bin/sh -f bash -b '\x00'.
🌐
Stack Overflow
stackoverflow.com › questions › 19167776 › format-string-exploit-opening-root-shell
c - Format String exploit - opening root shell - Stack Overflow
I'm trying to overwrite the instruction pointer register (eip) with the address of the array containing my shellcode. I always end up with segmentation fault though. The following is a snippet I'm trying to exploit: //Prints version static void print_version(char* cmd) { char txt[640+1]; snprintf(txt, 640, "Submission program version 0.1 (%s)\n", cmd); printf(txt); } I'm calling this function through execve(). The format string is the argv[0] here, which is successfully passed to the function above.
🌐
Infosec Institute
infosecinstitute.com › resources › hacking › exploiting-format-strings-getting-the-shell
Exploiting format strings: Getting the shell | Infosec
July 5, 2016 - In this article, we will have a look at how to exploit format String vulnerabilities to get a shell. In this article, we will briefly have a look at how to overwrite specific memory location, how to inject our shellcode in current memory of program and further overwrite the some desired memory ...
🌐
Stanford
cs155.stanford.edu › papers › formatstring-1.2.pdf pdf
Exploiting Format String Vulnerabilities scut / team teso September 1, 2001
September 1, 2001 - code is contained within the format string it may not contain ‘\x25’ (%) or · NUL bytes. But since no important opcode is in neither 0x25 or 0x00 you · will not run into problems when constructing shellcode.
🌐
UCSD
cseweb.ucsd.edu › classes › sp18 › cse127-b › cse127sp18.4.pdf pdf
Format Strings, Shellcode, and Stack Protection
▪Functions that take format strings act like command interpreters. ▪Don’t let attackers decide which commands to pass to your · command interpreters. Shellcode · Review: Smashing The Stack · ▪Overwriting the return address · – Upon function return, control is ·
Find elsewhere
🌐
Tripod
julianor.tripod.com › bc › NN-formats.txt
Format String Technique
6.4 Finishing touches sloth@sin$ export ADDYS=`easyfl '\l080494f4\l080494f6X'` This format string does not have any addresses or data printed before it. %u will have to write the exact amount for the first write. 0xff1a = 65306 0x1bfff - 0xff1a = 49381 sloth@sin$ (echo '%.65306u64$hn%.49381u65$hn') | ./fmt2; echo ... LOTS OF GARBAGE ... hello world sloth@sin$ Again the hello world shellcode is executed.
🌐
ired.team
ired.team › offensive-security › code-injection-process-injection › binary-exploitation › format-string-bug
Format String Bug | Red Team Notes
October 31, 2021 - The string is written in a simple ... output, but format specifiers, which start with a % character, indicate the location and method to translate a piece of data (such as a number) to characters....
🌐
Fengweiz
fengweiz.github.io › 20fa-cs315 › labs › lab3-format-string.pdf pdf
SEED Labs – Format String Vulnerability Lab 1 Format String Vulnerability Lab
of our shellcode to make our life easier (why? Please explain it in your report). $ echo ...(your format string)...$(printf "\x90\x90\x90\x90\x31\xc0 ...
🌐
ELEG 467/667
zelinsky.github.io › CTF-Course › Classes › 11.html
Shellcode, Linux System Calls, and Format String Vulnerabilities | ELEG 467/667
If we have a compiled executable, we can convert it’s output to shellcode with · objdump -D hello |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g' If there are any \x00’s in your output, rewriting your assembly is necessary to remove them. Strings are null-terminated in C, so your string will no longer be read after the null-byte.
🌐
Fengweiz
fengweiz.github.io › 20fa-cs315 › labs › lab3-slides-format-string.pdf pdf
Format-String Vulnerability Instructor: Fengwei Zhang 1 SUSTech
and let it point it to the malicious code (e.g., shellcode to · execute /bin/sh) . Get root access if vulnerable code is a SET- UID program. Challenges : ●Inject Malicious code in the stack · ●Find starting address (A) of the injected code · ●Find return address (B) of the vulnerable ...
🌐
DEF CON
defcon.org › images › defcon-18 › dc-18-presentations › Haas › DEFCON-18-Haas-Adv-Format-String-Attacks.pdf pdf
Advanced Format String Attacks Presented by Paul Haas
The largest hacking and security conference with presentations, workshops, contests, villages and the premier Capture The Flag Contest.
🌐
Exploit-DB
exploit-db.com › papers › 23985
[French] Une simple Exploitation de vulnérabilité Format String
January 8, 2013 - (y or n) y Starting program: /root/exploit/formatstring AA`echo $'\x04\xa0\x04\x08\x06\xa0\x04\x08'`790x1\$hn4282x2\$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AA�� . . . . . . 804851bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Program exited with code 012. Ca marche bien. Mais ce cas la était idéal, les octets à écrire étaient dans le bon ordre (0x3200 < 0xb7ea), pour écrire un shellcode de 20 ou 30 octets ca risque de pas être aussi rose.
🌐
Medium
medium.com › @danielorihuelarodriguez › format-string-vulnerability-439acbe81ddf
Format string vulnerability. What’s a format string vulnerability? | by DanielOrihuela | Medium
November 5, 2024 - We need a 32 bits shellcode. We can get one with the following C program. I got it from https://shell-storm.org/. #include <stdio.h> #include <string.h> char *shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; int main(void) { fprintf(stdout,"Length: %d\n",strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; }
🌐
Stack Overflow
stackoverflow.com › q › 19167776
Newest Questions - Stack Overflow
Stack Overflow | The World’s Largest Online Community for Developers
🌐
Unipg
bista.sites.dmi.unipg.it › didattica › sicurezza-pg › buffer-overrun › hacking-book › 0x2a0-writing_shellcode.html
0x2a0 Writing Shellcode
Now that working printable shellcode exists in an environment variable, it can be used with heap-based overflows and format-string exploits.