Format String

Format String bug and Challenges About this Bug

Before Talk about Format String bug let`s Talk about format specifiers

when you use printf in c you need you two arguments format specifier and the varliabe

format specifier = Specify the type of data contained within the variable to be pritned

if variable string use "%s" or intger use "%d"

#include <stdio.h>

int main(){
        char var[] = "Hello Wolrd!";
        printf("%s",var);
        return 0;
}

The Funcation of this code is to print only what is inside the variable

let`s compile it

it`s Worked

Format Specifier Types
-----------------------
%c for Character
%d or i for intger
%e or %E for Scientific notation of floats 
%f for Float values
%g or %G for Similar as  %e or %E
%hi Signed integer (short)
%hu Unsigned Integer (short)
%l or %ld or %liLong 
%lf Double
%Lf Long double
%lu Unsigned int or unsigned long
%lli or %lld Long long 
%llu Unsigned long long
%o Octal 
%p print Pointer address
%s String
%u Unsigned int
%x or %X Hexadecimal 
%% Prints % character
%n Writes the number of bytes till the format string to memory

now what happens when i don`t use format specifier to print the data like this printf(variable) ?

can the user write "%p" to input and the printf will print that Here is format string Bug

that make user leak address and strings from stack

This is Vulnerable code

#include <stdio.h>

int main(){
        char var[20];
        fgets(var,20,stdin);
        printf(var);
        return 0;
}

┌──(root💀kali)-[~/TestArena]
└─# ./printf
%p %p %p %p %p %p %p 
0x5555555592a1 (nil) (nil) 0x7fffffffdf50 0x7ffff7f99c00 0x7025207025207025                                                                                                                                                                                               

I've leaked some addresses from the stack

Format String exploit is two exploitation for this bug

Arbitrary Read:

leak Canary or PIE Base or ASLR Base or flag or any thing

Arbitrary Write:

Write Some data in any address with %n that make me get RCE example change printf got to system plt when user execue printf he will execute system