Format String
The format string bug and challenges about this bug
Before talking about the format string bug, let's talk about format specifiers.
When you use printf in C, you need two arguments: the format specifier and the variable.
Format specifier = specifies the type of the data contained in the variable to be printed.
If the variable is a string use "%s"; if it is an integer use "%d".
#include <stdio.h>

int main(){
    char var[] = "Hello World!";
    /* The format string is a constant; var is passed only as data. */
    printf("%s",var);
    return 0;
}
This code prints only what is inside the variable.
Let's compile it.

Format Specifier Types
-----------------------
%c for Character
%d or %i for Integer
%e or %E for Scientific notation of floats
%f for Float values
%g or %G Similar to %e or %E
%hi Signed integer (short)
%hu Unsigned Integer (short)
%l or %ld or %li Long
%lf Double
%Lf Long double
%lu Unsigned int or unsigned long
%lli or %lld Long long
%llu Unsigned long long
%o Octal
%p print Pointer address
%s String
%u Unsigned int
%x or %X Hexadecimal
%% Prints % character
%n Writes the number of bytes printed so far to the memory address given by the corresponding argument
Now, what happens when I don't use a format specifier to print the data, like this: printf(variable)?
The user can then put "%p" in the input and printf will interpret it as a format specifier. This is the format string bug,
which lets the user leak addresses and strings from the stack.
This is the vulnerable code:
#include <stdio.h>

int main(){
    char var[20];
    fgets(var,20,stdin);
    /* Vulnerable: user input is used as the format string itself. */
    printf(var);
    return 0;
}
┌──(root💀kali)-[~/TestArena]
└─# ./printf
%p %p %p %p %p %p %p
0x5555555592a1 (nil) (nil) 0x7fffffffdf50 0x7ffff7f99c00 0x7025207025207025
I've leaked some addresses from the stack
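The hardened counterpart of the vulnerable program above, as an added example that is not from the original page: render_safe passes the input as an argument to a constant "%s" format, and scan_format counts the conversion specifications in untrusted text so that suspicious input can be flagged or logged. All function and struct names are hypothetical; building with GCC's -Wformat -Wformat-security also warns about printf(var).

```c
/* Added example, not the page author's code. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Result of scanning untrusted text for printf conversion specifications. */
struct fmt_scan {
    int directives; /* conversions that consume an argument, e.g. %p %s %x */
    int writes;     /* %n conversions, which store to memory */
};

/* Walk the string the way printf would: '%' starts a directive, "%%" is a
 * literal percent, flags/width/precision/length modifiers are skipped. */
static struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0};
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                    /* step past '%' */
        if (*s == '%') { s++; continue; }       /* "%%" prints one '%' */
        s += strspn(s, "-+ #0123456789.*$hlLqjzt");
        if (*s == '\0') break;                  /* truncated directive */
        if (*s == 'n') r.writes++;
        r.directives++;
        s++;
    }
    return r;
}

/* Hardened form of printf(var): the format is a constant and the input is
 * only ever an argument, so '%' sequences in it come out as plain text. */
static int render_safe(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "%s", user);
}

int main(void)
{
    const char *probe = "%p %p %p %p %p %p %p"; /* input shown on this page */
    char out[64];
    struct fmt_scan r = scan_format(probe);
    render_safe(out, sizeof out, probe);
    printf("directives=%d writes=%d rendered=\"%s\"\n",
           r.directives, r.writes, out);
    return 0;
}
```

Note that "% s" counts as a directive because the space is a valid printf flag, so text such as "100% sure" would also be interpreted if it were ever used as a format string.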
There are two ways to exploit a format string bug:
Arbitrary Read:
Leak the canary, the PIE base, the ASLR base, the flag, or anything else.
Arbitrary Write:
Write data to any address with %n, which can lead to RCE. For example, change the GOT entry of printf to the PLT address of system, so that when the program calls printf it executes system instead.