Format Strings
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
Basic Information
In C printf is a function that can be used to print some string. The first parameter this function expects is the raw text with the formatters. The following parameters expected are the values to substitute the formatters from the raw text.
Other vulnerable functions are sprintf() and fprintf().
The vulnerability appears when an attacker text is used as the first argument to this function. The attacker will be able to craft a special input abusing the printf format string capabilities to read and write any data in any address (readable/writable). Being able this way to execute arbitrary code.
Formatters:
Examples:
Vulnerable example:
Normal Use:
With Missing Arguments:
fprintf vulnerable:
Accessing Pointers
The format %<n>$x, where n is a number, allows to indicate to printf to select the n parameter (from the stack). So if you want to read the 4th param from the stack using printf you could do:
and you would read from the first to the forth param.
Or you could do:
and read directly the forth.
Notice that the attacker controls the printf parameter, which basically means that his input is going to be in the stack when printf is called, which means that he could write specific memory addresses in the stack.
An attacker controlling this input, will be able to add arbitrary address in the stack and make printf access them. In the next section it will be explained how to use this behaviour.
Arbitrary Read
It's possible to use the formatter %n$s to make printf get the address situated in the n position, following it and print it as if it was a string (print until a 0x00 is found). So if the base address of the binary is 0x8048000, and we know that the user input starts in the 4th position in the stack, it's possible to print the starting of the binary with:
Note that you cannot put the address 0x8048000 at the beginning of the input because the string will be cat in 0x00 at the end of that address.
Find offset
To find the offset to your input you could send 4 or 8 bytes (0x41414141) followed by %1$x and increase the value till retrieve the A's.
How useful
Arbitrary reads can be useful to:
Dump the binary from memory
Access specific parts of memory where sensitive info is stored (like canaries, encryption keys or custom passwords like in this CTF challenge)
Arbitrary Write
The formatter %<num>$n writes the number of written bytes in the indicated address in the <num> param in the stack. If an attacker can write as many char as he will with printf, he is going to be able to make %<num>$n write an arbitrary number in an arbitrary address.
Fortunately, to write the number 9999, it's not needed to add 9999 "A"s to the input, in order to so so it's possible to use the formatter %.<num-write>%<num>$n to write the number <num-write> in the address pointed by the num position.
However, note that usually in order to write an address such as 0x08049724 (which is a HUGE number to write at once), it's used $hn instead of $n. This allows to only write 2 Bytes. Therefore this operation is done twice, one for the highest 2B of the address and another time for the lowest ones.
Therefore, this vulnerability allows to write anything in any address (arbitrary write).
In this example, the goal is going to be to overwrite the address of a function in the GOT table that is going to be called later. Although this could abuse other arbitrary write to exec techniques:
Write What Where 2 ExecWe are going to overwrite a function that receives its arguments from the user and point it to the system function.
As mentioned, to write the address, usually 2 steps are needed: You first writes 2Bytes of the address and then the other 2. To do so $hn is used.
HOB is called to the 2 higher bytes of the address
LOB is called to the 2 lower bytes of the address
Then, because of how format string works you need to write first the smallest of [HOB, LOB] and then the other one.
If HOB < LOB
[address+2][address]%.[HOB-8]x%[offset]\$hn%.[LOB-HOB]x%[offset+1]
If HOB > LOB
[address+2][address]%.[LOB-8]x%[offset+1]\$hn%.[HOB-LOB]x%[offset]
HOB LOB HOB_shellcode-8 NºParam_dir_HOB LOB_shell-HOB_shell NºParam_dir_LOB
Pwntools Template
You can find a template to prepare a exploit for this kind of vulnerability in:
Format Strings TemplateOr this basic example from here:
Format Strings to BOF
It's possible to abuse the write actions of a format string vulnerability to write in addresses of the stack and exploit a buffer overflow type of vulnerability.
Other Examples & References
https://guyinatuxedo.github.io/10-fmt_strings/pico18_echo/index.html
32 bit, no relro, no canary, nx, no pie, basic use of format strings to leak the flag from the stack (no need to alter the execution flow)
https://guyinatuxedo.github.io/10-fmt_strings/backdoor17_bbpwn/index.html
32 bit, relro, no canary, nx, no pie, format string to overwrite the address
fflushwith the win function (ret2win)
https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html
32 bit, relro, no canary, nx, no pie, format string to write an address inside main in
.fini_array(so the flow loops back 1 more time) and write the address tosystemin the GOT table pointing tostrlen. When the flow goes back to main,strlenis executed with user input and pointing tosystem, it will execute the passed commands.
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Last updated