> For the complete documentation index, see [llms.txt](https://gitbook.seguranca-informatica.pt/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://gitbook.seguranca-informatica.pt/fuzzing-and-web/format-string.md).

# Format String Exploitation

A Format String attack can occur when an input string data is processed by a vulnerable function so that attacker can pass the formats to exploit the stack values with the help of format string functions/printf() family functions.

## Common Formats in Printf() Family <a href="#id-1567" id="id-1567"></a>

1. **%c** — Formats a single character
2. **%d** — Formats an integer in decimal value
3. **%f** — Formats float in decimal value
4. **%p** — Formats a pointer to address location
5. **%s** — Formats a string
6. **%x** — Formats a hexadecimal value
7. **%n** — Number of bytes written

## Vulnerable Functions to Format String <a href="#b250" id="b250"></a>

1. **printf()**
2. f**printf()**
3. **sprintf()**
4. **vprintf()**
5. **snprintf()**
6. **vsnprintf()**
7. **vfprintf()**

## Vulnerable code example

![](/files/-MYgQbd77fDsOsN6Ar70)

Compiling this binary with GCC (no flags)

![](/files/-MYgQhZFmQYYTFio6gMF)

When we pass a normal string data, it prints it successfully

![](/files/-MYgQki29hIO_lFggQBy)

If we pass beyond the buffer it gets crashed. But if we pass string with format values, it gives us the random stack values which is being popped from it:

![](/files/-MYgQnk7OYdwUMy9RK1A)

## Other Scenarios

```
#include  <stdio.h> 
void main(int argc, char **argv)
{
	// This line is safe
	printf("%s\n", argv[1]);

	// This line is vulnerable
	printf(argv[1]);
}

./example "Hello World %p %p %p %p %p %p"
Hello World %p %p %p %p %p %p
Hello World 000E133E 000E133E 0057F000 CCCCCCCC CCCCCCCC CCCCCCCC
```

## Mitigation <a href="#ddf6" id="ddf6"></a>

1. Use format strings corresponding to the assigned variables
2. Use of “%s” as format string can make the whole input as a single string
3. Use arguments to call values and functions
4. Defensive strategy like ‘format\_gaurd’ can be used

## References

{% embed url="<https://github.com/arthaud/formatstring>" %}

{% embed url="<http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html>" %}

{% embed url="<https://aidenpearce369.medium.com/exploiting-format-string-vulnerability-97e3d588da1b>" %}

{% embed url="<https://owasp.org/www-community/attacks/Format_string_attack>" %}

{% embed url="<https://nikhilh20.medium.com/format-string-exploit-ccefad8fd66b>" %}

{% embed url="<https://www.exploit-db.com/docs/english/28476-linux-format-string-exploitation.pdf>" %}

{% embed url="<https://youtu.be/0WvrSfcdq1I>" %}
