# Format String Exploitation

A format string vulnerability occurs when attacker-controlled input reaches a printf()-family function as the *format* argument instead of as data. The function then interprets every `%` directive in the input and fetches the "arguments" those directives expect from the stack, which lets the attacker read stack contents, read memory at chosen addresses, and, with `%n`, write to memory.

## Common Formats in Printf() Family <a href="#id-1567" id="id-1567"></a>

1. **%c** — a single character
2. **%d** — a signed integer in decimal
3. **%f** — a floating-point number in decimal
4. **%p** — a pointer, printed as an address (handy for dumping stack words on 64-bit targets)
5. **%s** — a NUL-terminated string read through the pointer argument; with a controlled stack slot this reads memory at a chosen address, and with a bad pointer it crashes the process
6. **%x** — an unsigned integer in hexadecimal (the classic `%x %x %x` stack dump)
7. **%n** — writes the number of bytes output so far into the `int` pointed to by the argument; it is the only directive that writes to memory and is the basis of arbitrary-write exploits (`%hn` writes a short, `%hhn` a single byte)
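
The following is an added example (not code from the original page) showing what `%n` actually does and why it is the dangerous directive. It uses snprintf() into a local buffer so it prints nothing; `%n` still counts what would have been output. `count_after_width()` shows that a field width sets the value `%n` stores, and `format_write32()` plants an arbitrary 32-bit value one byte at a time with four `%hhn` directives in a single format string, selecting widths and target pointers with direct parameter access (`%N$`). The function names are hypothetical; in a real exploit the target pointers would be addresses smuggled in the attacker's buffer and `N` would be their offset on the stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The value %n stores is the number of characters emitted before it, and a
 * field width lets the caller (or the attacker) choose that number. */
int count_after_width(int width)
{
	char buf[1100];		/* larger than any count used here, so nothing is truncated */
	int count = -1;

	/* "%*d" pads a single 0 to `width` characters, then %n records the total. */
	snprintf(buf, sizeof buf, "%*d%n", width, 0, &count);
	return count;
}

/* Arbitrary 32-bit write, one byte at a time, with one format string.
 * %hhn stores the low byte of the running count, so four %hhn directives
 * with padding chosen between them can plant any four bytes. Direct
 * parameter access (%N$) picks which argument supplies each width and each
 * target pointer. Here the target is a local variable; an exploit would
 * point at a GOT entry, a return address or a function pointer instead. */
uint32_t format_write32(uint32_t value)
{
	uint32_t target = 0;
	signed char *p = (signed char *)&target;	/* %hhn takes a signed char * */
	unsigned char bytes[4];
	int width[4];
	unsigned written = 0;
	char buf[1100];		/* max count is 4 * 256 = 1024 characters */

	memcpy(bytes, &value, sizeof bytes);	/* bytes in memory order, endian-agnostic */

	for (int i = 0; i < 4; i++) {
		/* How many more characters must be emitted so that the low byte of
		 * the running count equals the byte we want? %c always prints at
		 * least one character, so a delta of 0 has to be expressed as 256. */
		int delta = (bytes[i] - (int)(written % 256) + 256) % 256;
		if (delta == 0)
			delta = 256;
		width[i] = delta;
		written += delta;
	}

	/* %1$*2$c: argument 1 ('A') padded to the width given by argument 2;
	 * %3$hhn: store the low byte of the count through argument 3; and so on. */
	snprintf(buf, sizeof buf,
		 "%1$*2$c%3$hhn%1$*4$c%5$hhn%1$*6$c%7$hhn%1$*8$c%9$hhn",
		 'A', width[0], &p[0], width[1], &p[1],
		 width[2], &p[2], width[3], &p[3]);
	return target;
}

int main(void)
{
	printf("%%n after a width of 300: %d\n", count_after_width(300));
	printf("planted value: 0x%08x\n", format_write32(0xdeadbeefu));
	return 0;
}
```

The byte-wise approach matters because the count grows monotonically: to write a byte smaller than the current low byte the padding has to wrap the counter past 256, which is why each delta is taken modulo 256 and why `%hhn` (one byte) is preferred over `%n` (which would need millions of padding characters for large values).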

## Vulnerable Functions to Format String <a href="#b250" id="b250"></a>

Any function that takes a printf()-style format becomes a sink when an attacker controls that format argument. The common ones are:

1. **printf()**
2. **fprintf()**
3. **sprintf()**
4. **vprintf()**
5. **snprintf()**
6. **vsnprintf()**
7. **vfprintf()**

The same applies to syslog() and to any in-house logging wrapper that forwards a caller-supplied string to one of these as the format.

## Vulnerable code example

![](/files/-MYgQbd77fDsOsN6Ar70)

Compiling the program with GCC and no hardening flags:

![](/files/-MYgQhZFmQYYTFio6gMF)

When we pass a normal string, it is printed back unchanged:

![](/files/-MYgQki29hIO_lFggQBy)

Input longer than the buffer crashes the program. Input containing format directives, however, makes printf() walk the stack and print whatever it finds where the missing arguments would be:

![](/files/-MYgQnk7OYdwUMy9RK1A)

## Other Scenarios

```c
#include <stdio.h>

int main(int argc, char **argv)
{
	if (argc < 2)
		return 1;

	// This line is safe: argv[1] is data, the format is the constant "%s"
	printf("%s\n", argv[1]);

	// This line is vulnerable: argv[1] itself is used as the format string
	printf(argv[1]);
	printf("\n");
	return 0;
}
```

Running it with an argument that contains format directives:

```
$ ./example "Hello World %p %p %p %p %p %p"
Hello World %p %p %p %p %p %p
Hello World 000E133E 000E133E 0057F000 CCCCCCCC CCCCCCCC CCCCCCCC
```

The first line comes from the safe call, which prints the argument verbatim. The second comes from the vulnerable call: each `%p` was resolved against an argument that was never passed, so printf() read six successive words from where the variadic arguments would have been and printed them. On 32-bit x86 those words sit directly above the saved return address, which is why the leak is so reliable; on x86-64 the first few "arguments" come from registers before the walk reaches the stack.

## Mitigation <a href="#ddf6" id="ddf6"></a>

1. Never pass user input as the format argument. Use a constant format string with arguments that match it in number and type: `printf("%s", buf)` instead of `printf(buf)`.
2. Where an API must take a format, wrap it so callers can only supply data. With `"%s"` the whole input is treated as one string and any `%` in it is printed literally.
3. Let the compiler find the bug: `-Wformat -Wformat-security` (or `-Werror=format-security`) flags calls such as `printf(argv[1])` where the format is not a literal and no further arguments follow. Wrappers that legitimately forward a format should be declared with `__attribute__((format(printf, N, M)))` so their callers are checked the same way.
4. Build with `-D_FORTIFY_SOURCE=2` and optimisation enabled: glibc's fortified printf variants abort the process when a `%n` directive appears in a format string that lives in writable memory, which is where attacker input normally ends up.
5. Defensive instrumentation such as FormatGuard, which checks at runtime that the number of directives does not exceed the number of arguments supplied, can be used as a further layer.
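
As an added example (not the page's own code) that covers both the vulnerable/safe pair in Other Scenarios and the mitigations above: a vulnerable sink next to its fixed form, a wrapper that forwards a format the right way so the compiler can check its callers, and a probe that tells a vulnerable sink from a safe one without the undefined behaviour of sending `%x %x %x`. Function names and the probe string are hypothetical; snprintf() is used throughout so the program does not print the leaked data itself.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The compiler would (rightly) warn about the deliberately vulnerable sink
 * below; silence it only here. In real builds keep -Wformat-security on so
 * this exact pattern is caught at compile time. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
/* Vulnerable: the message itself is used as the format string. */
void log_vuln(char *out, size_t n, const char *msg)
{
	snprintf(out, n, msg);
}
#pragma GCC diagnostic pop

/* Fixed: a constant format; the message is data and any '%' in it is literal. */
void log_safe(char *out, size_t n, const char *msg)
{
	snprintf(out, n, "%s", msg);
}

/* A wrapper that legitimately forwards a format must say so, so that callers
 * such as log_fmt(buf, n, user_input) get the same warning printf() would.
 * Returns the number of characters vsnprintf() produced. */
__attribute__((format(printf, 3, 4)))
int log_fmt(char *out, size_t n, const char *fmt, ...)
{
	va_list ap;
	int len;

	va_start(ap, fmt);
	len = vsnprintf(out, n, fmt, ap);
	va_end(ap);
	return len;
}

/* Deterministic probe for a format-string sink: "%%" consumes no argument, so
 * it is safe to send even to a vulnerable function, yet a sink that interprets
 * its input collapses it to a single '%'. A safe sink echoes the input as-is.
 * Returns 1 if the sink interprets format directives, 0 otherwise. */
int sink_interprets_formats(void (*sink)(char *, size_t, const char *))
{
	char out[64];

	sink(out, sizeof out, "probe%%probe");	/* constructed probe input */
	return strcmp(out, "probe%probe") == 0;
}

int main(void)
{
	char buf[64];

	printf("log_vuln interprets formats: %d\n", sink_interprets_formats(log_vuln));
	printf("log_safe interprets formats: %d\n", sink_interprets_formats(log_safe));
	log_fmt(buf, sizeof buf, "user=%s uid=%d", "alice", 1000);
	printf("%s\n", buf);
	return 0;
}
```

The `%%` probe is the one to use first during a review or a black-box test: it changes the output only when the input is being parsed as a format, and unlike `%x` or `%s` it never dereferences or consumes a stack slot, so it cannot crash the target or trip a fortified build before you have confirmed the sink.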

## References

{% embed url="https://github.com/arthaud/formatstring" %}

{% embed url="http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html" %}

{% embed url="https://aidenpearce369.medium.com/exploiting-format-string-vulnerability-97e3d588da1b" %}

{% embed url="https://owasp.org/www-community/attacks/Format_string_attack" %}

{% embed url="https://nikhilh20.medium.com/format-string-exploit-ccefad8fd66b" %}

{% embed url="https://www.exploit-db.com/docs/english/28476-linux-format-string-exploitation.pdf" %}

{% embed url="https://youtu.be/0WvrSfcdq1I" %}

