Don't like this style? Click here to change it! blue.css

Welcome .... Click here to logout

format string exploits

Alright, if the first class of exploits we learned were about smashing, this one is about surgery.

Works like this:

When an innocent dev makes the mistake of putting your argument as the format string and not as an argument (e.g. printf("%s", yourstr)) then nonsense ensues.

I'm going to show this more through live demos but here is the damage:

That first capability alone allows you to conquer PIE, ASLR, and Stack Protection.

The second one, well that is a whole new world that we will appreciate the rest of the course.


As we get to the cutting edge exploits we will do versions of this that aren't compiler protected or even warned.

Surgical payloads will be our primary way of exploiting binaries from now on.

It's a new way of thinking, if you could write a small payload that goes anywhere you want, what could allow you to take over?

The Mechanics

Part 1: reading from the stack (and first 6 registers)

OK send %p now send %6$p now send %55$p.

Imagine a healthy printf, it would go like this: printf("1: %p 2: %p 3: %p", arg1, arg2, arg3)

From printf's world the first argument is arg1, but we know that in x86 arg1 is officially the 2nd argument to the printf call, so it lives in rsi

Now printf let's us jump to the 6th (7th in x86) argument with %6$p which is no longer in a register but on the stack (it is the 7th argument to the function call by calling convention which has exhausted the 6 register slots).

Alright so that means we can read the 6 argument registers and then read everything on the stack that we want.

OK take the demo problem and identify the stack canary and read that!

Part 2: writing to an arbitrary location

Alright normally I would give you the mechanics of WHY this works but at the moment I'm just going to give you the quick and dirty reference for HOW to do it:

Now we play together and I can explain as we go.

Let's try this: