Format String Vulnerability

Format string vulnerabilities occur in C functions that use format strings to control data representation, allowing attackers to write arbitrary data to memory locations. Common format parameters can be exploited to read from or write to the stack, leading to potential information leakage, program crashes, or memory overwrites. The document provides examples of format functions and their parameters, as well as the implications of format string attacks.

Uploaded by

aado5488

What are Format Strings?

• A format string is an ASCII string used to specify and control the representation of different variables.

int c = 0;          /* initialized so the printed value is defined */
printf("%d", c);

• A format function uses the format string to convert C data types into a string representation.
Examples of Format Functions

Format function   Description
fprintf           Writes the printf to a file
printf            Output a formatted string
sprintf           Prints into a string
snprintf          Prints into a string checking the length
vfprintf          Prints a va_arg structure to a file
vprintf           Prints the va_arg structure to stdout
vsprintf          Prints the va_arg to a string
vsnprintf         Prints the va_arg to a string checking the length

Format Parameters
• Each format parameter begins with a percent sign (%) followed by a single character.

• Below are some format parameters which can be used and their consequences:
“%x” Read data from the stack
“%s” Read character strings from the process’ memory
“%n” Write an integer to locations in the process’ memory

Common parameters used in a Format String Attack

Parameters   Output                                           Passed as
%%           % character (literal)                            Reference
%p           External representation of a pointer to void     Reference
%d           Decimal                                          Value
%c           Character
%u           Unsigned decimal                                 Value
%x           Hexadecimal                                      Value
%s           String                                           Reference
%n           Writes the number of characters into a pointer   Reference

The fmt.c program shows some examples of different format parameters.
Output of the fmt.c program

Format String Attack
• A software vulnerability in certain C functions that perform string formatting, leading to the potential to write arbitrary data to arbitrary locations.
• A format string attack allows us to dump the stack.
• The stack contains interesting information:
▪ Data, return addresses, stack addresses
▪ Strings, including our format string
▪ Stack offset locations of all of the above
• Combining a string, its offset and a pointer, we can obtain the address of anything on the stack.
• Overwrite a return address to point to our exploit.

Format String Vulnerabilities
This can lead to:
▪ Crashing of the program
▪ Viewing process memory (information leakage)
▪ Overwriting memory with arbitrary data

A simple C Program with format string Vulnerability

Demo
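
The demo program itself is not reproduced on this page. The following is an added example, not the author's code: it puts the vulnerable call pattern next to its hardened form and adds a small audit helper for untrusted strings. The names render_unsafe, render_safe and count_directives are hypothetical, and both input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: untrusted text is passed AS the format string, so any
 * '%' directive in it is interpreted (-Wformat-security warns about this). */
int render_unsafe(char *out, size_t n, const char *user) {
    return snprintf(out, n, user);
}

/* Hardened form: constant format, untrusted text is only ever data. */
int render_safe(char *out, size_t n, const char *user) {
    return snprintf(out, n, "%s", user);
}

/* Audit helper (hypothetical): count conversion directives other than "%%"
 * in `s`; sets *has_n when a %n directive is among them. */
int count_directives(const char *s, int *has_n) {
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                    /* "%%" is a literal '%' */
        p += strspn(p, "-+ #0123456789.*hlLjzt$");  /* flags, width, length  */
        if (*p == '\0') break;                      /* dangling '%' at end   */
        if (*p == 'n') *has_n = 1;
        count++;
    }
    return count;
}

int main(void) {
    char a[64], b[64];
    int has_n;
    const char *benign = "load at 100%%";           /* constructed input */
    const char *probe  = "user=%x.%x.%s%n";         /* constructed input */

    render_unsafe(a, sizeof a, benign);   /* "%%" collapses: input was parsed */
    render_safe(b, sizeof b, benign);     /* input copied byte for byte       */
    printf("unsafe: [%s]\nsafe:   [%s]\n", a, b);

    int n = count_directives(probe, &has_n);
    render_safe(b, sizeof b, probe);      /* directives stay inert text */
    printf("%d directives, %%n present: %d, safe: [%s]\n", n, has_n, b);
    return 0;
}
```

render_unsafe is only ever called here with an input whose sole directive is "%%", which consumes no arguments, so the difference between the two outputs is well defined.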
END
