Format String Vulnerability
Take a look at the following code:
#include <stdio.h>

int main(int argc, char *argv[]) {
    printf("Welcome to %s\n", argv[0]);
    printf("You called the program with %d options. They are:\n", argc-1);
    if (argc > 1) {
        int j;
        for (j=1; j < argc; j++) {
            printf(argv[j]);   /* user-controlled data used as the format string */
            printf("\n");
        }
    }
    return 0;
}
What would happen if we ran this command line program with an option like hello world?
./formatstring hello world
Welcome to ./formatstring
You called the program with 2 options. They are:
hello
world
Works as intended!
But the dangerous bit (which the compiler warns about, by the way) is the so-called naked format string in the following line:
printf(argv[j]);
This can be abused by sending printf format options, the most common of which are %p or %x.
Let's try spamming it with %p to dump memory:
./formatstring %p%p%p%p%p%p%p%p%p
Welcome to ./formatstring
You called the program with 1 options. They are:
0x10x10239d9100x16da6f7200x20x16da6f7000x19f403f280x00x00x0
And just like that we start dumping memory!
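A hardened version of the echo loop above, as an added example that is not part of the original page: the untrusted argument is passed as data to a fixed "%s" format, so "%p%p%p" is printed literally instead of dumping pointers. The count_conversions helper is a hypothetical audit aid that reports how many specifiers an argument would have triggered had it been misused as the format.

```c
#include <stdio.h>
#include <string.h>

/* Hardened echo for the page's loop: the untrusted argument is passed as DATA to
 * a fixed "%s" format that the caller cannot influence. Returns the number of
 * characters written (excluding the terminating NUL), or -1 on error. */
int safe_echo(char *out, size_t cap, const char *untrusted) {
    return snprintf(out, cap, "%s", untrusted);
}

/* Hypothetical audit helper: count the conversion specifiers a string would
 * trigger if it were (wrongly) used as a printf format. "%%" is a literal
 * percent sign and is not counted; every other '%' is counted conservatively. */
int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent, skip both */
        n++;
    }
    return n;
}

/* Stand-alone driver: same behaviour as the page's program, minus the bug.
 * Arguments that look like format strings are flagged on stderr but still
 * echoed safely as plain text. */
int main(int argc, char *argv[]) {
    char buf[256];
    printf("Welcome to %s\n", argv[0]);
    printf("You called the program with %d options. They are:\n", argc - 1);
    for (int j = 1; j < argc; j++) {
        int k = count_conversions(argv[j]);
        if (k > 0)
            fprintf(stderr, "warning: option %d contains %d format conversions\n", j, k);
        if (safe_echo(buf, sizeof buf, argv[j]) >= 0)
            puts(buf);
    }
    return 0;
}
```

Running it with the same %p%p%p%p%p%p%p%p%p argument prints the nine "%p" characters back verbatim rather than stack contents.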