Learning Binary Exploitation — Part 4

Format String Vulnerability

This one was quite easy to understand compared to the other concepts.

What are Format Specifiers?

Format specifiers are used in print statements to specify the type of data to be printed. For example, in C:

char astring[10];
printf("We are printing a string: %s", astring);

Here, %s is the format specifier. There are several such format specifiers, including:

• %s → String
• %p → Memory address (hexadecimal)
• %d → Integer (decimal)
• %f → Float
• %c → Character
• %x → Hexadecimal
• %u → Unsigned integer
• %n → Writes the number of characters into a pointer

Understanding the Vulnerability

A format string vulnerability occurs when the format specifier is not explicitly provided in a print statement. This allows an attacker to inject their own format specifiers, such as %p.

For example:

#include <stdio.h>
#include <string.h>

int main(int argc, char** argv) {
    char buffer[64];
    strcpy(buffer, argv[1]);
    printf(buffer);
    return 0;
}

If you input a string like AAAA, the program will print memory addresses, including 0x41414141 (hexadecimal representation of AAAA). By injecting %n at a critical point, an attacker could cause a segmentation fault by attempting to write the length of the string to an invalid memory address (0x41414141 in this case).

Injecting Shellcode Using This Method

Shared libraries in C programs contain functions and their addresses. These are dynamically linked, and the Global Offset Table (GOT) stores the addresses of these functions.

Initially, the GOT entries are undefined. When a function is called, the dynamic linker resolves the address and updates the GOT. Subsequent calls use this resolved address.

Exploitation Idea:
If we overwrite the GOT entry for a critical function (e.g., printf) with the address of system(), we could invoke arbitrary commands, such as launching a shell:

system("/bin/sh")

This approach allows an attacker to execute shellcode, providing control over the target system.

For more details and examples, refer to this guide.

Author: Piyush Pradhan
Published on: January 25, 2022
Original Article: Learning Binary Exploitation — 4

Let me know if you’d like further adjustments or insights!