Format String Exploits
April 9th, 2009 by webstersprodigy
This is an oldie but goodie. I’ve seen format string bugs in the past, and have even exploited a few using the “magic formula”. Today, I thought it would be a good time to actually sit down and figure out how they work. The link below is an excellent resource for anyone learning about these.
http://www.cgsecurity.org/Articles/SecProg/Art4/
This entry was posted on Thursday, April 9th, 2009 at 23:59 and is filed under GrayHat.
April 10th, 2009 at 00:06
The magic formula is:
“[addr][addr+2]%.[val. min. - 8]x%[offset]$hn%.[val. max - val. min.]x%[offset+1]$hn”
where addr is the memory location you want to overwrite (e.g. .dtors), val. max. and val. min. are the upper and lower halves of what we want to put into that memory location (e.g. the address of our shellcode), and offset is where our format string is.