Format String Exploits

This is an oldie but goodie. I’ve seen format string bugs in the past, and have even exploited a few using the “magic formula”. Today, I thought it would be a good time to actually sit down and figure out how they work. The below link is an excellent resource to anyone learning about these.

http://www.cgsecurity.org/Articles/SecProg/Art4/

One Response to Format String Exploits

  1. mopey says:

    The magic formula is:

    “[addr][addr+2]%.[val. min. – 8]x%[offset]$hn%.[val. max – val. min.]x%[offset+1]$hn”

    where addr is the memory location you want to overwrite (eg .dtors), val. max and val.min are the upper and lower bytes of what we want to put into that memory location (eg the address of our shellcode) and offset is where our format string is.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s