Format String Exploits

This is an oldie but goodie. I’ve seen format string bugs in the past, and have even exploited a few using the “magic formula”. Today, I thought it would be a good time to actually sit down and figure out how they work. The link below is an excellent resource for anyone learning about these.

http://www.cgsecurity.org/Articles/SecProg/Art4/

One Response to Format String Exploits

  1. mopey says:

    The magic formula is:

    “[addr][addr+2]%.[val. min. - 8]x%[offset]$hn%.[val. max. - val. min.]x%[offset+1]$hn”

    where addr is the memory location you want to overwrite (e.g. .dtors), val. max. and val. min. are the upper and lower bytes of what we want to put into that memory location (e.g. the address of our shellcode), and offset is where our format string is.
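The formula above works only because untrusted text reaches printf() as the format argument, so that `%x` reads and `%hn` writes are honoured. The following C example is added here and is not code from the post or the commenter: it classifies an input string by the directives it carries (the detection rule a log or input filter would apply) and shows the hardened call pattern. The function names are assumptions for illustration; the sample strings in the comments are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Classify an untrusted string by the printf directives it contains.
 *   0 = no conversion directives ("%%" is a literal percent, not a directive)
 *   1 = read-only directives (%x, %s, %p, ...): a disclosure risk if misused
 *   2 = a write directive (%n, with optional N$ position and h/hh/l length),
 *       the building block of the "magic formula" quoted above
 * Hypothetical helper name; constructed for this example. */
int format_directive_risk(const char *s)
{
    int risk = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%" prints a literal '%' */
            continue;
        if (*p == '\0')
            break;
        /* skip positional index, flags, width and precision: e.g. "7$", ".500", "-", "0" */
        while (*p && strchr("0123456789$.-+ #*", *p))
            p++;
        /* skip length modifiers such as the 'h' in "%hn" */
        while (*p && strchr("hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;
        if (*p == 'n')
            return 2;           /* %n writes to memory: highest risk */
        if (risk < 1)
            risk = 1;           /* any other conversion reads from the stack */
    }
    return risk;
}

/* Hardened logging: untrusted text is passed as an ARGUMENT to a constant
 * format string. The vulnerable form is fprintf(out, msg) with msg attacker
 * controlled; compile with -Wformat -Wformat-security to have gcc/clang flag
 * that form at build time. */
void log_untrusted(FILE *out, const char *msg)
{
    fprintf(out, "[user] %s\n", msg);
}
```

Constructed inputs: "hello 100%% done" classifies as 0, "AAAA%x%x" as 1, and "AB%.500x%7$hn" (the shape of the formula's second half) as 2.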
