How to exploit Format String Vulnerabilities

Introduction

In the previous articles, we discussed printing functions, format strings and format string vulnerabilities. This article provides an overview of how Format String vulnerabilities can be exploited. In this article, we will begin by solving a simple challenge to leak a secret from memory. In the next article, we will discuss another example, where we will chain a format string vulnerability and Buffer Overflow vulnerability to create better impact. 

How can format string vulnerabilities be exploited?

As mentioned in the previous article, following are some of the attacks possible using Format String vulnerabilities.

• Leaking secrets
• Denial of Service
• Leaking memory addresses
• Overwriting memory addresses 

In this article, let us discuss the first two items.

Leaking secrets from stack

Following is the vulnerable program we will use to understand the approach to exploit a simple format string vulnerability to be able to read data from memory.

#include <stdio.h> int main(int argc, char *argv[]){ Sponsorships Available Sponsorships Available Sponsorships Available     char *secret = “p@ssw0rD”;     printf(argv[1]); }

As we can notice, the program is vulnerable to format string vulnerability since the printf function receives user input and prints it. It should be noted that there is no format specifier used in the printf function thus leaving the program vulnerable.

Let us run the program using gdb, check the disassembly of the main function and set up a breakpoint at the address of printf call.