Hacktricks-skills format-string-exploitation
How to exploit format string vulnerabilities in C binaries. Use this skill whenever the user mentions format string vulnerabilities, printf vulnerabilities, GOT/PLT overwrites, or needs to exploit a binary with format string bugs. This skill automates finding the format string offset, crafting payloads, and overwriting GOT entries to redirect function calls (e.g., printf → system) for code execution.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/binary-exploitation/format-strings/format-strings-template/SKILL.MDFormat String Exploitation
A skill for exploiting format string vulnerabilities in C binaries using pwntools.
When to Use This Skill
Use this skill when:
- You're given a binary with a format string vulnerability (e.g.,
without format specifiers)printf(user_input) - You need to leak stack memory or overwrite GOT entries
- You want to redirect function calls (printf → system) for shellcode execution
- You're working on CTF challenges involving format string bugs
Quick Start
-
Configure the connection in
:scripts/format_string_exploit.py- Set
for local testingLOCAL = True - Set
for remote TCPREMOTETTCP = True - Set
for SSH (e.g., OverTheWire)REMOTESSH = True
- Set
-
Run the exploit:
python scripts/format_string_exploit.py -
Review the output - the script will:
- Automatically find the format string offset
- Overwrite GOT entries
- Spawn an interactive shell
How Format String Exploitation Works
The Vulnerability
Format string vulnerabilities occur when user input is passed directly to format functions like
printf()fprintf()sprintf()// VULNERABLE char *input = get_user_input(); printf(input); // User can use %x, %s, %n to read/write memory // SAFE printf("%s", input); // Format string is controlled
Attack Phases
- Find the offset: Determine which position in the format string corresponds to your input
- Leak memory: Use
or%x
to read stack values%p - Overwrite GOT: Use
to write addresses to memory%n - Redirect execution: Point printf GOT entry to system PLT
- Trigger shell: Find where printf is called with controlled input
Configuration Options
| Variable | Description | Default |
|---|---|---|
| Run binary locally | |
| Connect via TCP | |
| Connect via SSH | |
| Attach GDB for debugging | |
| Path to vulnerable binary | |
| Bytes to prepend to payload | |
| Bytes to append to payload | |
| Maximum payload length | |
Example Usage
Local Binary
LOCAL = True LOCAL_BIN = "./vulnerable_binary"
Remote TCP
REMOTETTCP = True # Update in connect_binary(): P = remote('10.10.10.10', 1338)
SSH (OverTheWire)
REMOTESSH = True REMOTE_BIN = "./tyler" # SSH credentials configured in connect_binary()
Advanced: Loop Back for Extra Execution
Some binaries require looping back to the vulnerability for a second exploitation. Uncomment in the script:
P_FINI_ARRAY = ELF_LOADED.symbols["__init_array_end"] INIT_LOOP_ADDR = 0x8048614 # Address to return to format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR)
Troubleshooting
Offset not found
- Increase the search range in
get_formatstring_config() - Check if the binary has ASLR enabled (
)setarch -R - Verify the binary actually has a format string vulnerability
GOT overwrite fails
- Check if the binary is PIE (Position Independent Executable)
- Verify GOT entry is writable
- Ensure you're writing the correct address
Shell doesn't spawn
- Find where printf is called with user-controlled input
- The input should contain
or similar/bin/sh - Check if the binary has a second call to printf after GOT overwrite
References
Script Files
- Main exploitation scriptscripts/format_string_exploit.py
Run the script after configuring your connection settings. The script will automatically:
- Find the format string offset
- Overwrite printf GOT with system PLT
- Spawn an interactive shell