Questions tagged [format-string]

Format strings in functions like "printf" specify a method for rendering an arbitrary number of parameters of varied data types into a string.

0 votes
1 answer
204 views

why is an allocated buffer stored on the stack and the heap?

I have this code which has a format string vulnerability in it: #include <stdio.h> int main() { char buf[1024]; char secret1[64]; char flag[64]; char secret2[64]; // Read in first ...
Moshe D
  • 103
1 vote
0 answers
131 views

String format exploit works differently on my machine than on remote target

I'm learning binary exploitation with the picoCTF challenges. I solved Stonks, but I'm trying to learn more about how the stack works. What I did was the following: checked out the source, here is ...
lnc3l0t
  • 11
1 vote
0 answers
178 views

How can I exploit the following code using string format vulnerabilities, Global offset table & GDB? [closed]

The following code should be exploited and I need to exploit it in such a way that it runs my command (l33t) and there should be shellcode and exploit included, so that it runs my command. I believe I ...
A M
  • 11
5 votes
2 answers
2k views

Format string vulnerability in Java?

Can a non-sanitized user input result in a vulnerability if passed to System.out.printf (Or any equivalent function that takes a format)? Example: public class Demo { public static void main(...
M0ngi
  • 163
0 votes
0 answers
2k views

Is format string still an issue in Python?

I am not familiar with Python. I found lots of places talking about the format string issue in python. To understand its impact, I created a very simple test code: # assume this CONFIG holds sensitive ...
user1024888
0 votes
1 answer
777 views

C++: How does format string vulnerability work?

Let's say that: char name[50]="TEST"; printf("%s",name); Here in the code, the %s just says that the variable is a string. But why when we print out user inputs, the %s suddenly ...
No Name
  • 227
1 vote
0 answers
498 views

C - Remote string format attack exploit - %n Does not seem to write anything on the stack

[As part of a ctf] I am trying to exploit a remote server through a tcp connection. The server is using snprintf() and provides user input as the formatting string. My goal is to dump the stack. ...
Desperados
5 votes
2 answers
551 views

A runtime sometimes converts string arguments (or string returns) from WTF-16 to UTF-16 between functions in a call stack. Is this a security concern?

Suppose that we have this code (in TypeScript syntax): function one(str: string): string { // do something with the string return str } function two() { let s = getSomeString() // returns some ...
trusktr
  • 81
1 vote
0 answers
449 views

How to use %n formatter in format string [closed]

I recently saw a CTF challenge application (elf x86_64) on Linux environment, vulnerable to several attacks including format string, because of the complexity of the full exploit, I don't want to say too ...
user3782573
1 vote
1 answer
2k views

How to read memory from format string exploit correctly

I'm trying to solve a problem on format string exploitation in which I have to overwrite anything in a specific address. Since the target address has a null byte at the beginning, I need to write it at ...
SrJaimito
  • 111
1 vote
0 answers
173 views

Implications of Python fmtstr injection without secrets passed to the formatter

There are two ways I can think of to format strings in Python where user input may make its way into the format string input: >>> a = input() >>> print(a % ()) >>> a = ...
Aaron Esau
1 vote
1 answer
2k views

Can you perform a buffer overflow and a format string attack at the same time?

So I hope I'm phrasing this right. I'm trying to exploit a piece of C code which you can see below. #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h>...
Fiach ONeill
16 votes
4 answers
14k views

Are there any Security Concerns to using Python F Strings with User Input

Background A while ago I started using F strings in Python but remembered seeing some security concerns with using them with user input so I have made a point of not using them for those situations. ...
MikeSchem
  • 2,391
2 votes
1 answer
1k views

Format string exploit length

I'm new to Software security and I'm studying it now at the university. I had some doubts about the Format String exploit, in particular how to count the length (in number of bytes) of a format string ...
Mattia Surricchio
0 votes
1 answer
219 views

How to send a string format exploit through socket

I'm doing a CTF exercise here: https://c-wars.acnr.se/download/level2.tgz There is a docker with the vulnerable service, which I need to find the value of a variable. I was able to do it by the ...
Ramon Medeiros