Leaking Data

Leaking Memory

Memory can be leaked by using:

  • %c: read a char off the stack.
  • %d, %i: read an int (4 bytes) off the stack and print it in decimal.
  • %x: read an int (4 bytes) off the stack and print it in hex.
  • %s: dereference a pointer and read out bytes until a null byte.

Controlling how much to leak

There are a few size parameters that can be used:

  • %x: leaks 4 bytes.
  • %hx: leaks 2 bytes.
  • %hhx: leaks 1 byte.
  • %lx: leaks 8 bytes.
  • %7$x: prints the 7th parameter (on the stack).
    • The $ operator within the format string selects which parameter we are interested in!
    • The specifier above prints the 7th parameter as a hex value!
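An added audit helper (not from the original notes) that applies the sizes listed above: it parses a format string's positional `$` prefix and length modifiers to report how many argument bytes its conversions would expose, beside a logging wrapper that keeps untrusted text out of the format position. The struct and function names are hypothetical, and the byte sizes assume LP64 (long and pointers are 8 bytes).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result of auditing one format string (hypothetical helper type). */
struct fmt_audit {
    int conversions;   /* number of conversions that consume an argument */
    size_t bytes;      /* argument bytes they would expose (LP64 sizes) */
    int max_pos;       /* highest explicit n$ parameter index, 0 if none */
};

/* Walk a format string and tally what its conversions would read, using the
 * sizes from the notes (hh = 1, h = 2, none = 4, l = 8; %s and %p take a
 * pointer-sized slot, and %s then dereferences it). */
struct fmt_audit audit_format(const char *fmt) {
    struct fmt_audit r = {0, 0, 0};
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" prints a literal percent */
        const char *q = p;                       /* optional positional n$ prefix */
        int n = 0;
        while (isdigit((unsigned char)*q)) n = n * 10 + (*q++ - '0');
        if (q > p && *q == '$') { if (n > r.max_pos) r.max_pos = n; p = q + 1; }
        while (*p && strchr("-+ #.0123456789", *p)) p++;   /* flags, width, precision */
        size_t width = 4;                        /* length modifier */
        if (*p == 'h') { width = 2; p++; if (*p == 'h') { width = 1; p++; } }
        else if (*p == 'l') { width = 8; p++; if (*p == 'l') p++; }
        switch (*p) {
        case 'c': case 'd': case 'i': case 'u': case 'x': case 'X':
            r.bytes += width; r.conversions++; break;
        case 's': case 'p':
            r.bytes += sizeof(void *); r.conversions++; break;
        case '\0':
            return r;                            /* truncated specifier at end of string */
        default:
            break;                               /* unknown conversion: ignored */
        }
    }
    return r;
}

/* Hardened logging wrapper: untrusted text is always passed as an argument to
 * a fixed format, so its '%' sequences are printed, never interpreted. Returns
 * how many conversions the text would have carried had it been the format. */
int log_untrusted(const char *text) {
    printf("%s\n", text);                        /* safe: "%s" is the format, text is data */
    return audit_format(text).conversions;
}
```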

Demo

Non-Trivial Format String Vulnerabilities

Format strings are sometimes:

  • Dynamically generated.
  • Used for internal logic rather than I/O, in functions like sprintf, snprintf, and sscanf.
  • Used for logging (fprintf).
  • Used for input (scanf).

All are exploitable.