Uncontrolled Format String | CTF

6 min readFeb 16, 2023

Introduction

Hello ! back again with a great CTF challenge that i want to walk-through.

Today, I will be illustrating how to solve {flag_leak} CTF on PicoCTF with the help of format string vulnerability. But let me talk about what uncontrolled format string vulnerability is.

Format String vulnerability: is an exploitation technique which you can use to gain control of a privileged program. Like buffer overflow. It has also a combination technique which you will have a fully control IP(Instruction Pointer) of a process. Luckily for the programmers, it is well-known vulnerability which you can spot this security hole easily. Although, format string vulnerabilities aren’t very common nonetheless. You should be familiar with string which you want to output, with the help of ‘print()’

by forcing a program to overwrite the address of a library function or the return address on the stack with a pointer to some malicious shell-code. The padding parameters to format specifiers are used to control the number of bytes output and the %x token is used to pop bytes from the stack until the beginning of the format string itself is reached. The start of the format string is crafted to contain the address that the %n format token can then overwrite with the address of the malicious code to execute. (source: Wikipedia)

A format string bug occurs when user-supplied data is included in the format specification string of one of the ‘printf()’ family of functions, including:

printf()

fprintf()

sprintf()

snprintf()

vfprintf()

vprintf()

vsprintf()

vsnprintf()

And any similar functions on your platform that accept a string that can contain C-style format specifiers, such as the ‘wprintf()’ functions on the Windows platforms. The attacker supplies a number of format specifiers that have no corresponding arguments on the stack, and values from the stack are used in their place. This leads to information disclosure and potentially the execution of arbitrary code.

You can get more information: https://en.wikipedia.org/wiki/Uncontrolled_format_string

CTF-Solution

We are going to solve {flag_leak} CTF challenge on PicoCTF. As usual, we ought to read the binary so as to understand the file properly.

When we read the description of this challenge it says:

“I’m just copying and pasting with this program. What can go wrong? You can view source here. And connect with it using”

When we read the hint:

“Format String”

Awesome! Now let me consider to copy this file to my terminal.

Do not forget to use: sudo chmod +x vuln to make your file executable

Interesting! We should understand the %p is being used for pointer address

This is great because we are able to know the addresses into the stack. Fuzzing or brute-forcing will be useful to know about the memory and other useful information.

We gotten the source code, but let me remind that you will not always get the source code, you should debug it. GDB, radare2 and cutter would be superb.

Let me check the source code what we have.

When we look at the main function there is noting interesting but we have a function called vuln()
BUFSIZE and FLAGSIZE have been given but we are not interested
When we check the function called vuln() we know that vulnerability occurs however.
We should consider on printf(story) because there is not parameters given.

Wrong:

printf(story);

Right:

printf(“%s”,story);

The first sample interprets story as a format string, and parses any formatting instructions it may contain. The second sample simply prints a string to the screen, the first sample has not been coded well, as a programmer perspective we should know that absence of format specifiers in the string is identical, which makes it easy for the mistake to go unnoticed by the developer.

We know that this binary is vulnerable however, we are going to check this file with the command checksec

checksec : is a bash script which controls whether; PIE, Canary, ASLR,RELRO is present or not. I will not explain what these security mitigations do respectively you can check on internet.

Awesome! NX is enabled and this means:

The abbreviation NX stands for non-execute or non-executable segment. It means that the application, when loaded in memory, does not allow any of its segments to be both writable and executable.

You can also check via GDB:

We can also see that its 32 bit:

In order to read the flag we will exploit this file

I used %p (pointer address)
I used %s (string into the stack)
I used %10$s (the tenth place into the stack)

There are two methods to solve this CTF:

We can use a script to brute-force any string into the stack (%s)
We can use %x (hex) to also bruteforce, but we need to convert it to string to be able to read it.