Uncontrolled Format String | CTF

Ahmet Göker
6 min read · Feb 16, 2023

Introduction

Hello! I am back again with a great CTF challenge that I want to walk through.

Today, I will illustrate how to solve the {flag_leak} CTF challenge on PicoCTF with the help of a format string vulnerability. But first, let me talk about what an uncontrolled format string vulnerability is.

A format string vulnerability is a class of bug that, like a buffer overflow, can be exploited to gain control of a privileged program. Combined with other techniques, it can give full control over the IP (Instruction Pointer) of a process. Luckily for programmers, it is a well-known vulnerability and the security hole is easy to spot. Format string vulnerabilities aren’t very common; nonetheless, you should be familiar with how a string is output with the help of ‘printf()’.

by forcing a program to overwrite the address of a library function or the return address on the stack with a pointer to some malicious shell-code. The padding parameters to format specifiers are used to control the number of bytes output and the %x token is used to pop bytes from the stack until the beginning of the format string itself is reached. The start of the format string is crafted to contain the address that the %n format token can then overwrite with the address of the malicious code to execute. (source: Wikipedia)

A format string bug occurs when user-supplied data is included in the format specification string of one of the ‘printf()’ family of functions, including:

printf()

fprintf()

sprintf()

snprintf()

vfprintf()

vprintf()

vsprintf()

vsnprintf()

And any similar functions on your platform that accept a string that can contain C-style format specifiers, such as the ‘wprintf()’ functions on the Windows platforms. The attacker supplies a number of format specifiers that have no corresponding arguments on the stack, and values from the stack are used in their place. This leads to information disclosure and potentially the execution of arbitrary code.

Format Parameters

You can get more information: https://en.wikipedia.org/wiki/Uncontrolled_format_string

CTF-Solution

We are going to solve the {flag_leak} CTF challenge on PicoCTF. As usual, we ought to read the binary so as to understand the file properly.

When we read the description of this challenge it says:

“I’m just copying and pasting with this program. What can go wrong? You can view source here. And connect with it using”

When we read the hint:

“Format String”

Awesome! Now let me copy this file to my terminal.

Do not forget to use: sudo chmod +x vuln to make your file executable

Interesting! We should understand that %p is used to print a pointer address.

This is great because it lets us learn the addresses on the stack. Fuzzing or brute-forcing will be useful for learning about the memory and other useful information.

We got the source code, but let me remind you that you will not always get the source code; in that case you should debug the binary. GDB, radare2 and Cutter would be superb.

Let me check the source code we have.

  1. When we look at the main function, there is nothing interesting, but we have a function called vuln().
  2. BUFSIZE and FLAGSIZE are defined, but we are not interested in them.
  3. When we check the vuln() function, however, we can see where the vulnerability occurs.
  4. We should focus on printf(story) because no format parameters are given.

Wrong:

printf(story);

Right:

printf("%s", story);

The first sample interprets story as a format string and parses any formatting instructions it may contain. The second sample simply prints the string to the screen. The first sample has not been coded well. From a programmer's perspective, we should know that both samples behave identically in the absence of format specifiers in the string, which makes it easy for the mistake to go unnoticed by the developer.
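To see what printf() would make of a story if it were used as the format, here is an added example (not the challenge source and not this write-up's script): scan_format() counts the directives in an input, including positional ones such as %10$s and the %n write, and print_story_safe() is the "Right" form from above. The names fmt_scan, scan_format and print_story_safe and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Added example, illustrative names: what printf() would find in an untrusted format. */
struct fmt_scan {
    int directives;   /* conversions that would consume an argument */
    int writes;       /* %n conversions, which write to memory */
    int max_position; /* highest N in positional %N$ directives */
};

/* Parse `s` the way printf() reads a format, without ever passing it to printf(). */
static struct fmt_scan scan_format(const char *s) {
    struct fmt_scan r = {0, 0, 0};
    while ((s = strchr(s, '%')) != NULL) {
        const char *p = s + 1, *d;
        int n = 0;
        if (*p == '%') { s = p + 1; continue; }   /* "%%" is a literal percent */
        for (d = p; isdigit((unsigned char)*d); d++)
            if (n < 100000) n = n * 10 + (*d - '0');
        if (d > p && *d == '$') {                 /* positional form, e.g. %10$s */
            if (n > r.max_position) r.max_position = n;
            p = d + 1;
        }
        p += strspn(p, "-+ #0");                  /* flags */
        p += strspn(p, "0123456789*.");           /* width and precision */
        p += strspn(p, "hlLqjzt");                /* length modifiers */
        int conv = *p != '\0' && strchr("diouxXeEfFgGaAcspn", *p) != NULL;
        r.directives += conv;
        r.writes += conv && *p == 'n';
        s++;                                      /* resume right after this '%' */
    }
    return r;
}

/* The "Right" form: the story is data for %s, never the format itself. */
static int print_story_safe(char *out, size_t len, const char *story) {
    return snprintf(out, len, "%s", story);
}

int main(void) {
    const char *samples[] = { "%p %p %p", "%10$s", "AAAA%n" }; /* constructed inputs */
    char out[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        struct fmt_scan r = scan_format(samples[i]);
        print_story_safe(out, sizeof out, samples[i]);
        printf("%-10s directives=%d writes=%d max_position=%d\n",
               out, r.directives, r.writes, r.max_position);
    }
    return 0;
}
```

Harmless-looking text such as "100% sure" also counts as one directive, because printf() reads "% s" as %s with the space flag.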

We know that this binary is vulnerable; however, we are still going to check the file with the checksec command.

checksec is a bash script that checks whether PIE, Canary, ASLR and RELRO are present or not. I will not explain what each of these security mitigations does; you can look them up on the internet.

Awesome! NX is enabled and this means:

The abbreviation NX stands for non-execute or non-executable segment. It means that the application, when loaded in memory, does not allow any of its segments to be both writable and executable.

You can also check via GDB:

We can also see that it's 32-bit:

In order to read the flag, we will exploit this file.

  1. I used %p (pointer address)
  2. I used %s (string on the stack)
  3. I used %10$s (the tenth place on the stack)

There are two methods to solve this CTF:

  1. We can use a script to brute-force any string on the stack (%s)
  2. We can also use %x (hex) to brute-force, but we need to convert the output to a string to be able to read it.

As you can see above it gives us different output. So, this means that we might be able to get the flag:

When I solved this challenge, I used a Python script.

1. I know that when I type %s, it gives us different output. I ranged from 0 to 60 to fuzz it.

In order to make it computer-readable, we should encode it to utf-8.

2. I definitely recommend pwntools (https://docs.pwntools.com/en/stable/) to exploit writers; it makes it easy to work with binaries.

I am creating a flag.txt to see whether it works or not:

I am now fuzzing:

As you can see, the content of the flag, “leaked”, is given to us.

Let me try remotely:

Woohoo, we get the flag!

I hope you understood this vulnerability. When I read about the uncontrolled format string vulnerability, it was not easy for me to fully understand.

Summary

I want to conclude this blog with more links and YouTube videos that you can use to gain a better understanding:

LiveOverflow: https://youtu.be/0WvrSfcdq1I

John-Hammond: https://www.youtube.com/watch?v=rkoP2mtwFNI

OWASP: https://owasp.org/www-community/attacks/Format_string_attack

Wikipedia: https://en.wikipedia.org/wiki/Uncontrolled_format_string

Ben-Greenberg: https://www.youtube.com/watch?v=HyGDezTO4aM

Thank you for spending your valuable time reading this blog/write-up.

~ 0xcd4

More blogs and write-ups will be showing up on my channel. Stay tuned!

You can follow me on:

LinkedIn: https://www.linkedin.com/in/ahmetgoker/

Instagram: https://instagram.com/0xcd4_

Twitter: https://twitter.com/TurkishHoodie_

GitHub: https://github.com/0xCD4
