How to exploit printf format string vulnerability on 64 bit system with NX enabled?

In this code example, what could you do to get a shell?

#include <stdio.h>
#include <stdlib.h>

void f(char *buf) {
  printf(buf);   /* user input is used directly as the format string: this is the bug under discussion */
  exit(0);       /* f() never returns; exit() is reached through the PLT/GOT entry the question refers to */
}

int main() {
  char buf[1024];
  scanf("%1023s", buf);   /* width must leave room for the terminating NUL; "%1024s" would write 1025 bytes */
  f(buf);
  return 0;
}

I think that because of NX and lack of obvious place to jump (there is no execve(/bin/bash... anywhere in the code) it has to be a return-to-libc attack, but where to jump?

I believe it is possible to overwrite GOT entry of exit to jump to arbitrary location, for example execve or system, but how to set proper arguments in registers? Search the binary for ROP chain and jump there?

Or is there some other way to get a shell out of this?

Mr M.
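Added example, not code from the question or the answer: the hardened form of the question's f(), which never lets untrusted data act as a format, plus a small scanner (hypothetical helper scan_format_directives, not a libc function) that counts printf conversion directives in an input line and singles out %n, the directive that turns a format-string bug into a memory write. The sample inputs at the bottom are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion directives in an untrusted string ("%%" is a literal
 * percent and is not counted). *n_writes receives how many of them are %n.
 * Hypothetical helper written for this example; it is not part of libc. */
int scan_format_directives(const char *s, int *n_writes)
{
    int directives = 0, writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;          /* "%%" prints a literal '%' */
        /* skip flags, width, precision, positional "$" and length modifiers */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) p++;
        if (!*p) break;                   /* dangling '%' at end of input */
        directives++;
        if (*p == 'n') writes++;
    }
    if (n_writes) *n_writes = writes;
    return directives;
}

int count_n_writes(const char *s) { int w; scan_format_directives(s, &w); return w; }

/* Gate for input that is about to reach a printf-family call. */
int is_safe_for_printf(const char *s) { return scan_format_directives(s, NULL) == 0; }

/* Hardened form of the question's f(): the data is an argument, never the format. */
void f_fixed(const char *buf)
{
    fputs(buf, stdout);                   /* equivalently: printf("%s", buf); */
    fputc('\n', stdout);
}

int main(void)
{
    /* Constructed samples: benign text, an escaped percent, a read probe, and %n writes. */
    const char *samples[] = { "hello world", "100%% done", "%p%p%p%p", "AAAA%7$n", "%hhn%hhn" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int writes;
        int d = scan_format_directives(samples[i], &writes);
        printf("%-12s directives=%d %%n=%d -> %s\n", samples[i], d, writes, d ? "reject" : "ok");
        f_fixed(samples[i]);              /* safe no matter what the string contains */
    }
    return 0;
}
```

Compiling the original snippet with gcc -Wall -Wformat=2 reports printf(buf) as a format-security warning, and building with -D_FORTIFY_SOURCE=2 -O2 makes glibc abort when %n appears in a format string that lives in writable memory.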

1 Answer

On top of all you've said yourself, nowadays most printf functions don't support the %n marker used to exploit format strings, so that attack technique is kind of dead.

It might very well be unexploitable in today's scene. So unless this is an exercise in format string exploitation or a capture the flag type of thing I suggest you focus on more up-to-date exploitation techniques.

NirIzr