# Leaking Data

## Leaking Memory

Memory can be leaked by using:

- `%c`: read a char off the stack.
- `%d, %i, %x`: read an int (4 bytes) off the stack.
- `%x`: read an int (4 bytes) in hex.
- `%s`: dereference a pointer and read out bytes until a null byte.

## Controlling *how* much to leak

There are a few size parameters that can be used:

- `%x`: leaks 4 bytes.
- `%hx`: leaks 2 bytes.
- `%hhx`: leaks 1 byte.
- `%lx`: leaks 8 bytes.
- `%7$x`: prints the 7th parameter (on the stack).
  - The `$` operator within the format string is used to specify which parameter we are interested in!
  - The above instruction prints the 7th parameter as a hex value!
  - ![](my_secret_value.png)

## Demo

![](format_string_demo_1.png)

## Non-Trivial Format String Vulnerabilities

Format strings are sometimes:

- Dynamically generated.
- Used for internal logic, as opposed to I/O functions, like `sprintf`, `snprintf`, and `sscanf`.
- Used for logging (`fprintf`).
- Used for input (`scanf`).

All are exploitable.
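As an added example (not part of the original notes), the C below scans untrusted text for the specifiers this page lists, including the `N$` position and the `h`/`hh`/`l` sizes, and reports what each would read; beside it is the hardened logging call that passes the data through a literal `"%s"` format so nothing inside it is interpreted. All function names and the sample strings are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One conversion specifier found in untrusted text. */
struct conv {
    int  position;  /* N from "N$" (the page's %7$x form), 0 when absent */
    int  bytes;     /* bytes read off the stack, per the page's size table */
    int  deref;     /* 1 for %s: the value is a pointer that is dereferenced */
    char spec;      /* conversion character c d i x s, or '?' if unrecognised */
};
/* Scan `s` for conversion specifiers (skipping the literal "%%"), recording up to
 * `cap` of them in `out`. Returns the total found: any non-zero count on data that
 * is about to be passed as a format string is the defect to flag in review. */
static int scan_format(const char *s, struct conv *out, int cap) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }              /* "%%" prints '%' */
        const char *q = p + 1, *d = p + 1;
        struct conv c = { 0, 4, 0, '?' };
        while (isdigit((unsigned char)*d)) d++;
        if (d != q && *d == '$') { c.position = atoi(q); q = d + 1; } /* "N$" */
        while (*q && strchr("-+ #0", *q)) q++;           /* flags */
        while (isdigit((unsigned char)*q)) q++;          /* field width */
        if (*q == 'h') { c.bytes = 2; q++; if (*q == 'h') { c.bytes = 1; q++; } }
        else if (*q == 'l') { c.bytes = 8; q++; }        /* h=2, hh=1, l=8 */
        if (*q && strchr("cdixs", *q)) c.spec = *q;
        if (c.spec == 'c') c.bytes = 1;
        if (c.spec == 's') { c.bytes = (int)sizeof(void *); c.deref = 1; }
        if (n < cap) out[n] = c;
        n++;
        if (*q) p = q;                                   /* resume after spec */
    }
    return n;
}

/* Accessors for the i-th specifier's fields (-1 if there is no i-th one). */
static int conv_bytes(const char *s, int i)    { struct conv v[16]; return i < 16 && i < scan_format(s, v, 16) ? v[i].bytes : -1; }
static int conv_position(const char *s, int i) { struct conv v[16]; return i < 16 && i < scan_format(s, v, 16) ? v[i].position : -1; }
static int conv_deref(const char *s, int i)    { struct conv v[16]; return i < 16 && i < scan_format(s, v, 16) ? v[i].deref : -1; }

/* Hardened logging: the format is a literal and `msg` is only an argument, so
 * a "%7$x" inside msg is copied verbatim instead of reading the 7th parameter. */
static const char *log_hardened(const char *msg) {
    static char buf[128];
    snprintf(buf, sizeof buf, "%s", msg);
    return buf;
}
```

The scanner is the check to run wherever caller-supplied text reaches a `printf`-family function; the fix is always the `"%s"` form, never filtering.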