root-me:Format string bug

I’d stayed away from pwn for several months because of my own fucking thoughts.
These days I have dived into the ICS program assignment again and it makes me so gloomy.
To have more fun, this article appeared.
The article is aimed at summarizing the general way to exploit format string bugs.
All the challenges can be found on root-me under:

EN – Format Bugs – Exploiting format string



ELF x86 – Format string bug basic 1

It is the time I feel I am very stupid… Let’s see the code:

It’s extremely simple, right?
We know the buffer is always on the stack, no matter how the stack layout changes,
so we just dump enough stack words with the format string,
then reorder each word into little-endian byte order,
convert the bytes into ASCII,
and the printable characters are our answer.

A wonderful script from Internet:

ELF x86 – Format string bug basic 2

What we should notice is that the character ‘$’ must be escaped with ‘\’.

Recall the push order of the parameters of printf(); for example:

The stack layout is:


As we see, AAAA (41414141) appears at the ninth parameter position after the AAAA we printed.
So we have a method to write 0xdeadbeef to the target address:
put the check address where AAAA was, then write the desired value to the check address using %?$n.

%?$n: takes the number of characters output so far and writes it to the ?th parameter.

After this, its layout will be:


0xdeadbeef is too large to produce as a single output length, so we have to divide it into 0xbeef and 0xdead. The machine is little-endian, so 0xbeef goes through the ninth parameter (the check address) and 0xdead through the tenth (the check address + 2).
h means ‘half of a machine word’; the machine word of the training machine is 32 bits, so %hn writes two bytes.


ELF x86 – Format string bug basic 3

no idea yet

2 thoughts on “root-me:Format string bug”

  1. U r so international

    1. SpeakSoftlyLove, 17 February 2018 at 20:13

