Project 5: Format String Vulnerability Demonstrator

A comprehensive demonstration of format string attacks—reading stack values, reading arbitrary memory, writing to arbitrary memory, and achieving code execution.

Quick Reference

Attribute Value
Primary Language C
Alternative Languages Python (for exploits)
Difficulty Level 3: Advanced
Time Estimate 2 weeks
Knowledge Area Exploit Awareness / Format Strings
Tooling GDB, pwntools, printf source
Prerequisites Project 3, understanding of stack layout

What You Will Build

A comprehensive demonstration of format string attacks—reading stack values, reading arbitrary memory, writing to arbitrary memory, and achieving code execution.

Why It Matters

This project builds core skills that appear repeatedly in real-world systems and tooling.

Core Challenges

  • Understanding printf internals → maps to variadic functions, va_list
  • Leaking stack values → maps to %x and %p usage
  • Arbitrary read with %s → maps to controlling address on stack
  • Arbitrary write with %n → maps to byte-by-byte writing

Key Concepts

  • Variadic Functions in C: “C Programming: A Modern Approach” Ch. 26
  • Format String Exploitation: “Hacking: Art of Exploitation” Ch. 5
  • RELRO and GOT Protection: Hardening ELF binaries article

Real-World Outcome

$ ./format_demo
Format String Vulnerability Demonstrator
-----------------------------------------

[Level 1: Stack Leak]
Enter format string: %x.%x.%x.%x.%x
Output: deadbeef.cafebabe.12345678.ffff0000.41414141
  → Leaked 5 values from stack!

[Level 2: Arbitrary Read]
Target address: 0x404040 (contains "SECRET_KEY")
Enter format string: [crafted payload with address]
Output: SECRET_KEY
  → Read arbitrary memory!

[Level 3: Arbitrary Write]
Target variable at 0x404060 = 0
Enter format string: [crafted payload with %n]
Target variable now = 1337
  → Wrote arbitrary value!

[Level 4: Code Execution]
GOT entry for exit() at 0x404018
win() function at 0x401337
Enter format string: [GOT overwrite payload]
  → Calling exit()... but it's been hijacked!
You win! Format string exploitation complete.

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_SECURE_C_AND_EXPLOIT_AWARENESS.md
  • “Hacking: The Art of Exploitation” by Jon Erickson