String format vulnerabilities

Uncontrolled format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as a string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in the memory. We could also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write the number of bytes formatted to an address stored on the stack.

Let's try to understand this further with the following piece of sample code:

Now, go ahead and compile the code, disabling the inbuilt protection as shown:

 gcc formatString.c -o formatString

Note that printf() takes its first parameter as the format string (%s, %c, %d, and so on). In the preceding case, argv[1] is used directly as the format string, so it can be made to print the contents of arbitrary memory locations. The preceding code is therefore vulnerable. If it had been written as shown, however, with a literal format string and the user input passed only as an argument, the vulnerability would not exist:
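The two forms just described, as an added example that is not the book's own sample code: a hypothetical logging wrapper is called once with untrusted text as the format string (the bug) and once with a literal "%s" format (the fix), plus a small defensive check that counts conversion directives in untrusted text. All names are assumed; the inputs are constructed and use only "%%" so the vulnerable path stays deterministic.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper of the kind found in many code bases:
 * it forwards a format string and its arguments to vsnprintf(). */
static int log_message(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Vulnerable: the untrusted text becomes the format string, so every
 * '%' directive in it is interpreted (with %x it would read whatever
 * happens to be on the stack; with %n it would write memory). */
int render_unsafe(char *out, size_t n, const char *user)
{
    return log_message(out, n, user);
}

/* Fixed: the format string is a literal, and the untrusted text is
 * only ever the argument consumed by "%s". */
int render_safe(char *out, size_t n, const char *user)
{
    return log_message(out, n, "%s", user);
}

/* Defensive check: count '%' conversion directives in untrusted text.
 * "%%" is a literal percent sign; any other character after '%'
 * (including end of string) starts a directive. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        count++;
    }
    return count;
}

int main(void)
{
    char buf[64];
    const char *input = "progress 50%% (constructed input)";
    render_unsafe(buf, sizeof buf, input); printf("unsafe: %s\n", buf);
    render_safe(buf, sizeof buf, input);   printf("safe:   %s\n", buf);
    printf("directives in \"%%s%%x%%n\": %d\n", count_directives("%s%x%n"));
    return 0;
}
```

Compiling with gcc -Wall -Wformat=2 flags non-literal format strings at the printf-family call sites, but a wrapper like log_message() hides the bug from the compiler unless it carries the format attribute, which is why the runtime check is worth having.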

Now that we have compiled the application, let's run it with the kinds of input that will break it, as shown:

Let's break the code with the format string vulnerability as shown:

The preceding screenshot gives a starting point; again, we will leave it to the reader to explore how to exploit this further. It is recommended that you try the same methodology that we discussed in detail previously.
