Exploiting Format String vulnerabilities tutorial - pwn106 - PWN101 | TryHackMe

Understanding the format string vulnerability step by step in this thorough tutorial explaining its very foundations, the underlying concepts. How do format string vulnerabilities happen, why and how can we abuse them. Format String vulnerabilities allow an attacker to both leak memory and corrupt it by writing arbitrary values. In this video we will learn how to leak memory by abusing a Format String vulnerability, aside from understanding what is happening internally. Step-by-step tutorial solving pwn106 from PWN101 binary exploitation room on TryHackMe.

Golden Format String papers and posts:
- Defcon Quals: babyecho (format string vulns in gory detail) https://blog.skullsecurity.org/2015/defcon-quals-babyecho-format-string-vulns-in-gory-detail
- Exploiting Format String Vulnerabilities (scut / team teso) https://cs155.stanford.edu/papers/formatstring-1.2.pdf
- Format String Exploitation tutorial by Saif El-Sherei https://www.exploit-db.com/docs/english/28476-linux-format-string-exploitation.pdf
- Exploit 101: Format Strings https://axcheron.github.io/exploit-101-format-strings/
- Format String Vulnerability (Syracuse University) https://web.ecs.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf
- Lab 1: Format Strings https://cs-uob.github.io/COMSM0049/labs/LAB1.html

My post about 32-bit format string:
- 247CTF - Confused Environment Read: https://razvioverflow.github.io/247ctf/confused-environment-read.html

Wikipedia printf format string: https://en.wikipedia.org/wiki/Printf_format_string
cplusplus.com printf: https://www.cplusplus.com/reference/cstdio/printf/

PWN101 Room: https://tryhackme.com/room/pwn101

Binary Exploitation PWN101 Playlist: https://www.youtube.com/playlist?list=PLchBW5mYosh_F38onTyuhMTt2WGfY-yr7
Binary Exploitation PWN101 Webpage: https://razvioverflow.github.io/tryhackme/pwn101

00:00 - Intro
00:12 - Checking binary protections
00:43 - Executing the binary
01:16 - Spotting the vuln: Format String
01:48 - Format String vulnerability
02:41 - Best Format String exploitation resources
04:53 - Explaining Format String vulnerability
07:25 - Playing with an example
07:54 - Testing and understanding the vulnerability
11:35 - Debugging the vulnerability
12:51 - Calling convention for 64-bit architectures
14:00 - Understanding the vulnerability
18:30 - Format specifiers and sub-specifiers
19:45 - Debugging again
22:07 - Recap
23:23 - Positional argument
25:50 - Leaking the toy secret
26:59 - Differences 32 and 64 bits
27:30 - Disassembling the binary
27:55 - Spotting the vulnerability
29:23 - Writing the exploit
31:50 - Spotting the position of the flag
32:30 - Exploiting locally
34:20 - Exploiting remotely
34:55 - Reading the flag
35:15 - Outro[*]

Exploit code, not people.
Twitter: @Razvieu
*Outro track: Etsu - Selcouth
GG