abelrguezr/format-string-exploitation
skills/binary-exploitation/format-strings/format-strings-template/SKILL.md
How to exploit format string vulnerabilities in C binaries. Use this skill whenever the user mentions format string vulnerabilities, printf vulnerabilities, GOT/PLT overwrites, or needs to exploit a binary with format string bugs. This skill automates finding the format string offset, crafting payloads, and overwriting GOT entries to redirect function calls (e.g., printf → system) for code execution.
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills format-string-exploitationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:09 AM17.8s2 files scanned
SKILL.md
- name:
- format-string-exploitation
- description:
- How to exploit format string vulnerabilities in C binaries. Use this skill whenever the user mentions format string vulnerabilities, printf vulnerabilities, GOT/PLT overwrites, or needs to exploit a binary with format string bugs. This skill automates finding the format string offset, crafting payloads, and overwriting GOT entries to redirect function calls (e.g., printf → system) for code execution.
Format String Exploitation
A skill for exploiting format string vulnerabilities in C binaries using pwntools.
When to Use This Skill
Use this skill when:
- You're given a binary with a format string vulnerability (e.g.,
printf(user_input)without format specifiers) - You need to leak stack memory or overwrite GOT entries
- You want to redirect function calls (printf → system) for shellcode execution
- You're working on CTF challenges involving format string bugs
Quick Start
-
Configure the connection in
scripts/format_string_exploit.py:- Set
LOCAL = Truefor local testing - Set
REMOTETTCP = Truefor remote TCP - Set
REMOTESSH = Truefor SSH (e.g., OverTheWire)
- Set
-
Run the exploit:
python scripts/format_string_exploit.py -
Review the output - the script will:
- Automatically find the format string offset
- Overwrite GOT entries
- Spawn an interactive shell
How Format String Exploitation Works
The Vulnerability
Format string vulnerabilities occur when user input is passed directly to format functions like printf(), fprintf(), or sprintf() without a format string argument:
// VULNERABLE
char *input = get_user_input();
printf(input); // User can use %x, %s, %n to read/write memory
// SAFE
printf("%s", input); // Format string is controlled
Attack Phases
- Find the offset: Determine which position in the format string corresponds to your input
- Leak memory: Use
%xor%pto read stack values - Overwrite GOT: Use
%nto write addresses to memory - Redirect execution: Point printf GOT entry to system PLT
- Trigger shell: Find where printf is called with controlled input
Configuration Options
| Variable | Description | Default |
|----------|-------------|----------|
| LOCAL | Run binary locally | True |
| REMOTETTCP | Connect via TCP | False |
| REMOTESSH | Connect via SSH | False |
| GDB | Attach GDB for debugging | False |
| LOCAL_BIN | Path to vulnerable binary | "./tyler" |
| PREFIX_PAYLOAD | Bytes to prepend to payload | b"" |
| SUFFIX_PAYLOAD | Bytes to append to payload | b"" |
| MAX_LENTGH | Maximum payload length | 999999 |
Example Usage
Local Binary
LOCAL = True
LOCAL_BIN = "./vulnerable_binary"
Remote TCP
REMOTETTCP = True
# Update in connect_binary():
P = remote('10.10.10.10', 1338)
SSH (OverTheWire)
REMOTESSH = True
REMOTE_BIN = "./tyler"
# SSH credentials configured in connect_binary()
Advanced: Loop Back for Extra Execution
Some binaries require looping back to the vulnerability for a second exploitation. Uncomment in the script:
P_FINI_ARRAY = ELF_LOADED.symbols["__init_array_end"]
INIT_LOOP_ADDR = 0x8048614 # Address to return to
format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR)
Troubleshooting
Offset not found
- Increase the search range in
get_formatstring_config() - Check if the binary has ASLR enabled (
setarch -R) - Verify the binary actually has a format string vulnerability
GOT overwrite fails
- Check if the binary is PIE (Position Independent Executable)
- Verify GOT entry is writable
- Ensure you're writing the correct address
Shell doesn't spawn
- Find where printf is called with user-controlled input
- The input should contain
/bin/shor similar - Check if the binary has a second call to printf after GOT overwrite
References
- HackTricks Format Strings
- pwntools FmtStr
- Format String Attacks - Phrack 59
Script Files
scripts/format_string_exploit.py- Main exploitation script
Run the script after configuring your connection settings. The script will automatically:
- Find the format string offset
- Overwrite printf GOT with system PLT
- Spawn an interactive shell
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-overflow-exploitation
testing
VerifiedTrustedCommunity
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
5SKILL.mdUpdated Apr 16, 2026