Uncontrolled format string exploits can be used to crash a program or to execute attacker-controlled code. The problem stems from passing unchecked user input as the format string parameter of C functions that perform formatting, such as printf(), sprintf() and syslog(). A malicious user can supply format tokens such as %x and %s: %x prints whatever value sits in the next argument slot (on x86-32, successive words of the call stack), and %s dereferences that value as a pointer and prints the bytes found there, so either token can leak data from the stack or from other memory locations. Arbitrary data can also be written to arbitrary locations using the %n token, which makes printf() and similar functions store the number of characters output so far into the int pointed to by the corresponding argument. When the attacker supplies the format and no such argument was passed, the pointer is simply read from the stack, and the attacker can often plant that address there as part of the same input.
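The following is an added example, not code from the original page, that shows the vulnerable and the safe call pattern side by side and demonstrates, with well-defined behaviour, the two properties the paragraph relies on: that %n stores the running character count through a pointer argument, and that an attacker can pick the value stored by padding an earlier directive with a field width. The function names (log_safe, chars_written_by, padded_count, contains_format_directive) are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable pattern: the caller's string IS the format, so any
 * '%' directives in it are interpreted. Modern gcc builds that enable
 * -Werror=format-security (the default on some distributions) refuse
 * to compile this line, which is why it is guarded out of the build. */
#if 0
void log_vulnerable(const char *user) { printf(user); }
#endif

/* The correct pattern: the format is a literal and the user data is an
 * argument, so "%n" inside it is printed as two characters, never acted on. */
void log_safe(const char *user) { printf("%s\n", user); }

/* %n stores the number of characters emitted so far into the int pointed
 * to by the matching argument. Here that pointer is supplied legitimately,
 * so the behaviour is well defined; in the exploit case it is whatever the
 * function finds in the next argument slot on the stack. */
int chars_written_by(const char *prefix) {
    int n = 0;
    char buf[256];
    snprintf(buf, sizeof buf, "%s%n", prefix, &n);
    return n;
}

/* How an attacker controls the value %n writes: a field width pads the
 * preceding directive, so "%<width>x%n" emits exactly width characters
 * and n == width. (The width is passed with '*' here to keep it a
 * parameter; an exploit string would spell it out, e.g. "%300x%n".) */
int padded_count(int width) {
    int n = 0;
    char buf[512];                 /* larger than any width used below */
    snprintf(buf, sizeof buf, "%*x%n", width, 0, &n);
    return n;
}

/* Cheap input check a program can apply before data ever reaches a
 * formatting function as the format: reject anything containing '%'.
 * Fixing the call site (log_safe) is the real fix; this is defence in depth. */
int contains_format_directive(const char *s) {
    return strchr(s, '%') != NULL;
}

int main(void) {
    /* Constructed sample input resembling an attacker string. */
    const char *hostile = "AAAA%x%x%x%n";
    printf("safe:   ");
    log_safe(hostile);
    printf("%%n after \"AAAA\" stores %d\n", chars_written_by("AAAA"));
    printf("%%300x%%n stores %d\n", padded_count(300));
    printf("directive in input: %d\n", contains_format_directive(hostile));
    return 0;
}
```

Running it shows the hostile string printed back verbatim by log_safe, while the two count functions show the mechanism the exploit abuses: the stored value is the output length, and the output length is chosen by the attacker through padding.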
Let's try to understand this further with the following piece of sample code:
Now compile the code. The command below uses gcc's default settings; on distributions whose toolchain turns on hardening by default (PIE, stack protector, FORTIFY_SOURCE), those protections would have to be disabled for the later steps to behave as described:
gcc formatString.c -o formatString
Note that printf() takes its first parameter as the format string...