How To Exploit A Format String Vulnerability
I was writing a paper on format string vulnerabilities, but while doing some additional research I've found the following paper which already explains it all, so I decided to stop writing about format string vulnerabilities and put a link to this paper here:
Here's the paper: http://doc.bughunter.net/format-string/exploit-fs.html
Exploiting Format String Vulnerabilities
Written by: scut / team teso
* Introduction
  * Comparison: Buffer Overflows and Format String Vulnerabilities
  * Statistics: important format string vulnerabilities in 2000
* The format functions
  * How does a format string vulnerability look like?
  * The format function family
  * Use of format functions
  * What exactly is a format string?
  * The stack and its role at format strings
* Format string vulnerabilities
  * What do we control now
  * Crash of the program
  * Viewing the process memory
  * Overwriting of arbitrary address with arbitrary data
* Variations of Exploitation
  * Short Write
  * Stack Popping
  * Direct Parameter Access
  * Brute Forcing
    * Response Based Brute Force
    * Blind Brute Forcing
  * Special Cases
    * GOT overwrite
    * Other targets
    * Return into LibC
    * Multiple Print
    * Format string within the Heap
    * Special considerations
* Tools
  * ltrace, strace
  * GDB, objdump
* References