


Format Strings: GOT table overwrite to change Control Flow Remotely on ASLR

Previously we saw how to use a format string to leak memory and then return to the PLT to bypass ASLR. In this article we will see what more we can do with format string exploits: instead of only reading, we will write.

We had a format string vulnerability in a call to printf, so let's head to the printf manpage and look at the conversion specifiers. From the man page:

    Conversion specifiers
        A character that specifies the type of conversion to be applied. The conversion specifiers and their meanings are:

        n   The number of characters written so far is stored into the integer pointed to by the corresponding argument. That argument shall be an int *, or a variant whose size matches the (optionally) supplied integer length modifier. No argument is converted. (This specifier is not supported by the bionic C library.) The behavior is undefined if the conversion specification includes any flags, a field width, or a precision.

Last time we used the '%p' conversion specifier with printf to leak memory. As we can see in the man page, '%n' can be used to write nu…
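The write primitive the article builds on, as an added example that is not code from the original post: one printf-family call with four %hhn conversions stores an arbitrary 32-bit value, one byte at a time, into a chosen address, which is exactly what overwriting a GOT slot requires. The helper name fmt_write_u32, the scratch buffer and the sample values are assumptions of this example. Output goes into a buffer via snprintf so only the side effect on the target is visible, the format is a string literal so the program also runs where glibc's _FORTIFY_SOURCE rejects %n in writable format strings, and the byte order assumes a little-endian target such as x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (added example, not from the article): store a 32-bit
 * value into *target with four "%hhn" conversions in a single snprintf call.
 * Each "%*c" pads the running character count so that, modulo 256, it equals
 * the byte we want to land in that position. Returns the total number of
 * characters the call "printed", i.e. the payload length an attacker pays. */
size_t fmt_write_u32(uint32_t *target, uint32_t value)
{
    /* %hhn stores the count into a signed char; little-endian means p[0] is the LSB */
    signed char *p = (signed char *)target;
    int pad[4];
    size_t count = 0;

    for (int i = 0; i < 4; i++) {
        int want = (int)((value >> (8 * i)) & 0xff);   /* byte we need at p[i] */
        int have = (int)(count % 256);                  /* count so far, mod 256 */
        int need = ((want - have) % 256 + 256) % 256;   /* extra chars to print */
        /* "%*c" always emits at least one character, so a zero pad becomes 256 */
        if (need == 0)
            need = 256;
        pad[i] = need;
        count += (size_t)need;
    }

    /* Worst case is 4 * 256 characters, so the sink never truncates. The pad and
     * pointer arithmetic above is what an attacker encodes into the injected
     * format string; here the format stays a literal and the pads are arguments. */
    char sink[1200];
    int n = snprintf(sink, sizeof sink,
                     "%*c%hhn%*c%hhn%*c%hhn%*c%hhn",
                     pad[0], 'A', &p[0],
                     pad[1], 'A', &p[1],
                     pad[2], 'A', &p[2],
                     pad[3], 'A', &p[3]);
    return n < 0 ? 0 : (size_t)n;
}

int main(void)
{
    /* Constructed sample: a fake 4-byte GOT entry and the address we want in it */
    uint32_t fake_got_entry = 0;
    uint32_t wanted = 0xdeadbeefu;

    size_t printed = fmt_write_u32(&fake_got_entry, wanted);
    printf("wrote 0x%08x using %zu characters of padding\n",
           fake_got_entry, printed);
    return fake_got_entry == wanted ? 0 : 1;
}
```

In a real exploit the four addresses sit in the attacker-controlled buffer and are selected with positional arguments (for example %7$hhn), and the padding is computed exactly as above; on 64-bit the pointers contain null bytes, so they must follow the format text rather than precede it, because printf stops at the first NUL. Keep the man page caveats in mind: %n is unavailable on bionic, and flags, width or precision on %n itself are undefined (the width belongs on the padding conversion, not on %n).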
