# Format Strings
http://www.cplusplus.com/reference/cstdio/printf/?kw=printf

- `printf()` in C/C++ can be used to print fixed strings, variables in many different formats
- the following program uses `printf()` incorrectly!
- "Hello World\n" string technically is the format string (devoid of special escape sequences called format parameters)
- format parameters begins with a `%` sign; for each format parameter (%) function expects arguments
- format specifier follows this prototype:
`%[flags][width][.precision][length]specifier`

- following parameter requires values as arguments

| Parameter | Output Type |
| --- | --- |
| %d | Decimal |
| %u | Unsigned decimal |
| %x | Hexadecimal |

- the following parameters expect pointers as arguments

| Parameter | Output Type |
| --- | --- |
| %s | String |
| %n | Number of bytes written so far |
| %p | Memory address |

In [2]:
#include <stdio.h>

int main() {
    printf("Hello World!\n");
    return 0;
}

Hello World!


In [6]:
// fmt_strings.c

#include <stdio.h>
#include <string.h>

int main() {
   char string[10];
   int A = -73;
   unsigned int B = 31337;

   strcpy(string, "sample");

   // Example of printing with different format string
   printf("[A] Dec: %d, Hex: %x, Unsigned: %u\n", A, A, A);
   printf("[B] Dec: %d, Hex: %x, Unsigned: %u\n", B, B, B);
   printf("[field width on B] 3: '%3u', 10: '%10u', '%08u'\n", B, B, B);
   printf("[string] %s  Address %p\n", string, string);

   // Example of unary address operator (dereferencing) and a %x format string
   printf("variable A is at address: %p\n", &A);
}

[A] Dec: -73, Hex: ffffffb7, Unsigned: 4294967223
[B] Dec: 31337, Hex: 7a69, Unsigned: 31337
[field width on B] 3: '31337', 10: '     31337', '00031337'
[string] sample  Address 0x7fff5c15086e
variable A is at address: 0x7fff5c150868


## The Format String Vulnerability
- using `printf(string)` instead of `printf("%s", string)`

In [7]:
// fmt_vuln.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
   char text[1024];
   static int test_val = -72;

   if(argc < 2) {
      printf("Usage: %s <text to print>\n", argv[0]);
      exit(0);
   }
   
   strcpy(text, argv[1]);

   printf("The right way to print user-controlled input:\n");
   printf("%s", text);


   printf("\nThe wrong way to print user-controlled input:\n");
   printf(text);

   printf("\n");

   // Debug output
   printf("[*] test_val @ 0x%08x = %d 0x%08x\n", &test_val, test_val, test_val);

   exit(0);
}

   printf(text);
          ^~~~
/var/folders/4f/1pkkv7h960j42p0ppgk9n4ywjr6t_b/T/tmp1fm3cgew.c:22:11: note: treat the string as an argument to avoid this
   printf(text);
          ^
          "%s", 
   printf("[*] test_val @ 0x%08x = %d 0x%08x\n", &test_val, test_val, test_val);
                            ~~~~                 ^~~~~~~~~


Usage: /var/folders/4f/1pkkv7h960j42p0ppgk9n4ywjr6t_b/T/tmpo7k8lmsi.out <text to print>


In [10]:
! gcc -o fmt_vuln.exe booksrc/fmt_vuln.c
sudo chown root:root ./fmt_vuln.exe
sudo chmod u+s ./fmt_vuln
./fmt_vuln

/var/folders/4f/1pkkv7h960j42p0ppgk9n4ywjr6t_b/T/tmpzm6rel_f.c:1:1: error: expected identifier or '('
! gcc -o fmt_vuln.exe booksrc/fmt_vuln.c
^
1 error generated.
[C kernel] GCC exited with code 1, the executable will not be executed