Format String

This text written by gera is about two small tricks that may help speed up brute-forcing when exploiting format string bugs.
This paper written by scut explains the nature of format string vulnerabilities. It describes how to find vulnerable C source code, and why format string vulnerabilities are more dangerous than common buffer overflows. Several exploitation techniques are detailed. After reading this article, the reader should be able to exploit almost any kind of format string vulnerability.
This short paper written by lamagra explains what format bugs are, and how these flaws can be exploited to run arbitrary code when the attacker controls the content of the format string parameter.
This article shows various techniques that can be used in order to exploit format string vulnerabilities, through various examples.
This paper written by kalou tries to explain how to exploit a printf(userinput) format bug, as reported in some recent advisories. The approach is basic, and in particular does not take into account any existing exploit (wu-ftpd, ...). A general knowledge of C programming and assembler is assumed throughout this article (stack issues, registers, endian storage).
This paper written by riq presents a generic way to deal with these format string bugs on SPARC (and other big-endian machines). It may be possible to use a similar technique on i386.
This article written by Seunghyun Seo describes how a format string vulnerability can be exploited, in a limited situation, on an Alpha system.