Pocket Tanks Deluxe vs Format String (BOF)

Today I will show you a format string vulnerability that I found in Pocket Tanks Deluxe. This type of weakness can be very dangerous if handled well. In fact, it is possible to cause a remote buffer overflow on the victim machine and maybe a shell injection to take control of the remote PC.

In the first picture you can see the format string (fs) command that I sent to the victim host, something like


without double quotes, obviously. This fs was made to check whether there is any chance to write to the registers.

The image above shows the fs output on the victim PC; I’ve highlighted the interesting parts in yellow. As you can see, I put four “A” characters at the beginning of the format string; the hex value for this character is “41” (ASCII table), so now we know the exact position to write the EAX register.

In the next step we only need to change our format string a bit, adding the fs command “%n” at the end of the string


This parameter allows us to write an arbitrary address into the stack. If you look at the picture, in the red square, you should see that the actual EAX value is “41414141”, so we finally gained access to EAX, causing a buffer overflow (BOF).

The last move should be to take over the ECX register to obtain full control of the program flow. I’ve played a bit with the “field width” to write some value to ECX, but unfortunately I had no success; the target requires further investigation.

To avoid the problem, it is necessary to fix the format string parameter passed to the sprintf function. I’ve already reported the vulnerability to the author. I hope he will fix this threat as soon as possible.
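The fix described above, sketched as an added example; this is not code from the original post or from the game. The function names, the buffer size and the sample message are assumptions. It shows the unsafe call pattern as a comment, the hardened call that treats the received text purely as data, and a small helper a defender can use to log messages that contain format directives.

```c
#include <stdio.h>
#include <string.h>

#define CHAT_BUF 128   /* assumed size; the real buffer size is not given in the post */

/* Vulnerable pattern (kept as a comment so it is never executed):
 *     sprintf(out, msg);        // msg itself is parsed as the format string
 */

/* Hardened: the format is a literal, msg is only data, output is bounded.
 * Returns 0 on success, -1 if msg was truncated or formatting failed. */
int format_chat_line(char *out, size_t out_len, const char *msg)
{
    int n = snprintf(out, out_len, "%s", msg);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Detection helper: conservatively count conversion directives in untrusted
 * text. "%%" is a literal percent and is skipped. *has_n is set to 1 when a
 * %n directive (the one that writes to memory) is present. */
int count_directives(const char *msg, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                      /* escaped percent */
        p += strspn(p, "-+ #0123456789.*hlLqjzt$");   /* flags, width, length */
        if (*p == '\0') break;                        /* dangling '%' at end */
        if (*p == 'n') *has_n = 1;
        count++;
    }
    return count;
}

int main(void)
{
    const char *msg = "AAAA%x%x%n";   /* constructed sample, not the post's string */
    char out[CHAT_BUF];
    int has_n;
    int n = count_directives(msg, &has_n);
    format_chat_line(out, sizeof out, msg);
    printf("stored: %s | directives=%d has_n=%d\n", out, n, has_n);
    return 0;
}
```

With the literal `"%s"` format the directives in the message are stored verbatim instead of being interpreted, and the helper's counts can feed a log or alert on the receiving side.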

