Placeholder

In the C programming language, placeholders for format strings are used to specify how data should be formatted when printing or reading with the printf and scanf functions.

Here is the general syntax for a placeholder in a format string:

%[parameter$][flags][width][.precision][length]specifier

Part Description

Part	Description
`parameter`	An optional positive integer that specify the number of the parameter to display .
`flags`	An optional set of characters that specify how the data should be formatted.
`width`	An optional positive integer that specifies the minimum width of the field in which the data will be printed or read.
`precision`	An optional positive integer that specifies the precision of the data being printed or read. The meaning of precision depends on the specifier being used.
`length`	An optional set of characters that specifies the size of the data being printed or read.
`type`	A character that specifies the type of data being printed or read.

parameter

An optional positive integer that specify the number of the parameter to display .

flags

An optional set of characters that specify how the data should be formatted.

width

An optional positive integer that specifies the minimum width of the field in which the data will be printed or read.

precision

An optional positive integer that specifies the precision of the data being printed or read. The meaning of precision depends on the specifier being used.

length

An optional set of characters that specifies the size of the data being printed or read.

type

A character that specifies the type of data being printed or read.

Type field

The Type field can be any of:

Type Description

Type	Description
`d`	Print an integer value in decimal form
`i`	Print an integer value in decimal form
`o`	Print an integer value in octal form
`u`	Print an integer value in unsigned decimal form
`x`	Print an integer value in lowercase hexadecimal form
`X`	Print an integer value in uppercase hexadecimal form
`f`	Print a floating-point value in decimal form
`F`	Print a floating-point value in decimal form
`e`	Print a floating-point value in scientific notation (lowercase `e`)
`E`	Print a floating-point value in scientific notation (uppercase `E`)
`a`	Print a floating-point value in hexadecimal scientific notation (lowercase `p`)
`A`	Print a floating-point value in hexadecimal scientific notation (uppercase `P`)
`g`	Print a floating-point value in either decimal or scientific notation, whichever is shorter
`G`	Print a floating-point value in either decimal or scientific notation, whichever is shorter
`c`	Print a single character
`s`	Print a string of characters (The parameter must be a pointer to a string)
`p`	Print a pointer value
`n`	Print nothing, but writes the number of characters written so far into an integer pointer parameter

d

Print an integer value in decimal form

i

Print an integer value in decimal form

o

Print an integer value in octal form

u

Print an integer value in unsigned decimal form

x

Print an integer value in lowercase hexadecimal form

X

Print an integer value in uppercase hexadecimal form

f

Print a floating-point value in decimal form

F

Print a floating-point value in decimal form

e

Print a floating-point value in scientific notation (lowercase e)

E

Print a floating-point value in scientific notation (uppercase E)

a

Print a floating-point value in hexadecimal scientific notation (lowercase p)

A

Print a floating-point value in hexadecimal scientific notation (uppercase P)

g

Print a floating-point value in either decimal or scientific notation, whichever is shorter

G

Print a floating-point value in either decimal or scientific notation, whichever is shorter

c

Print a single character

s

Print a string of characters (The parameter must be a pointer to a string)

p

Print a pointer value

n

Print nothing, but writes the number of characters written so far into an integer pointer parameter

Parameter field

This field is one of the most important field in the case of Format String exploit

An optional positive integer that specify the number of the parameter to display using this placeholder, allowing the parameters provided to be output multiple times, using varying format specifiers or in different orders.

If any single placeholder specifies a parameter, all the rest of the placeholders MUST also specify a parameter.

printf("%2$d ; %1$d",16,17)
// output : 17 ; 16

Flags field

An optional set of characters that specify how the data should be formatted.

The Flags field can be none or more (in any order) of:

Character Description

Character	Description
- (minus)	Left-align the output of this placeholder. (The default is to right-align the output.)
+ (plus)	Prepends a plus for positive signed-numeric types. (The default doesn't prepend anything in front of positive numbers.)
(space)	Prepends a space for positive signed-numeric types. This flag is ignored if the + flag exists. (The default doesn't prepend anything in front of positive numbers.)
0 (zero)	Data will be padded with `0` to reach the specified field width. If it is not present, the data will be padded with spaces.
# (hash)	Alternate form: For g and G types, trailing zeros are not removed. For f, F, e, E, g, G types, the output always contains a decimal point. For o, x, X types, the text 0, 0x, 0X, respectively, is prepended to non-zero numbers.

- (minus)

Left-align the output of this placeholder. (The default is to right-align the output.)

+ (plus)

Prepends a plus for positive signed-numeric types. (The default doesn't prepend anything in front of positive numbers.)

(space)

Prepends a space for positive signed-numeric types.

This flag is ignored if the + flag exists. (The default doesn't prepend anything in front of positive numbers.)

0 (zero)

Data will be padded with 0 to reach the specified field width. If it is not present, the data will be padded with spaces.

# (hash)

Alternate form: For g and G types, trailing zeros are not removed. For f, F, e, E, g, G types, the output always contains a decimal point. For o, x, X types, the text 0, 0x, 0X, respectively, is prepended to non-zero numbers.

Width field

Another very important field in format string exploitation. This is used to print large amount of character unless the user input has to be short.

The width field specifies the minimum width of the field in which the data will be printed or read. It is an optional positive integer that can be used to control the alignment and padding of the data.

Precision field

The Precision field usually specifies a maximum limit on the output, depending on the formatting type.

Length field

The length field is an optional modifier that can be used to specify the size of the value being printed. It is typically used with integer format specifiers, such as d, o, x, and X, to specify the size of the integer in terms of the number of bytes.

Character	Description
hh	For integer types, causes printf to expect an int-sized integer argument which was promoted from a char.
h	For integer types, causes printf to expect an int-sized integer argument which was promoted from a short.
l	For integer types, causes printf to expect a long-sized integer argument. For floating-point types, this is ignored. float arguments are always promoted to double when used in a varargs call.[4]
ll	For integer types, causes printf to expect a long long-sized integer argument.
L	For floating-point types, causes printf to expect a long double argument.
z	For integer types, causes printf to expect a size_t-sized integer argument.
j	For integer types, causes printf to expect a intmax_t-sized integer argument.
t	For integer types, causes printf to expect a ptrdiff_t-sized integer argument.

Character

Description

For integer types, causes printf to expect an int-sized integer argument which was promoted from a char.

For integer types, causes printf to expect an int-sized integer argument which was promoted from a short.

For integer types, causes printf to expect a long-sized integer argument.

For floating-point types, this is ignored. float arguments are always promoted to double when used in a varargs call.[4]

For integer types, causes printf to expect a long long-sized integer argument.

For floating-point types, causes printf to expect a long double argument.

For integer types, causes printf to expect a size_t-sized integer argument.

For integer types, causes printf to expect a intmax_t-sized integer argument.

For integer types, causes printf to expect a ptrdiff_t-sized integer argument.

Previousfprintf NextData Leak

Last updated 1 year ago