scanf Bypasses

Sometimes you want scanf to not read anything, but continue standard execution. By this I mean that it takes your input, but it doesn't store it in memory, leaving the stack or heap untouched.

This might be because you have a sequential or iterative OOB write, but there is a canary in the way. Alternatively, the location you are writing to is uninitialized but the data gets printed back and you want to leak pointers this way (e.g. Control Room on Hack The Box).

So, here are a few inputs for different specifiers that help bypass this! Please do let me know of any more.

| Scanf Specifier | Bypass |
| --- | --- |
| `%d`, `%ld` | negative sign `-` |
| `%f`, `%lf` | decimal point/full stop `.` |
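What the inputs in the table do to the destination variable, with `sscanf` standing in for `scanf` on stdin. This is an added example, not code from the original page; the function names and the `0x41414141` stale value are constructed. The conversion fails, nothing is stored, and only a check of the return value notices.

```c
#include <stdio.h>

/* Unchecked pattern: the return value is ignored, so a failed
 * conversion leaves `slot` holding whatever was there before.
 * `prior` stands in for stale stack/heap contents (constructed). */
long read_long_unchecked(const char *input, long prior) {
    long slot = prior;
    int rc = sscanf(input, "%ld", &slot);
    (void)rc;                       /* deliberately not checked */
    return slot;
}

double read_double_unchecked(const char *input, double prior) {
    double slot = prior;
    int rc = sscanf(input, "%lf", &slot);
    (void)rc;                       /* deliberately not checked */
    return slot;
}

/* Hardened pattern: define the output first, convert into a temporary,
 * and reject the input unless exactly one item was converted. */
int read_long_checked(const char *input, long *out) {
    long tmp;
    *out = 0;
    if (sscanf(input, "%ld", &tmp) != 1)
        return -1;
    *out = tmp;
    return 0;
}

int main(void) {
    long v;
    int rc;
    printf("%%ld \"-\"  unchecked -> %#lx\n",
           (unsigned long)read_long_unchecked("-\n", 0x41414141L));
    printf("%%lf \".\"  unchecked -> %g\n",
           read_double_unchecked(".\n", 1.5));
    rc = read_long_checked("-\n", &v);
    printf("%%ld \"-\"  checked   -> rc=%d value=%ld\n", rc, v);
    rc = read_long_checked("-7\n", &v);
    printf("%%ld \"-7\" checked   -> rc=%d value=%ld\n", rc, v);
    return 0;
}
```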
