Vulnerability Development: Re: [Format String vulnerabilities]

From: Gerardo Richarte <gera_at_corest.com>
Date: Fri, 28 May 2004 16:34:41 -0300

> Surely however the format string *itself* isn't passed on the stack
> but a pointer to the format string. Therefore the %x modifier would
> return a hex representation of the address pointing to the string, *not*
> a hex representation of the string contents?

        Everything you said is correct, except for 2 things:

        . the fact that the format string itself is not in the stack. This is actually why there is a buf[1024] and a strncpy(buf,argv[1],sizeof(buf)): to copy the format string to the stack.

        . the idea that you will be able to print the address of the format string, because it's an argument to printf: yes, the address to the format string is an argument to printf, and yes, it is in the stack. However, it's the first argument to printf, and with the format string you can print starting from the second.

        the code is:

> fmt1.c ----------------------------------------------------
>
> #include <stdio.h>
> #include <string.h>
>
> int main(int argc, char *argv[]) {
>     char buf[1024];   /* the format string gets copied here, onto the stack */
>
>     strncpy(buf, argv[1], sizeof(buf));
>     printf(argv[1]);  /* user-controlled format string: the bug under discussion */
>     printf("\n");
>     return 0;
> }
> ------------------------------------------------------------

        gera
Received on May 29 2004
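The hardened counterpart of fmt1.c, added here as an example that is not part of gera's post: the input is still copied into a stack buffer (to mirror fmt1.c), but it is passed to a constant format as a %s argument, so %x or %n sequences in the input are printed literally instead of being interpreted. The function name echo_safely and its output-buffer interface are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened version of fmt1.c. Copies the input into a stack buffer (kept
   only to mirror fmt1.c), guarantees NUL termination, and renders it with
   a fixed format string so the input is treated purely as data.
   Returns the number of bytes written to out, or -1 on truncation/error. */
int echo_safely(const char *input, char *out, size_t out_len) {
    char buf[1024];

    /* strncpy does not NUL-terminate when the input fills the buffer,
       so reserve the last byte and terminate explicitly. */
    strncpy(buf, input, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';

    /* The format string is a compile-time constant; the user data is an
       argument to %s, so directives inside it are never parsed. */
    int n = snprintf(out, out_len, "%s\n", buf);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

int main(int argc, char *argv[]) {
    char out[2048];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (echo_safely(argv[1], out, sizeof(out)) < 0)
        return 1;
    fputs(out, stdout);
    return 0;
}
```

Compiling fmt1.c with -Wformat-security (gcc/clang) flags the original printf(argv[1]) call, while this version compiles clean.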
