Vulnerability Development mailing list archives

[Format String vulnerabilities]


From: <auto198368 () hushmail com>
Date: Sat, 22 May 2004 05:48:58 -0700

Hello vuln-dev,
 A query regarding format string vulnerabilities.

  The majority of tutorials give an example of the following form:

(taken from NN-formats.txt [NOP Ninjas - Format String Technique])
fmt1.c ----------------------------------------------------

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
  char buf[1024];

  if (argc < 2)
    return 1;
  strncpy(buf, argv[1], sizeof(buf));
  printf(argv[1]);          /* user input used directly as the format string */
  printf("\n");
  return 0;
}
------------------------------------------------------------  

sloth@sin$ ./fmt 'AAAA %x'
AAAA 41414141

Surely, however, the format string *itself* isn't passed on the stack,
but a pointer to the format string. Therefore the %x modifier would
return a hex representation of the address pointing to the string, *not*
a hex representation of the string contents?

On my Linux/i386 system this produces:

root@xpl:~# ./fmt1 'AAAA %x'
AAAA bffffbec

Similarly, a printf("AAAA %x"); style format string would print out the
hex representation of the ELF .rodata section address where the string
is stored, not any values contained within.

Can anybody clarify all of this?

Much appreciated,
vxpl-
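The question above turns on which words a bare %x actually reads. The following is an added illustration, not code from the original post or from NN-formats.txt: it models an i386 cdecl printf walking the words that sit above its own frame after main() has called printf(argv[1]) as in fmt1.c. Each bare %x consumes the next word after the format-pointer argument slot, so what it prints is whatever the caller's frame holds there; the stack contents below are constructed for the example (the leftover pointer value in word 1 and the placement of buf right after it are assumptions), and only %x, %N$x and %% are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the words above printf's frame on an i386 cdecl
 * system after main() has called printf(argv[1]) in fmt1.c.  Word 1 is
 * whatever the compiler left between the argument slot and main's
 * locals (a hypothetical leftover pointer here); words 2.. are buf,
 * holding the strncpy'd copy of "AAAA %x".  All values are assumptions. */
#define NWORDS 8
static const uint32_t model_stack[NWORDS] = {
    0xbffffbec, /* word 1: hypothetical leftover pointer in main's frame */
    0x41414141, /* word 2: buf[0..3] = "AAAA"                            */
    0x00782520, /* word 3: buf[4..7] = " %x\0", little-endian            */
    0x00000000, /* words 4..8: strncpy zero-fills the rest of buf         */
    0x00000000, 0x00000000, 0x00000000, 0x00000000,
};

/* Render fmt the way a cdecl printf would read its arguments: a bare
 * "%x" consumes the next word after the format pointer, "%N$x" reads
 * word N directly, "%%" is a literal percent.  Returns the number of
 * characters written, or -1 if the format is not modelled or asks for a
 * word beyond nwords (on a real system that read is undefined, which is
 * what eventually makes a long "%x%x%x..." string fault). */
int walk_format(const char *fmt, const uint32_t *stack, size_t nwords,
                char *out, size_t outsz)
{
    size_t next = 0, len = 0;   /* next: word a bare %x will consume */
    out[0] = '\0';
    for (const char *p = fmt; *p; p++) {
        if (*p == '%' && p[1] != '%') {
            size_t idx;
            p++;
            if (*p >= '1' && *p <= '9') {          /* direct access %N$x */
                size_t n = 0;
                while (*p >= '0' && *p <= '9')
                    n = n * 10 + (size_t)(*p++ - '0');
                if (*p != '$') return -1;
                p++;
                idx = n - 1;
            } else {
                idx = next++;
            }
            if (*p != 'x' || idx >= nwords) return -1;
            int w = snprintf(out + len, outsz - len, "%x", stack[idx]);
            if (w < 0 || (size_t)w >= outsz - len) return -1;
            len += (size_t)w;
        } else {
            if (*p == '%') p++;                    /* "%%" -> "%" */
            if (len + 1 >= outsz) return -1;
            out[len++] = *p;
            out[len] = '\0';
        }
    }
    return (int)len;
}

/* First step of the classic technique: count how many pops it takes
 * until the marker bytes the attacker placed in buf come out.  Returns
 * the 1-based word number (usable as %N$x), or -1 if not within nwords. */
int find_marker_offset(const uint32_t *stack, size_t nwords, uint32_t marker)
{
    for (size_t i = 0; i < nwords; i++)
        if (stack[i] == marker) return (int)i + 1;
    return -1;
}

/* Convenience wrapper over the constructed stack; returns a static
 * buffer, or NULL if walk_format rejected the format. */
const char *render(const char *fmt)
{
    static char out[256];
    return walk_format(fmt, model_stack, NWORDS, out, sizeof out) < 0 ? NULL : out;
}

int main(void)
{
    puts(render("AAAA %x"));     /* AAAA bffffbec: first pop is word 1 */
    puts(render("AAAA %x %x"));  /* AAAA bffffbec 41414141: second pop lands in buf */
    int off = find_marker_offset(model_stack, NWORDS, 0x41414141);
    printf("marker is word %d -> %s\n", off, render("%2$x"));
    return 0;
}
```

With this layout the first pop yields the leftover pointer and the second yields the "AAAA" marker, which is why the same 'AAAA %x' argument can print a pointer on one build and 41414141 on another: the output depends on what the caller's frame holds between the argument slot and buf, and the usual approach is to add %x (or use %N$x) until the marker appears. Mixing bare %x with %N$x in one real format string is not portable, so keep to one style when doing this against a live target.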




