Vulnerability Development mailing list archives
[Format String vulnerabilities]
From: <auto198368 () hushmail com>
Date: Sat, 22 May 2004 05:48:58 -0700
Hello vuln-dev,

Query regarding format string vulnerabilities. The majority of tutorials give an example of the following form (taken from NN-formats.txt [NOP Ninjas - Format String Technique]):

fmt1.c
----------------------------------------------------
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buf[1024];

    strncpy(buf, argv[1], sizeof(buf));
    printf(argv[1]);      /* user input used as the format string */
    printf("\n");
    return 0;
}
------------------------------------------------------------
sloth@sin$ ./fmt 'AAAA %x'
AAAA 41414141

Surely, however, the format string *itself* isn't passed on the stack but a pointer to the format string. Therefore the %x modifier would return a hex representation of the address pointing to the string, *not* a hex representation of the string contents? On my linux/i386 system this produces:

root@xpl:~# ./fmt1 'AAAA %x'
AAAA bffffbec

Similarly, a printf("AAAA %x"); style format string would print out the hex representation of the ELF .rodata section address where the string is stored, not any values contained within.

Can anybody clarify all of this?

Much appreciated,
vxpl-
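The point the question turns on is that a conversion such as %x prints neither the bytes of the format string nor the address of the format string: it consumes the next variadic argument slot, whatever the calling convention happened to leave there. In the tutorial's run that slot evidently held the first four bytes of buf (hence 41414141); in the poster's build it held a different value (bffffbec). The program below is an added example, not code from the post or from NN-formats.txt. It assumes a hypothetical logging wrapper log_format() of the kind that commonly carries this bug in real code, shows the vulnerable call next to its hardened form, reproduces the tutorial's output by supplying the slot explicitly, and adds a defensive check that counts conversion directives in untrusted text before it can reach a format parameter.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging/formatting wrapper (not from the post). It carries no
 * __attribute__((format(printf, 3, 4))), which is exactly why the compiler's
 * -Wformat-security cannot see the bug in render_vulnerable() below. */
static int log_format(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Same bug as printf(argv[1]): user data becomes the format string.
 * Each conversion consumes the next variadic slot even though none was
 * supplied (undefined behaviour in C; on i386/x86-64 it simply reads whatever
 * the calling convention left in that position, which is why two builds of
 * fmt1.c print different values for the same input). */
int render_vulnerable(const char *user, char *out, size_t n)
{
    return log_format(out, n, user);
}

/* Hardened form: the user string is an argument, never the format. */
int render_safe(const char *user, char *out, size_t n)
{
    return log_format(out, n, "%s", user);
}

/* The same call with the slot supplied explicitly. This reproduces the
 * tutorial's "AAAA 41414141" line and shows that %x prints the *argument*,
 * not the format string's own bytes or its address. */
int render_with_arg(char *out, size_t n, unsigned int slot)
{
    return log_format(out, n, "AAAA %x", slot);
}

/* Defensive input check: count conversion directives in untrusted text.
 * "%%" is a literal percent sign and a lone trailing '%' is malformed, so
 * neither is counted. Any count > 0 reaching a format parameter is a bug. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent */
            s++;
            continue;
        }
        if (s[1] == '\0')       /* trailing '%' with no conversion */
            break;
        count++;
    }
    return count;
}

int main(int argc, char *argv[])
{
    /* constructed sample input; the post's own test string is the default */
    const char *user = argc > 1 ? argv[1] : "AAAA %x";
    char out[128];

    render_vulnerable(user, out, sizeof out);
    printf("vulnerable : %s\n", out);
    render_safe(user, out, sizeof out);
    printf("safe       : %s\n", out);
    render_with_arg(out, sizeof out, 0x41414141u);
    printf("explicit   : %s\n", out);
    printf("directives in input: %d\n", count_directives(user));
    return 0;
}
```

Compiled with gcc or clang, the "vulnerable" line prints a hex value that depends on the build and the platform, the "safe" line prints the input unchanged, and the "explicit" line prints AAAA 41414141 on every system. Adding the format attribute to a wrapper like log_format() is what lets -Wformat-security (or -Werror=format-security) flag the non-literal format at compile time.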
Current thread:
- [Format String vulnerabilities] auto198368 (May 22)
- Re: [Format String vulnerabilities] Frank Knobbe (May 29)
- Re: [Format String vulnerabilities] Gerardo Richarte (May 29)
- RE: [Format String vulnerabilities] Chris Eagle (May 29)
- <Possible follow-ups>
- Re: [Format String vulnerabilities] DownBload (May 23)