Vulnerability Development mailing list archives
Re: [Format String vulnerabilities]
From: Gerardo Richarte <gera () corest com>
Date: Fri, 28 May 2004 16:34:41 -0300
> Surely however the format string *itself* isn't passed on the stack but a pointer to the format string. Therefore the %x modifier would return a hex representation of the address pointing to the string, *not* a hex representation of the string contents?
Everything you said is correct, except for 2 things:

. the fact that the format string itself is not in the stack. This is actually why there is a buf[1024] and a strncpy(buf, argv[1], sizeof(buf)): to copy the format string to the stack.

. the idea that you will be able to print the address of the format string, because it's an argument to printf: yes, the address to the format string is an argument to printf, and yes, it is in the stack. However, it's the first argument to printf, and with the format string you can print starting from the second.

The code is:
fmt1.c ----------------------------------------------------
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buf[1024];

    if (argc < 2)
        return 1;
    /* copy the user-supplied format string onto the stack */
    strncpy(buf, argv[1], sizeof(buf));
    /* user input used directly as the format string: the bug under discussion */
    printf(argv[1]);
    printf("\n");
    return 0;
}
------------------------------------------------------------
gera
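The hardened counterpart of fmt1.c, as an added example that is not code from the thread or from its author: the untrusted string is passed as a data argument to a fixed "%s" format, so a '%' in it is printed literally rather than interpreted as a conversion that walks the stack from the second printf argument. The function names print_untrusted and count_format_directives, and the sample input, are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread: the hardened counterpart of
 * fmt1.c. The untrusted string is a data argument to a fixed "%s" format,
 * so any '%' it contains is printed literally instead of being treated as
 * a conversion. Returns what snprintf returns: the length of the output. */
int print_untrusted(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Audit helper (hypothetical name): counts the conversions a string would
 * trigger if it were ever used as a format string. "%%" is a literal
 * percent sign and is not counted. Useful in tests or log review to flag
 * inputs that must never reach a printf-family format argument. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(int argc, char *argv[])
{
    /* Constructed sample input of the kind discussed in the thread. */
    const char *input = argc > 1 ? argv[1] : "%x%x%x";
    char line[256];

    printf("input would trigger %d conversion(s) if used as a format\n",
           count_format_directives(input));
    print_untrusted(line, sizeof(line), input);
    printf("printed safely: %s\n", line);   /* prints %x%x%x verbatim */
    return 0;
}
```

Compiling the original fmt1.c with `gcc -Wall -Wformat -Wformat-security` makes GCC warn that the format is not a string literal and has no format arguments; the hardened form above compiles cleanly because its format string is a literal and the user data is an ordinary argument.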