Vulnerability Development mailing list archives

Re: [Format String vulnerabilities]


From: Gerardo Richarte <gera () corest com>
Date: Fri, 28 May 2004 16:34:41 -0300

Surely however the format string *itself* isn't passed on the stack
but a pointer to the format string. Therefore the %x modifier would
return a hex representation of the address pointing to the string, *not*
a hex representation of the string contents?

        Everything you said is correct, except for 2 things:

        . the fact that the format string itself is not in the stack. This is actually why there is a buf[1024] and a 
strncpy(buf,argv[1],sizeof(buf)): to copy the format string to the stack.

        . the idea that you will be able to print the address of the format string, because it's an argument to printf: yes, 
the address to the format string is an argument to printf, and yes, it is in the stack. However, it's the first argument to 
printf, and with the format string you can print starting from the second.

        the code is:

fmt1.c ----------------------------------------------------

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
  char buf[1024];

  if (argc < 2) return 1;
  strncpy(buf, argv[1], sizeof(buf));  /* copies the format string onto the stack */
  printf(argv[1]);                     /* deliberately vulnerable: user input used as the format */
  printf("\n");
  return 0;
}
------------------------------------------------------------

        gera
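
A check for the pattern gera describes, added here as an example and not part of the original thread: it counts how many arguments a format string would pull from the argument positions after the format pointer (the hypothetical format_arg_count and is_dangerous_format below), and shows the safe printf("%s", ...) form beside the printf(argv[1]) of fmt1.c.

```c
#include <stdio.h>
#include <string.h>

/* Count the variadic arguments a printf-style format would consume. The
 * format string is argument 1 of printf, so every conversion reads argument
 * 2, 3, ...: a user-controlled format with no further arguments reads
 * whatever happens to sit there. Handles %%, flags, width/precision
 * (a '*' consumes an argument too) and length modifiers. */
int format_arg_count(const char *fmt) {
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                   /* "%%" is a literal '%' */
        /* flags, width and precision; each '*' pulls one argument */
        while (*p && strchr("-+ #0123456789.*", *p)) {
            if (*p == '*') count++;
            p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;   /* length modifiers */
        if (*p == '\0') break;                     /* dangling '%' at the end */
        count++;                                   /* the conversion itself: x, s, d, ... */
    }
    return count;
}

/* 1 if passing this string straight to printf(), as fmt1.c does with
 * argv[1], would read arguments the caller never supplied. */
int is_dangerous_format(const char *user) {
    return format_arg_count(user) > 0;
}

/* Safe counterpart to printf(argv[1]): constant format, user data via %s. */
void print_user_string(const char *user) {
    printf("%s\n", user);
}

int main(int argc, char *argv[]) {
    const char *input = argc > 1 ? argv[1] : "%08x.%08x.%s";   /* constructed sample */
    printf("conversions reading past the format pointer: %d\n", format_arg_count(input));
    if (is_dangerous_format(input))
        printf("printf(input) would be a format string bug; use printf(\"%%s\", input)\n");
    print_user_string(input);
    return 0;
}
```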

