0x355 Direct Parameter Access
Direct parameter access is a way to simplify format string exploits. In the
previous exploits, each of the format parameter arguments had to be
stepped through sequentially. This necessitated using several %x format
parameters to step through parameter arguments until the beginning of the
format string was reached. In addition, the sequential nature required three
4-byte words of junk to properly write a full address to an arbitrary memory
location.
As the name would imply, direct parameter access allows parameters to be
accessed directly by using the dollar sign qualifier. For example, %n$d would
access the nth parameter and display it as a decimal number.
printf("7th: %7$d, 4th: %4$05d\n", 10, 20, 30, 40, 50, 60, 70, 80);
The preceding printf() call would have the following output:
7th: 70, 4th: 00040
First, the 70 is output as a decimal number when the format parameter
%7$d is encountered, because the seventh parameter is 70. The second
format parameter accesses the fourth parameter and uses a field width option
of 05. All of the other parameter arguments are untouched. This method of
direct access eliminates the need to step through memory until the beginning
of the format string is located, since this memory can be accessed directly.
The following output shows the use of direct parameter access.
reader@hacking:~/booksrc $ ./fmt_vuln AAAA%x%x%x%x
The right way to print user-controlled input:
AAAA%x%x%x%x
The wrong way to print user-controlled input:
AAAAbffff3d0b7fe75fc041414141
[*] test_val @ 0x08049794 = -72 0xffffffb8
reader@hacking:~/booksrc $ ./fmt_vuln AAAA%4\$x
The right way to print user-controlled input:
AAAA%4$x
The wrong way to print user-controlled input:
AAAA41414141
[*] test_val @ 0x08049794 = -72 0xffffffb8
reader@hacking:~/booksrc $
In this example, the beginning of the format string is located at the
fourth parameter argument. Instead of stepping through the first three
parameter arguments using %x format parameters, this memory can be
accessed directly. Since this is being done on the command line and the
dollar sign is a special character, it must be escaped with a backslash. This
just tells the command shell to avoid trying to interpret the dollar sign as a
special character. The actual format string can be seen when it is printed
correctly.
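The following C program is an added example, not code from the book or its booksrc directory. It shows the %n$ positional qualifier used as intended in a well-formed call (the qualifier is a POSIX extension supported by glibc, not part of ISO C, and POSIX requires that every argument up to the highest position used be referenced), the "right way" of passing user input as an argument to a fixed "%s" format, and a small checker that counts the conversions in an untrusted string and flags any that use direct parameter access, which is what a defender would want to log or reject before a string ever reaches a printf-family function. The function names positional_reorder, safe_echo and count_format_conversions are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Reorder arguments with positional specifiers. Positions 1..3 are all
 * referenced, as POSIX requires for numbered arguments.
 * Writes "fourth=00040 (ff)" into buf and returns its length (17). */
int positional_reorder(char *buf, size_t len)
{
    /* "%2$s" prints the second argument first, "%1$05d" the first argument
     * zero-padded to width 5, "%3$x" the third in hex */
    return snprintf(buf, len, "%2$s=%1$05d (%3$x)", 40, "fourth", 255);
}

/* The right way to print user-controlled input: the format string is a
 * constant and the user data is only ever an argument, so a "%4$x" in the
 * input is copied literally instead of being interpreted. Returns the
 * number of characters written. */
int safe_echo(const char *user, char *buf, size_t len)
{
    return snprintf(buf, len, "%s", user);
}

/* Count the conversion specifications in an untrusted string and report how
 * many of them use the %n$ direct-parameter-access qualifier. "%%" is a
 * literal percent sign and is not counted. A non-zero result for a string
 * that is about to be used as a format is a bug worth logging or rejecting. */
int count_format_conversions(const char *s, int *positional)
{
    int total = 0;
    *positional = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%": escaped percent sign */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (isdigit((unsigned char)*q))   /* optional decimal position */
            q++;
        if (*q == '$' && q > p + 1)          /* digits followed by '$' */
            (*positional)++;
        total++;
    }
    return total;
}

int main(void)
{
    char buf[64];
    int positional;

    positional_reorder(buf, sizeof buf);
    printf("reordered: %s\n", buf);

    /* Constructed sample inputs mirroring the fmt_vuln session above */
    const char *inputs[] = { "AAAA%x%x%x%x", "AAAA%4$x", "100%% safe" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int n = count_format_conversions(inputs[i], &positional);
        safe_echo(inputs[i], buf, sizeof buf);
        printf("input %-14s conversions=%d positional=%d echoed=%s\n",
               inputs[i], n, positional, buf);
    }
    return 0;
}
```

Compile with a normal gcc or clang invocation; -Wformat accepts the positional format because the argument positions and types match. The checker is deliberately simple (it does not validate flags, lengths or the conversion character) because its job is only to decide whether untrusted text contains something printf would interpret.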