OSEC

From: Zack Weinberg (zackwSTANFORD.EDU)
Date: Thu Apr 05 2001 - 15:34:33 CDT


On Thu, Apr 05, 2001 at 01:12:18PM -0700, Richard Henderson wrote:
>
> If the target uses fp registers for fp data, and integer registers for
> pointer data, or data registers for integer data and address registers
> for pointer data, or .... Then you can still feed uninitialized values
> to printf by having a type mismatch between the format string and the
> actual parameters. Multiple sets of counts don't do the job because the
> calling convention might leave holes in the registers that it uses.

Hm, but can you exploit that in the real world? My sketchy idea of
printf attacks is that they all involve careful construction of the
input string in order to get %n to write a magic value over
e.g. printf's own return address. It seems unlikely to me that you
could do so by changing % escapes that were expected to be there.

Also, the normal case of an exploitable printf has no arguments after
the format string. A simple count will nail that one no matter what
the attacker tries to make it look for.

zw
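The "simple count" check discussed in the message, written out as an added example (it is not code from the thread or from gcc): a small parser that counts how many variadic arguments a format string consumes, flags `%n`, and compares the demand against the number of arguments the call actually supplies. The function names and the treatment of `%n` as a rejected directive are assumptions of this example.

```c
/* Added example: count the arguments a printf-style format consumes and
 * compare with what the caller supplied, the check a compile-time format
 * warning performs on a literal format string. Not part of the original post. */
#include <stddef.h>
#include <string.h>

/* Returns the number of variadic arguments the format consumes, or -1 if a
 * conversion is malformed (e.g. a lone trailing '%'). If writes_memory is
 * non-NULL it is set to 1 when a %n conversion is present. */
int count_format_args(const char *fmt, int *writes_memory)
{
    int args = 0;
    if (writes_memory) *writes_memory = 0;

    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" prints a literal '%' */
        while (*p && strchr("-+ #0'", *p)) p++;  /* flags */
        if (*p == '*') { args++; p++; }          /* '*' width consumes an int */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                         /* precision, possibly '*' */
            p++;
            if (*p == '*') { args++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++; /* length modifiers */
        if (*p == '\0' || !strchr("diouxXeEfFgGaAcspn", *p)) return -1;
        if (*p == 'n' && writes_memory) *writes_memory = 1;
        args++;                                  /* the conversion itself */
    }
    return args;
}

/* The check the post describes: the format's demand must match the number of
 * arguments supplied. A %n directive is rejected outright as an assumption of
 * this example, since it is the directive that writes to memory. */
int format_call_is_consistent(const char *fmt, int supplied_args)
{
    int has_n = 0;
    int needed = count_format_args(fmt, &has_n);
    return needed >= 0 && needed == supplied_args && !has_n;
}
```

The classic bug the post calls "the normal case" is a call with zero supplied arguments and an attacker-influenced format; `format_call_is_consistent(fmt, 0)` returns 0 as soon as that format carries any conversion.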