[Format String vulnerabilities]
auto198368
hushmail.com
Date: Sat May 22 2004 - 07:48:58 CDT
Hello vuln-dev,
Query regarding format string vulnerabilities.
The majority of tutorials give an example of the following form:
(taken from NN-formats.txt [NOP Ninjas - Format String Technique])
fmt1.c ----------------------------------------------------
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char buf[1024];

    if (argc < 2)
        return 1;
    strncpy(buf, argv[1], sizeof(buf));
    /* user input is used directly as the format string: this is the bug */
    printf(argv[1]);
    printf("\n");
    return 0;
}
------------------------------------------------------------
sloth
sin$ ./fmt 'AAAA %x'
AAAA 41414141
Surely, however, the format string *itself* isn't passed on the stack
but a pointer to the format string. Therefore the %x modifier would
return a hex representation of the address pointing to the string, *not*
a hex representation of the string contents?
On my linux/i386 system this produces:
root
xpl:~# ./fmt1 'AAAA %x'
AAAA bffffbec
Similarly, a printf("AAAA %x"); style format string would print out the
hex representation of the ELF .rodata section address where the string
is stored, not any values contained within.
Can anybody clarify all of this?
Much appreciated,
vxpl-
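Each %x consumes the next variadic argument slot whether or not the caller passed one, so what it prints is whatever word happens to sit there: on the poster's i386 box the first slot above the format-string pointer held a stack address, while in fmt1.c the copy of argv[1] in buf sits a few slots further up, which is where the tutorials' 41414141 comes from. The following added example (not part of the original post) shows the defender-side check: it walks an untrusted string the way printf's parser does, counts the slots it would consume, flags %n, and prints via a fixed "%s" format instead.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Returns the number of argument slots the conversions in fmt would consume,
 * or -1 if fmt contains %n (a write primitive that untrusted input must never
 * supply). Flags, width, precision and length modifiers are skipped; a '*'
 * width or precision consumes a slot of its own. Positional forms (%1$x) are
 * approximated as one slot each. */
int count_format_args(const char *fmt) {
    int args = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%" is a literal percent sign */
            continue;
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) {
            if (*p == '*')      /* "*" pulls the width/precision from the args */
                args++;
            p++;
        }
        if (*p == '\0')         /* dangling '%' at end of string */
            break;
        if (*p == 'n')
            return -1;
        args++;                 /* x, d, s, p, ... each take one slot */
    }
    return args;
}

/* True only if the string asks for exactly the arguments the caller supplies. */
bool is_safe_format(const char *fmt, int supplied_args) {
    int needed = count_format_args(fmt);
    return needed >= 0 && needed == supplied_args;
}

/* The fix for fmt1.c: the user string becomes an argument, never the format. */
void print_untrusted(const char *s) {
    printf("%s\n", s);
}

int main(int argc, char *argv[]) {
    const char *input = argc > 1 ? argv[1] : "AAAA %x";   /* constructed sample */
    printf("slots consumed: %d, safe with 0 args: %s\n",
           count_format_args(input), is_safe_format(input, 0) ? "yes" : "no");
    print_untrusted(input);     /* prints the literal text, no stack reads */
    return 0;
}
```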