2

I'm studying a security unit and I'm attempting to understand format string attacks. Could somebody please attempt to explain this to me?

The following code is taken from: http://julianor.tripod.com/bc/tn-usfs.pdf:

/*
 * fmtme.c
 *       Format a value into a fixed-size buffer
 */
#include <stdio.h>
int
main(int argc, char **argv)
{
    char buf[100];
    int x;
    if(argc != 2)
        exit(1);
    x = 1;
    snprintf(buf, sizeof buf, argv[1]);
    buf[sizeof buf - 1] = 0;
    printf("buffer (%d): %s\n", strlen(buf), buf);
    printf("x is %d/%#x (@ %p)\n", x, x, &x);
    return 0;
}

As I understand it, the %n format specifier is used to read a specified address back into memory, then when printf pops values off the stack, it should read our address. I can't seem to pull this off.

In the document, the following example is provided:

perl -e 'system "./fmtme", "\x58\x74\x04\x08%d%n"'

Where did \x58\x74\x04\x08%d%n come from?

Improve this question
0

1 Answer 1

Reset to default
3

"\x58\x74\x04\x08%d%n" is the "shell code".

The exploit is explained very carefully in that document. I suppose it expects you to have some understanding of the typical layout of stack frames, which also is explained in the table . Keep in mind that stack addresses typically grows downwards, which means that a function call that "pops" more arguments than was actually passed to it will start reading local variables from the stack frame below its own. This is what this shell code exploits.

It puts an address in the first 4 bytes of buf (because snprintf prints it into there) and then it skips the x variable (from the frame below it) and finally reads the address from the first part of buf (but interpreted as a pointer) and write a value to it, via the %n format code.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.