
I have a simple C program:

#include <stdio.h>
int main(void) {
    char user_input[100];
    scanf("%s", user_input);  /* no width limit: longer input overruns the buffer */
    printf(user_input);       /* user-controlled format string */
}

It is my understanding this represents a security vulnerability; e.g. inputting a bunch of %x will print out the stack's content.

But how could one print a chosen memory location?

I read that:

\x10\x01\x48\x08_%08x.%08x.%08x.%08x.%08x|%s|

Should be dumping the memory's content at the location 0x08480110, from this paper. But instead, it is printing out the very next 4 bytes to the format string on the stack. I'm trying to understand why.

  • This is a forest of trees question, input more than 99 characters to invoke a buffer overflow. The Little Bobby Tables story of not sanitizing input. Commented Mar 3, 2012 at 19:11
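The hardened form of the snippet in the question, as an added example that is not part of the original post or its answers: the unbounded scanf("%s") becomes a bounded read, the user's text is passed as an argument to a literal "%s" format so that any %x, %s or %n it contains is printed back as plain characters, and a small counter lets a program log that conversion specifiers showed up in untrusted input. The function names read_token, echo_hardened and count_conversions are my own, not from the page.

```c
/* Added example: hardened version of the question's echo program.
 * Function names are the author's of this example, not from the page. */
#include <stdio.h>
#include <string.h>

/* Hardened echo: the user's text is an argument to a fixed format, so
 * '%' sequences in it are printed literally and the output is bounded
 * by outlen. Returns the number of characters that were (or would be) written. */
int echo_hardened(const char *user_input, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", user_input);
}

/* Bounded read of one whitespace-free token, replacing the unbounded
 * scanf("%s", user_input). Returns 1 on success, 0 on EOF or a tiny buffer. */
int read_token(FILE *in, char *buf, size_t buflen)
{
    if (buflen < 2) return 0;
    if (fgets(buf, (int)buflen, in) == NULL) return 0;
    buf[strcspn(buf, " \t\r\n")] = '\0';   /* cut at the first whitespace */
    return 1;
}

/* Detection helper: count printf conversions ("%x", "%n", "%4$s", ...)
 * in untrusted data. "%%" is a literal percent sign and is not counted.
 * Useful for logging; it is not a substitute for the fixed format above. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

int main(void)
{
    char user_input[100], out[256];
    if (!read_token(stdin, user_input, sizeof user_input)) return 1;
    if (count_conversions(user_input) > 0)
        fprintf(stderr, "warning: %d format conversion(s) in input\n",
                count_conversions(user_input));
    echo_hardened(user_input, out, sizeof out);
    puts(out);   /* input such as "%08x.%08x|%s|" is echoed back literally */
    return 0;
}
```

Compiled with -Wformat-security (or -Wall), the original printf(user_input) line is flagged by gcc and clang because the format is not a literal; the hardened version is silent, and feeding it the exact string from the question prints that string back unchanged instead of reading the stack.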

2 Answers


The format string itself will be on the stack (as you've declared user_input as a local variable). So if you walk the stack far enough (which is what the %08x force printf to do), then you will eventually arrive at the beginning of the format string. %s tells printf to read an address from the stack, and then print the string found at that location. So it reads the first 4/8 bytes of the format string, and uses those as the address.

Of course, for this to work, you need to know exactly how far to read through the stack in order to hit the format string. So you may need to adjust the number of %08x.

Also, a user entering \x10 at run-time is not the same as a string literal in your source code that contains \x10...


3 Comments

Is the format string not lower in memory than user_input is? Also, I understand that %x "walks the stack"; is there a way to not have the entire content of the stack printed out, i.e. a way to walk the stack up to the format string, which will use the first 4 bytes as the address it has to read from the stack, but without printing out everything in between?
@Pi_: It depends. On x86, the stack typically grows downwards (so printf's stack frame will be at a lower address than the caller's stack frame).
NOTE: I found that the input "%n$x", where n is an integer, is going through the first n-1 iterations without printing out the result (i.e. it is popping the n-1 iterations and directly goes to the nth iteration).

This is explained in great detail in Exploiting Format String Vulnerabilities.

If you want a picture, see Section 4.4 of these lecture notes.
