Gentoo Forums
format string vuln., question about architecture[SOLVED]
truc
Advocate


Joined: 25 Jul 2005
Posts: 3199

PostPosted: Wed Feb 13, 2013 10:54 pm    Post subject: format string vuln., question about architecture[SOLVED]

Hello,

I'm trying to play with format string vulnerability and there are a few things I'm not sure how to explain. Consider this sample of C code:
prog1.c:
#include <stdio.h>

int main(int argc, char *argv[]){
        /* local array on the stack; never used by the program itself, it is
         * only there so printf's argument walk runs into it */
        char buffer[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        (void)buffer;
        if (argc < 2)
                return 1;
        /* deliberately vulnerable: argv[1] is used as the format string */
        printf(argv[1]);
        return 0;
}


Obviously, buffer is somewhere on the stack; we can try to find it.
On x86:
$ ./prog1 $(perl -e 'print "%p-"x10')
0x80495bc-0x434241a8-0x47464544-0x4b4a4948-0x4f4e4d4c-0x53525150-0x57565554-0x5a5958-0xbffffcd0-0xbffffd28-

$ # from this, buffer 'starts'(?) at the second argument of printf (with the fmt string vuln)
$ ./prog1 '%2$x-%3$x-%4$x-%5$x-'
434241a8-47464544-4b4a4948-4f4e4d4c-

$ ./prog1 '%2$c-%3$c-%4$c-%5$c-'
¨-D-H-L-


on x86_64:
$ ./prog1 $(perl -e 'print "%p-"x10')
0x7fff95e39848-0x7fff95e39860-(nil)-0x7fcbea23a320-0x7fcbea24d310-0x7fff95e39848-0x200400580-0x4847464544434241-0x504f4e4d4c4b4a49-0x5857565554535251-

$ # from this, buffer 'starts'(?) at the eighth argument of printf (with the fmt string vuln)
$ ./prog1 '%8$x-%9$x-%10$x-%11$x-'
44434241-4c4b4a49-54535251-5a59-

$ # some parts are missing, arguments now occupy 8 bytes:
$ ./prog1 '%8$lx-%9$lx-%10$lx-%11$lx-'
4847464544434241-504f4e4d4c4b4a49-5857565554535251-5a59-

$ ./prog1 '%8$c-%9$c-%10$c-%11$c-'
A-I-Q-Y-



On x86, D, H and L are separated by 4 characters/bytes; on x86_64, A, I, Q and Y by 8 characters/bytes. I can clearly see the link with the 32/64-bit architecture, but what I don't understand is:

on x86, why doesn't ./prog1 '%2$c-%3$c-%4$c-%5$c-' print A-B-C-D, or rather D-C-B-A (little-endian)?
on x86_64, why doesn't ./prog1 '%8$c-%9$c-%10$c-%11$c-' print H-G-F-E?

If I use '%c', shouldn't printf only take the next byte and not the next four bytes on x86 (and similarly on x86_64)?


I think I may be missing the point about how memory is segmented/aligned, or something; if you can think of anything to make this clearer to me, please just say!

Thanks in advance!
_________________
The End of the Internet!


Last edited by truc on Thu Feb 14, 2013 8:27 am; edited 1 time in total
John R. Graham
Administrator


Joined: 08 Mar 2005
Posts: 10587
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Feb 13, 2013 11:19 pm    Post subject:

Because characters when passed as parameters are promoted to integers. So are shorts. I think this is even stated in the original K&R C book.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
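To make John's point concrete, here is a small added model (not code from this thread) of how each "%n$" directive consumes one whole promoted-argument slot, and why %c then yields only that slot's low byte. It assumes little-endian stack images built from the values in the first post's %p dumps, with 4-byte slots for x86 and 8-byte slots for stack-passed arguments on x86_64:

```c
#include <stdint.h>
#include <stdio.h>
/* Little-endian image of the stack slots printf walks for "%n$..." directives.
 * A char argument is promoted to int, so va_arg() for %c still advances a whole
 * slot (4 bytes on x86; 8 on x86_64, where every stack-passed argument gets an
 * 8-byte slot) and %c keeps only the slot's low byte.  Returns the low `width`
 * bytes of 1-based slot `slot` (width 1 models %c, 4 %x, 8 %lx on x86_64), or
 * UINT64_MAX when the request falls outside the image. */
static uint64_t read_slot(const unsigned char *img, size_t img_len,
                          size_t slot_size, unsigned slot, size_t width)
{
    if (slot == 0 || width > slot_size)
        return UINT64_MAX;
    size_t off = (size_t)(slot - 1) * slot_size;
    if (off + slot_size > img_len)
        return UINT64_MAX;
    uint64_t v = 0;
    for (size_t i = 0; i < width; i++)
        v |= (uint64_t)img[off + i] << (8 * i);
    return v;
}
/* What "%n$c" prints: the slot's low byte, or -1 for a bad slot. */
static int slot_char(const unsigned char *img, size_t img_len,
                     size_t slot_size, unsigned slot)
{
    uint64_t v = read_slot(img, img_len, slot_size, slot, 1);
    return v == UINT64_MAX ? -1 : (int)v;
}
/* Constructed images with slot contents copied from the post's %p dumps, not
 * captured from a live process.  x86: buffer[] starts one byte into slot 2,
 * which is why %2$c printed 0xa8 rather than 'A'. */
static const unsigned char x86_img[] = {
    0xbc, 0x95, 0x04, 0x08,  /* slot 1: 0x080495bc */
    0xa8, 'A', 'B', 'C',     /* slot 2: 0x434241a8 */
    'D', 'E', 'F', 'G',  'H', 'I', 'J', 'K',  'L', 'M', 'N', 'O',  /* slots 3-5 */
};
/* x86_64: slots 1-7 are unrelated values (zeroed here); buffer[] + NUL starts at slot 8 */
static const unsigned char x64_img[] = {
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    'A','B','C','D','E','F','G','H', 'I','J','K','L','M','N','O','P',
    'Q','R','S','T','U','V','W','X', 'Y','Z',0,0,0,0,0,0,
};
int main(void)
{
    printf("x86_64 %%8$c-%%9$c: %c-%c\n", slot_char(x64_img, sizeof x64_img, 8, 8),
           slot_char(x64_img, sizeof x64_img, 8, 9));   /* prints A-I */
    return 0;
}
```

Changing `width` from 1 to 4 or 8 on the same slot reproduces the %x versus %lx truncation seen on x86_64 in the first post.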
truc
Advocate


Joined: 25 Jul 2005
Posts: 3199

PostPosted: Thu Feb 14, 2013 8:26 am    Post subject:

John R. Graham wrote:
Because characters when passed as parameters are promoted to integers. So are shorts. I think this is even stated in the original K&R C book.

- John
I thought I was missing something big, but this simply explains it!

Thanks a lot John R. Graham!
_________________
The End of the Internet!