truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Wed Feb 13, 2013 10:54 pm Post subject: format string vuln., question about architecture [SOLVED]
Hello,
I'm trying to play with format string vulnerability and there are a few things I'm not sure how to explain. Consider this sample of C code:
prog1.c:

    #include <stdio.h>

    int main(int argc, char *argv[]){
        char buffer[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        printf(argv[1]);   /* argv[1] is used directly as the format string: the vulnerability under discussion */
        return 0;
    }
obviously, buffer is somewhere in the stack, we can try to find it,
on x86:

    $ ./prog1 $(perl -e 'print "%p-"x10')
    0x80495bc-0x434241a8-0x47464544-0x4b4a4948-0x4f4e4d4c-0x53525150-0x57565554-0x5a5958-0xbffffcd0-0xbffffd28-
    $ # from this, buffer 'starts'(?) at the second argument of printf (with the fmt string vuln)
    $ ./prog1 '%2$x-%3$x-%4$x-%5$x-'
    434241a8-47464544-4b4a4948-4f4e4d4c-
    $ ./prog1 '%2$c-%3$c-%4$c-%5$c-'
    ¨-D-H-L-
on x86_64:

    $ ./prog1 $(perl -e 'print "%p-"x10')
    0x7fff95e39848-0x7fff95e39860-(nil)-0x7fcbea23a320-0x7fcbea24d310-0x7fff95e39848-0x200400580-0x4847464544434241-0x504f4e4d4c4b4a49-0x5857565554535251-
    $ # from this, buffer 'starts'(?) at the eighth argument of printf (with the fmt string vuln)
    $ ./prog1 '%8$x-%9$x-%10$x-%11$x-'
    44434241-4c4b4a49-54535251-5a59-
    $ # some parts are missing, arguments now occupy 8 bytes:
    $ ./prog1 '%8$lx-%9$lx-%10$lx-%11$lx-'
    4847464544434241-504f4e4d4c4b4a49-5857565554535251-5a59-
    $ ./prog1 '%8$c-%9$c-%10$c-%11$c-'
    A-I-Q-Y-
On x86, D, H and L are separated by 4 characters/bytes; on x86_64, A, I, Q, Y by 8 characters/bytes. I can clearly see the link with the 32/64-bit architecture, but what I don't understand is:
on x86, why doesn't ./prog1 '%2$c-%3$c-%4$c-%5$c-' print A-B-C-D, or rather D-C-B-A (little-endian)?
on x86_64, why doesn't ./prog1 '%8$c-%9$c-%10$c-%11$c-' print H-G-F-E?
If I use '%c', shouldn't printf only take the next byte and not the next four bytes on x86 (similar question for x86_64)?
I think I may be missing the point of how memory is segmented/aligned or something; if you think of anything to make this clearer to me, please just say!
thanks in advance!
_________________
The End of the Internet!
Last edited by truc on Thu Feb 14, 2013 8:27 am; edited 1 time in total
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10587 Location: Somewhere over Atlanta, Georgia
Posted: Wed Feb 13, 2013 11:19 pm Post subject:
Because characters when passed as parameters are promoted to integers. So are shorts. I think this is even stated in the original K&R C book.
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
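As an added illustration of John's answer (example code written for this thread, not the poster's prog1.c): a small variadic function does what printf does for every "%c" (pull one whole int with va_arg(), keep its low byte) and is fed the alphabet buffer sliced into argument slots 4 bytes apart (x86) or 8 bytes apart (x86_64). The names slot_as_int, emulate_percent_c, low_bytes_of_slots and print_untrusted are made up for the example; print_untrusted is the safe form of the vulnerable call.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the buffer prog1.c keeps on its stack, zero-padded so
 * every 4-byte slot read below stays inside the array. */
static const char ALPHABET[32] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* Low 4 bytes of the argument slot at 'off', read little-endian the way an
 * x86/x86_64 printf sees a stack word that happens to overlap the buffer. */
static int slot_as_int(size_t off)
{
    uint32_t w = 0;
    for (int i = 3; i >= 0; i--)
        w = (w << 8) | (unsigned char)ALPHABET[off + i];
    return (int)w;
}

/* What printf does for each "%c": the caller promoted any char to int, so it
 * consumes one whole int via va_arg() (va_arg(ap, char) is not valid C) and
 * prints only that value's low byte. */
static void emulate_percent_c(char *out, int n, ...)
{
    va_list ap;
    va_start(ap, n);
    for (int i = 0; i < n; i++)
        out[i] = (char)((unsigned)va_arg(ap, int) & 0xffu);
    out[n] = '\0';
    va_end(ap);
}

/* Four consecutive argument slots of the buffer, 'stride' bytes apart: 4 on
 * x86, 8 on x86_64 (slots are 8 bytes wide there, yet "%c" still reads an int). */
const char *low_bytes_of_slots(int stride)
{
    static char out[5];
    emulate_percent_c(out, 4, slot_as_int(0), slot_as_int(stride),
                      slot_as_int(2 * stride), slot_as_int(3 * stride));
    return out;
}

/* The fixed form of prog1.c's call: untrusted text is data, never the format. */
int print_untrusted(const char *s)
{
    return printf("%s\n", s);   /* or fputs(s, stdout) */
}

int main(void)
{
    printf("x86 slots   : %s\n", low_bytes_of_slots(4));   /* AEIM */
    printf("x86_64 slots: %s\n", low_bytes_of_slots(8));   /* AIQY */
    print_untrusted("%p-%p-%p");                            /* printed verbatim */
    return 0;
}
```

The stride is the only thing that differs between the two architectures; the "%c" conversion itself always takes one promoted int and shows its lowest byte, which is why the letters step 4 or 8 apart instead of one by one.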
truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Thu Feb 14, 2013 8:26 am Post subject:
John R. Graham wrote:
    Because characters when passed as parameters are promoted to integers. So are shorts. I think this is even stated in the original K&R C book.
    - John
I thought I was missing something big, but this simply explains it!
Thanks a lot John R. Graham!
_________________
The End of the Internet!