I'm taking a class on secure coding and the Format vulnerability. I thought I understood the basics of printf(), but it seems my grasp is more tenuous than I thought.
I'm struggling with understanding:
printf ("\x10\x01\x48\x08 %x %x %x %x %s");
Typically, printf has a string with format specifiers in it and a variable as argument, but there is just one argument here. Here, printf is reading from location 0x90480110 (because the machine is little-endian). Additionally, %x is causing the stack pointer (ESP) to move 4 bytes. So, essentially this is like saying ESP - 0x20 (I'm assuming this is a 32-bit machine). Then, %s reads from that address. Is my assessment of this line of code correct?
I'm confused about a few things, though.
When we gave printf the address \x10\x01\x48\x08, I'm confused as to why it read from that position. Is this a printf quirk? You supply an address and it will read from that position?
How are the format specifiers moving the stack pointer? I thought they were just a way for the compiler to interpret the type of data.
Edit: This was my source: https://web.ecs.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf
CodePudding user response:
I'm struggling with understanding:
printf ("\x10\x01\x48\x08 %x %x %x %x %s");
It's fairly straightforward: you're telling printf() to output a line that begins with four hexadecimal values (three of which are non-printing) and then format five values separated by spaces. But, you don't supply input for those values, so this is an invalid line of code.
I suspect what you're trying to do is:
printf("%x %x %x %x", 0x10, 0x01, 0x48, 0x08);
but this is just a guess.
CodePudding user response:
You basically did something you are not allowed to do. You provided format specifiers to the printf function, but didn't provide any variables. The values of the variables are normally pushed onto the stack, which is where printf will get them.
So if you didn't actually put anything on the stack (which printf cannot know), it will still read from the stack to be able to print the specifiers you provided, resulting in random data being printed.
The string you provided \x10\x01\x48\x08 is not an address, it's just four characters specified using hexadecimal numbers.
Some compilers will check the specifiers you have provided with the variables you are passing to see that they match. Not all though.
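Both answers make the same point: the bytes in the string are data, but as soon as that data is passed as printf's first argument, every %x and %s in it becomes a conversion that consumes an argument the caller never supplied. The following is an added example (not code from the question or either answer) that counts the conversions a string would trigger, flags a string that is unsafe to use as a format, and shows the hardened form where untrusted bytes are printed through a fixed "%s" format so they are never interpreted. The function names count_conversions, is_unsafe_as_format and print_untrusted are my own, and the sample string is constructed from the bytes shown in the question.

```c
#include <stdio.h>

/* Counts the conversion specifiers a string would consume if it were
   used as a printf format: every '%' except the literal escape "%%".
   Hypothetical helper written for this example, not from the post. */
int count_conversions(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; } /* "%%" prints one '%' */
            n++;
        }
    }
    return n;
}

/* Returns nonzero when the string contains conversions, i.e. when passing
   it as the format argument would make printf read arguments that were
   never pushed (the situation both answers describe). */
int is_unsafe_as_format(const char *s) {
    return count_conversions(s) > 0;
}

/* Hardened form: untrusted bytes go through a fixed format string, so any
   '%' inside them is output literally. Returns printf's own return value,
   the number of characters written. */
int print_untrusted(const char *s) {
    return printf("%s\n", s);
}

int main(void) {
    /* Constructed sample: the exact bytes from the question. The first four
       are non-printing characters, not an address, until something
       dereferences them. */
    const char *posted = "\x10\x01\x48\x08 %x %x %x %x %s";

    printf("conversions in the posted string: %d, arguments supplied: 0\n",
           count_conversions(posted));
    if (is_unsafe_as_format(posted))
        printf("flagged: this string must not be used as a format string\n");

    /* Safe: the same bytes printed as data, never interpreted. */
    print_untrusted(posted);
    return 0;
}
```

The count comes out at five (four %x and one %s) against zero supplied arguments, which is exactly the mismatch the second answer describes. On the compiler point: GCC and Clang report a non-literal format string passed with no further arguments when built with -Wformat -Wformat-security (and refuse it with -Werror=format-security), and -Wformat checks that a literal format's conversions match the arguments given; the fix in code is always the print_untrusted pattern, a fixed format with the data as an argument.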
