Therefore, by looking at the number of arguments, everything looks fine. To find the mismatch, the compiler would need to understand how printf() works and what the format string means. However, compilers usually do not do this kind of analysis. Sometimes the format is not a constant string at all; it is generated while the program runs. In that case there is no way for the compiler to find the mismatch.

The function printf() fetches its arguments from the stack. If the format string needs 3 arguments, it will fetch 3 data items from the stack. Unless the stack is marked with a boundary, printf() has no way to know that it has run out of the arguments that were actually provided to it, so it keeps fetching data from the stack. In a mismatch case, it will fetch data that do not belong to this function call.

Viewing Memory at Any Location

What trouble can be caused by printf() when it starts to fetch data that is not meant for it? To read memory at a location of our choosing with %s, we have to supply the address of that memory. However, we cannot change the code; we can only supply the format string. If we use printf("%s") without supplying a memory address, printf() will take the target address from the stack anyway: it keeps a pointer to where its arguments start, so it knows where on the stack to look for each parameter.

Observation: the format string is usually located on the stack. If we can encode the target address in the format string, the target address will be on the stack. In the following example, the format string is stored in a buffer, which is located on the stack.

\x10\x01\x48\x08 are the four bytes of the target address. In the C language, \x10 in a string tells the compiler to put the hexadecimal value 0x10 in the current position. Without \x, if we directly put "10" in a string, the ASCII values of the characters '1' and '0' will be stored instead; their ASCII values are 49 and 48, respectively. Each %x causes printf()'s argument pointer to move one word closer to the format string. Basically, we use four %x to move the pointer up to the address that we stored at the start of the format string, and the %s that follows then reads the string at that address. Here is how the attack works if user_input contains a format string built this way.