RE: [Format String vulnerabilities]

From: Chris Eagle (cseagle_at_redshift.com)
Date: 05/29/04

    To: <vuln-dev@securityfocus.com>
    Date: Sat, 29 May 2004 04:00:21 -0700
    
    

    Gerardo Richarte wrote:
    > > Surely however the format string *itself* isn't passed on the stack
    > > but a pointer to the format string. therefore the %x modifier would
    > > return a hex representation of the address pointing to the string, *not*
    > > a hex representation of the string contents?
    >
    > Everything you said is correct, except for 2 things:
    >
    > . the fact that the format string itself is not in the
    > stack. This is actually why there is a buf[1024] and a
    > strncpy(buf,argv[1],sizeof(buf)): to copy the format string to the stack.
    >
    ...
    > the code is:
    >
    > > fmt1.c ----------------------------------------------------
    > >
    > > #include <stdio.h>
    > > #include <string.h>
    > >
    > > int main(int argc, char *argv[]) {
    > >     char buf[1024];
    > >
    > >     if (argc < 2)
    > >         return 1;
    > >     strncpy(buf, argv[1], sizeof(buf));   /* local copy of the format string */
    > >     printf(argv[1]);                      /* deliberately vulnerable: user data used as the format */
    > >     printf("\n");
    > >     return 0;
    > > }
    > > ------------------------------------------------------------

    argv[1] is already on the stack, there is no need for the strncpy call to
    copy the format string to the stack. In fact, in this case, the call places
    a second copy of argv[1] on the stack.

    Chris
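The point Chris makes can be measured rather than argued. The program below is an added example written for this archive page, not code from the thread or from either poster. It takes the fmt1.c pattern, but instead of handing argv[1] to printf() it records where the two copies of the string sit relative to a callee frame (the frame a "%08x" walk would start popping from), and checks whether a given pointer falls inside the process stack at all. It assumes a downward-growing stack with the argv and envp strings placed at its top (Linux and the BSDs), a non-empty environment (with `env -i` the envp-based upper bound no longer covers the argv strings), and gcc or clang for `__attribute__((noinline))`. The names `words_above`, `locate_copies`, `on_stack` and `self_check` are this example's own.

```c
/*
 * stackcopies.c -- added example for this thread, not code from the post.
 * It measures what Chris describes: argv[1] already lives on the stack, just
 * below the environment strings at the top of the process image, while the
 * strncpy() in fmt1.c makes a second copy inside main()'s frame, which is the
 * copy a printf("%08x...") walk reaches first.
 *
 * Assumptions: a downward-growing stack with argv and envp strings placed at
 * its top (Linux, the BSDs), a non-empty environment, and gcc/clang for
 * __attribute__((noinline)).  Build: cc -o stackcopies stackcopies.c
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

extern char **environ;          /* POSIX; the envp array and its strings are on the stack */

struct copies {
    long argv_words;            /* pointer-sized words from a callee frame up to the caller-supplied string */
    long buf_words;             /* the same measure for the copy strncpy() placed in the frame */
};

/* A callee frame stands in for printf()'s own: a %x walk consumes words
 * upward from about here, so fewer words means fewer conversions needed. */
__attribute__((noinline))
static long words_above(const void *p)
{
    volatile char anchor = 0;   /* a slot in this, lower, frame */
    (void)anchor;
    return (long)(((intptr_t)p - (intptr_t)&anchor) / (intptr_t)sizeof(void *));
}

/* The copy dance from fmt1.c, measured instead of handed to printf(). */
__attribute__((noinline))
struct copies locate_copies(const char *arg)
{
    char buf[1024];
    struct copies c;
    strncpy(buf, arg, sizeof(buf));
    buf[sizeof(buf) - 1] = '\0';    /* strncpy() leaves no terminator when arg fills buf */
    c.buf_words = words_above(buf);
    c.argv_words = words_above(arg);
    return c;
}

/* 1 if p lies in the main-thread stack, taken as the span from a slot in the
 * current frame up to the end of the highest environment string.  The envp
 * array itself sits on the stack too (unless setenv() has moved it). */
int on_stack(const void *p)
{
    volatile char here = 0;
    uintptr_t lo = (uintptr_t)&here;
    uintptr_t hi = environ ? (uintptr_t)environ : lo;
    for (char **e = environ; e && *e; e++) {
        uintptr_t end = (uintptr_t)*e + strlen(*e);
        if (end > hi)
            hi = end;
    }
    (void)here;
    return (uintptr_t)p >= lo && (uintptr_t)p <= hi;
}

/* 0 when the layout matches the thread's claim, otherwise the number of the failed check. */
int self_check(void)
{
    char fake[] = "AAAA%08x.%08x.%08x";    /* constructed stand-in for argv[1], living in this frame */
    struct copies c = locate_copies(fake);
    if (c.buf_words <= 0)            return 1;  /* in-frame copy is above the callee frame */
    if (c.argv_words <= c.buf_words) return 2;  /* caller's copy is farther up the stack than buf */
    if (!on_stack(fake))             return 3;
    if (on_stack("rodata literal"))  return 4;
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <format-string>\n", argv[0]);
        return 1;
    }
    struct copies c = locate_copies(argv[1]);
    printf("argv[1] at %p: on stack=%d, %ld words above a callee frame\n",
           (void *)argv[1], on_stack(argv[1]), c.argv_words);
    printf("strncpy'd buf: %ld words above a callee frame (the redundant copy)\n", c.buf_words);
    if (environ && environ[0])
        printf("environ[0] at %p: on stack=%d\n", (void *)environ[0], on_stack(environ[0]));
    printf("self_check: %d\n", self_check());
    printf("%s\n", argv[1]);        /* the fix for fmt1.c: user data is an argument, never the format */
    return 0;
}
```

Run it with something like `./stackcopies 'AAAA%08x.%08x'` and compare the two word counts: the in-frame copy is a few dozen words away, the argv[1] string is much farther up, so with the strncpy() an attacker reaches the marker after far fewer conversions, but without it the string is still on the stack and still reachable, which is Chris's point. The last printf() shows the only correct way to print the argument.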

