format string : Question
Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: format string : Question

  1. #1
    Junior Member
    Join Date
    Jun 2005
    Posts
    8

    format string : Question

    I found a format string tutorial in a book. Have understood the basic concept, but have a question about one of the examples. The aim is to write the address 0xddccbbaa into a static int variable declared in a program fmt_vuln. The book says that first you write 0xaa like this:

    ./fmt_vuln `printf "\x70\x97\x04\x08"`%x.%x.%153x%n

    which works. Then, it says that in order to write 0xbb we need to increment the byte count upto 187 which is 0xbb in decimal. This argument could be anything; it just has to be four bytes long and must be located after the first arbitrary memory address of 0x08049770. The word "JUNK" is four bytes and is fine. Similarly for writing 0xcc and 0xdd

    So according to the book, the entire write procedure would be:

    ./fmt_vuln `printf "\x70\x97\x04\x08JUNK\x71\x97\x04\x08JUNK\x72\x97\x04\x08JUNK\x73\x97\x04\x08"`%x.%x.%129x%n%17x%n%17x%n%17x%n

    My question is: Why do we need the four bytes of JUNK separating the addresses even thought we can control the number of bytes by using the size of %x as in %129x??

    Thanks

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Wild guess: Required memory space padding. This isn't an uncommon practice. If you ping certain OSes and look at a packet capture, you'll see they pad the packets with "junk" like 1234567890....



    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,523
    Now here's a first :
    I haven't a clue as to how to respond ............... yet the answer from TH13 made perfect sense

    is this a sign of advancement into geekhood ?
    or is it just advancing old age

    [edit]
    the greens are from me for the confusion ........
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  4. #4
    Junior Member
    Join Date
    Jun 2005
    Posts
    8
    I thought about the padding, but the problem with that is that each of the writes (0xaa, 0xbb,...) is two hex digits, which is equal to one byte. Now each memory address can hold one byte. So where is the padding (that too, 4 bytes) required??

    This is confusing, Help!!

  5. #5
    () \/V |\| 3 |) |3\/ |\|3G47|\/3
    Join Date
    Sep 2002
    Posts
    744
    This is a very interesting analysis of format string bugs. I've been looking over it most of the afternoon and decided to share. Even if you can't use it it's got a lot of good information.

    Analysis of Format String Bugs (PDF)

    Go Finland!
    Deviant Gallery

  6. #6
    Junior Member
    Join Date
    May 2005
    Posts
    28
    I am pretty sure that TheHorse is correct in his assumption that these are used for padding. You are attempting to write an address into some variable and it is necessary to make sure the bytes are properly aligned in memory. This is similar to how the return address in buffer overflows have to be properly aligned to fit into the correct memory location. If things are not properly aligned (padded), then the wrong address would get written.
    An ancient chinese man once told me: \"The hotter the tea, the bigger the wang.\"

    My tea is extra hot.

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Modern processors actually take longer to read just one byte instead of 4. IIRC it's because of the way the addressbus accesses memory. So it could be some compiler optimization. You store just one byte but the compiler modifies it to 4 (the actual byte and 3 bytes padded). That could improve the speed of the program (size-speed trade-off).

    One way to find out though is to run your program (including the 'exploit') using a debugger. That will give you chance to look at what the stack actually looks like when it gets 'hit'.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    SirDice is right, most processors read blocks of 4 bytes or more (normaly whatever the word size is although it varies slightly), so optimization is probably a good guess. Is it possible to contact the author for comment?
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag D landet her kvilte i heilag fred og alle hadde kjrleik elske med.

  9. #9
    Junior Member
    Join Date
    May 2005
    Posts
    28
    But the compiler doesn't see the format string. The format string is entered as a parameter to an already compiled (exploitable) program (usually taking advantage of printf(string) instead of printf(%s, string)). So the compiler itself does not ever see the format string because it is entered as a parameter. I am almost 100% sure that this is to ensure that the data being entered (the address to be stored) lines up correctly in memory (dealing with word size).
    An ancient chinese man once told me: \"The hotter the tea, the bigger the wang.\"

    My tea is extra hot.

  10. #10
    Junior Member
    Join Date
    Jun 2005
    Posts
    8
    Padding seems most obvious but HOW does it need padding? As I wrote earlier each of the writes (0xaa, 0xbb,...) is two hex digits, which is equal to one byte. Now each memory address can hold one byte. So where is the padding (that too, 4 bytes) required??

    The processor does read 4 bytes (1 word) but that would mean that it reads all the four consecutive memory addresses. There is no need for the junk, which in any case would add to one byte in the address to make 5 bytes not 4.

    Hopefully we can sort this out :/

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides