10 Cards in this Set

  • Front
  • Back
What is a format string?
A format string is simply a string of characters that contains special format specifiers (conversion specifications such as %d or %s) which the printf family interprets when producing output.
What is a print specifier or format specifier?
A conversion specifier placed in the format string passed to one of the printf functions; it tells printf how to interpret and print the matching argument.

Examples - %s, %d, %n, %x
What is a format string bug / How can they be vulnerable?
When the programmer passes data (often user-controlled input) directly as the format string instead of supplying a constant format with the matching specifier. gcc and clang flag the vulnerable form below with -Wformat-security ("format not a string literal and no format arguments").

Correct:

printf("%s", string_to_print);

Vulnerable:

printf(string_to_print);
What is the functionality of the printf function if the print specifier is left off?
If the specifier is left off and the input itself becomes the format string, the printf family still parses that string for % sequences. Each conversion it finds consumes the next variadic argument even though none were passed, so printf reads whatever happens to be in the argument registers and then the caller's stack. That is what an attacker's %x, %s and %n reach.
What are the three main things can you accomplish with a format string exploit? (More can be accomplished)
1. You can read data off the stack.

1.1. Passing several %x prints successive stack words in hex, possibly containing passwords or addresses useful for later stages. %s can also be used: it treats the word as a char pointer and dumps the string it points to.

2. You can write to locations in memory using the %n specifier (overwrite a saved return address, GOT/PLT entries, .dtors, etc.).

3. You can call functions that regular program flow wouldn't have called.
How do you write to memory locations with %n?
%n writes a value into the memory location whose address is the matching argument (in an exploit, an address the attacker has placed on the stack). The value it writes is the number of characters output so far, including spaces, before the %n in the format string.

By controlling that count you can write any byte value 0 to 255 in the low byte. Because plain %n stores a full 4-byte int, the classic technique performs four overlapping writes at address, address+1, address+2 and address+3, each count chosen so its low byte is the byte wanted there; the higher bytes spill into the following addresses and are overwritten by the next write. This effectively fills a 4-byte memory address 1 byte at a time.
How can you easily add characters before %n?
One way is to use the width specifier in printf:

%x%x%10x%n - the 10 pads the third value to ten characters, so ten characters are added to the count without needing ten bytes of attacker input. Larger widths (e.g. %300x) reach larger values the same way.
What is DPA and how does it help format string vulns?
DPA = Direct Parameter Access

DPA allows you to access a parameter directly with %N$ (for example %4$x or %4$n) without listing all preceding parameters before it, which keeps the format string short when the attacker's pointer sits many stack words away.
As an example, what would the following call to printf print?

printf("4th: %4$d\n", 7, 20, 44, 65, 28, 2);
This is using DPA to access the 4th parameter, which is 65.
What is the %hn modifer?
The h length modifier makes %n store a short, so %hn writes 16 bits (2 bytes) at a time. Instead of four separate 1-byte writes, two %hn writes fill a 4-byte address, and nothing spills into the neighbouring bytes.
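The %n count, width padding, DPA and %hn cards above, worked through in code. This is an added example, not part of the flashcard set: the pointers that %n and %hn write through are passed explicitly as arguments so the program is well-defined and runs anywhere; in a real bug they would be attacker-controlled words on the stack, reached by consuming arguments with %x or by %N$. The function names (width_count_demo, dpa_demo, write32_with_hn) and the word32 union are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* %n stores the number of characters emitted so far.
 * "%x%x%10x%n" with 1, 2, 3 emits "1", "2", then "3" padded to width 10:
 * 1 + 1 + 10 = 12 characters before the %n. Returns that count (12). */
int width_count_demo(void)
{
    char out[64];
    int count = -1;
    snprintf(out, sizeof out, "%x%x%10x%n", 1u, 2u, 3u, &count);
    return count;
}

/* DPA: %N$ names argument N directly, in any order.
 * Every position 1..3 is referenced here so the call is valid on any libc.
 * An exploit normally references only the slot holding its pointer, which
 * glibc's fortified printf rejects ("invalid %N$ use detected"). Returns 44. */
int dpa_demo(void)
{
    char out[32];
    snprintf(out, sizeof out, "%3$d %1$d %2$d", 7, 20, 44);
    return atoi(out);
}

/* The 4-byte target viewed as two 16-bit halves (example's own type). */
typedef union { uint32_t u32; unsigned short u16[2]; } word32;

/* Write an arbitrary 32-bit value with two %hn writes and return what
 * landed in the target. The value is split into halves and written
 * smallest-first, so the second count only has to cover the difference.
 * %hn stores the count modulo 0x10000; a width of 0 would still print one
 * character, so a zero count is replaced by 0x10000, which the 16-bit
 * store discards. The format is a literal and only %*x widths vary. */
uint32_t write32_with_hn(uint32_t value)
{
    word32 target, probe;
    unsigned lo = value & 0xffffu, hi = value >> 16;

    /* Which array index holds the low-order half on this machine? */
    probe.u32 = 1;
    int lo_idx = (probe.u16[0] == 1) ? 0 : 1;
    unsigned short *p_lo = &target.u16[lo_idx];
    unsigned short *p_hi = &target.u16[1 - lo_idx];

    unsigned first = lo, second = hi;
    unsigned short *p_first = p_lo, *p_second = p_hi;
    if (first > second) {
        first = hi; second = lo;
        p_first = p_hi; p_second = p_lo;
    }

    int w1 = first ? (int)first : 0x10000;
    int w2 = (second - first) ? (int)(second - first) : 0x10000;

    /* Room for all the padding so the counts are exact. */
    size_t cap = (size_t)w1 + (size_t)w2 + 16;
    char *out = malloc(cap);
    if (!out)
        return 0;

    target.u32 = 0;
    /* %*x takes its width from the preceding int argument; the printed
     * value (0) is irrelevant, only the number of characters matters. */
    snprintf(out, cap, "%*x%hn%*x%hn",
             w1, 0u, (short *)p_first,
             w2, 0u, (short *)p_second);
    free(out);
    return target.u32;
}

int main(void)
{
    printf("characters counted before %%n: %d\n", width_count_demo());
    printf("value picked by DPA: %d\n", dpa_demo());
    printf("two %%hn writes produced: 0x%08x\n", write32_with_hn(0xdeadbeefu));
    return 0;
}
```

write32_with_hn handles the awkward cases the cards gloss over: a half that is zero, two equal halves, and a low half larger than the high half (which is why the smaller half is written first). Run it with 0xdeadbeef, 0x00010000 and 0xffff0000 to see each path; the stack-pointer placement that a real exploit needs is the only part left out.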