Security-Oriented C Tutorial 0x13 - Pieces of a Puzzle

Dec 25, 2015 03:11 PM
635866088989048926.jpg

Before we begin learning about another vulnerability, we are going to explore printf in a bit more detail. This will be quick little tutorial.

The Missing Link

One conversion specifier I have not told you about is %n. %n is a special little one because it does not do the same thing as all the others. If you take a look at man 3 printf, the description for %n is:

The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.

Let's see an example.

Example Code

635866091539163879.jpg

The %n conversion specifier writes to the address of a variable, like scanf. That's weird, why would you want this? Well, one reason could be for visual formatting, if the programmer required, say, indenting... I don't know, if you find out, you can tell us all!

Compiling and Running

635866094367757527.jpg

As we can see, the %n conversion specifier does not print anything out but does a write instead.

The Width Modifier

The width modifier allows us to specify the minimum number of bytes to write and pads with spaces.

Example Code

635866104779561297.jpg

By adding a number between the % and letter in the conversion specifier, just like adding a maximum length input for scanf, we can perform this operation.

Compiling and Running

635866112122290676.jpg

Pretty neat but what's the point of learning this? We will see in the next tutorial.

Direct Parameter Access

The Direct Parameter Access allows us to manipulate which argument corresponds to which conversion specifier. To do this, we need to type the nth parameter followed by the dollar sign between the % and conversion specifier letter(s) like so: %n$d.

Example Code

635866123006703402.jpg

Aaand results are...

Compiling and Running

635866125162131414.jpg

Cool! Again, the point of this? We'll also find out in the next tutorial!

Conclusion

Make sure you guys thoroughly understand these concepts so that when I introduce the vulnerability, we can apply it. Stay tuned!

dtm.

Comments

No Comments Exist

Be the first, drop a comment!