Before we begin learning about another vulnerability, we are going to explore printf in a bit more detail. This will be quick little tutorial.
The Missing Link
One conversion specifier I have not told you about is %n. %n is a special little one because it does not do the same thing as all the others. If you take a look at man 3 printf, the description for %n is:
The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.
Let's see an example.
Example Code
The %n conversion specifier writes to the address of a variable, like scanf. That's weird, why would you want this? Well, one reason could be for visual formatting, if the programmer required, say, indenting... I don't know, if you find out, you can tell us all!
Compiling and Running
As we can see, the %n conversion specifier does not print anything out but does a write instead.
The Width Modifier
The width modifier allows us to specify the minimum number of bytes to write and pads with spaces.
Example Code
By adding a number between the % and letter in the conversion specifier, just like adding a maximum length input for scanf, we can perform this operation.
Compiling and Running
Pretty neat but what's the point of learning this? We will see in the next tutorial.
Direct Parameter Access
The Direct Parameter Access allows us to manipulate which argument corresponds to which conversion specifier. To do this, we need to type the nth parameter followed by the dollar sign between the % and conversion specifier letter(s) like so: %n$d.
Example Code
Aaand results are...
Compiling and Running
Cool! Again, the point of this? We'll also find out in the next tutorial!
Conclusion
Make sure you guys thoroughly understand these concepts so that when I introduce the vulnerability, we can apply it. Stay tuned!
dtm.
Comments
Be the first, drop a comment!