Security-Oriented C Tutorial 0x13 - Pieces of a Puzzle
Before we begin learning about another vulnerability, we are going to explore printf in a bit more detail. This will be quick little tutorial.
One conversion specifier I have not told you about is %n. %n is a special little one because it does not do the same thing as all the others. If you take a look at man 3 printf, the description for %n is:
The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.
Let's see an example.
The %n conversion specifier writes to the address of a variable, like scanf. That's weird, why would you want this? Well, one reason could be for visual formatting, if the programmer required, say, indenting... I don't know, if you find out, you can tell us all!
As we can see, the %n conversion specifier does not print anything out but does a write instead.
The width modifier allows us to specify the minimum number of bytes to write and pads with spaces.
By adding a number between the % and letter in the conversion specifier, just like adding a maximum length input for scanf, we can perform this operation.
Pretty neat but what's the point of learning this? We will see in the next tutorial.
The Direct Parameter Access allows us to manipulate which argument corresponds to which conversion specifier. To do this, we need to type the nth parameter followed by the dollar sign between the % and conversion specifier letter(s) like so: %n$d.
Aaand results are...
Cool! Again, the point of this? We'll also find out in the next tutorial!
Make sure you guys thoroughly understand these concepts so that when I introduce the vulnerability, we can apply it. Stay tuned!