Format String Vulnerabilities
Posted on 2008-10-11
Hello to everyone!
After reading a paper called "Exploiting Format String Vulnerabilities" (page 14) for a class project I have, it seems to me that the following piece of code should work:
#include <stdio.h>
char buf[64];
char h[] = "test";   /* intended target of the %n write; its address is given below as 0xbffffa67 */
char t[] = "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n";
snprintf(buf, sizeof t, t);   /* t is passed as the format string itself */
The address of h is 0xbffffa67. The paper clearly states that the provided argument to snprintf should allow me to store an integer into h. When the snprintf tries to execute, though, it produces a segmentation fault. Can someone please point me in the right direction? What am I doing wrong here?
Also, on a related note: I am no expert, but I have a fairly good understanding of how the stack works. Still, though, can someone explain to me what should happen when snprintf is called? I feel confused as to how exactly '%08x' works, where and how things are stored on the stack on this call, and how exactly we manage to move the internal stack pointer of printf to our stored address.
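An added example (not from the poster or the paper) that puts the unsafe call pattern from the post beside the fixed-format form, shows what a single %08x actually consumes, and counts directives in untrusted text as a cheap detection signal. Function names and the 128-byte buffer are hypothetical; the sample string is the poster's payload, used here only as data.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the poster's payload (address bytes, five %08x, %n),
 * used here only as data to be handled safely. */
static const char untrusted_sample[] =
    "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n";

/* UNSAFE pattern from the post: the format comes from data, so each %x reads
 * a vararg slot nobody supplied and %n writes through whatever pointer that
 * slot holds. Kept for contrast; never called with untrusted input. */
static int render_unsafe(char *out, size_t n, const char *fmt)
{
    return snprintf(out, n, fmt); /* gcc -Wformat-security warns here */
}

/* SAFE pattern: fixed format, the data is only ever a %s argument. */
static int render_safe(char *out, size_t n, const char *data)
{
    return snprintf(out, n, "%s", data);
}

/* One %08x consumes exactly one unsigned int argument and renders it as
 * eight zero-padded lowercase hex digits. */
static const char *two_words_hex(unsigned a, unsigned b)
{
    static char out[32];
    snprintf(out, sizeof out, "%08x.%08x", a, b);
    return out;
}

/* Count conversion directives in text ("%%" is a literal percent). Untrusted
 * input that should carry none but does is a cheap detection signal. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++)
        if (*s == '%') { if (s[1] == '%') s++; else count++; }
    return count;
}

/* Render untrusted text safely; every directive survives verbatim in the
 * output because none was interpreted. */
static int safe_render_directive_count(const char *untrusted)
{
    char buf[128];
    render_safe(buf, sizeof buf, untrusted);
    return count_directives(buf);
}
```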