C: Read more bytes than format string with format string insertion

In the article Using string formatting vulnerabilities, the authors give the following code example, where input is the unfiltered user input.

char outbuf[512];
char buffer[512];
sprintf (buffer, "ERR Wrong command: %400s", input);
sprintf (outbuf, buffer);

They then explain that by using a special format string as input, they can circumvent the limitation %400s:

"%497d\x3c\xd3\xff\xbf<nops><shellcode>"

This creates a string with a length of 479 characters. However, I cannot find an explanation of how the %479d circumvention bypasses %400s. How does this input allow sprintf to write a string longer than 400 characters?

+4
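The mechanism the question asks about, as an added C example that is not from the question, the answers or the cited article: the first, bounded call only limits how much of input lands in buffer, but the second call then treats buffer itself as the format string, so a "%497d" carried through the first call becomes a 497-byte field written into the 512-byte outbuf. The helper min_format_output is hypothetical and only measures what the second call would write instead of performing it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example, not from the question or article):
 * lower bound on what a string would emit if used as a format string.
 * Literal bytes count 1, "%%" counts 1, any other %-directive counts at
 * least its minimum field width, so "%497d" counts 497. */
size_t min_format_output(const char *fmt) {
    size_t total = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { total++; continue; }
        p++;
        if (*p == '%') { total++; continue; }
        while (*p && strchr("-+ #0", *p)) p++;          /* flags */
        size_t width = 0;
        while (*p >= '0' && *p <= '9') width = width * 10 + (size_t)(*p++ - '0');
        while (*p && !strchr("diouxXcsp", *p)) p++;     /* precision, length modifier */
        if (!*p) break;                                  /* malformed directive at end */
        total += width;
    }
    return total;
}

/* Stage 1 of the question's snippet, done with a bounded call: "%400s"
 * pads the attacker-controlled input to a 400-byte field inside buffer. */
size_t stage1(char *buffer, size_t buflen, const char *input) {
    int n = snprintf(buffer, buflen, "ERR Wrong command: %400s", input);
    return n < 0 ? 0 : (size_t)n;
}

/* Stage 2 of the snippet is sprintf(outbuf, buffer), with buffer as the
 * format string. It is never executed here (there is no argument for the
 * "%497d"); we only measure the minimum it would write into outbuf[512]. */
size_t stage2_would_write(const char *input) {
    char buffer[512];
    stage1(buffer, sizeof buffer, input);
    return min_format_output(buffer);
}

int main(void) {
    const char *input = "%497d";   /* constructed: the directive from the question, no payload */
    char buffer[512], outbuf[512];
    printf("stage 1 wrote %zu bytes into buffer[512]\n", stage1(buffer, sizeof buffer, input));
    size_t s2 = stage2_would_write(input);
    printf("sprintf(outbuf, buffer) would write >= %zu bytes into outbuf[512]: %s\n",
           s2, s2 >= sizeof outbuf ? "OVERFLOW" : "fits");
    snprintf(outbuf, sizeof outbuf, "%s", buffer);   /* the fix: copy, never interpret */
    printf("with snprintf(outbuf, sizeof outbuf, \"%%s\", buffer): %zu bytes\n", strlen(outbuf));
    return 0;
}
```

With the input from the question the first stage writes 419 bytes (19 bytes of prefix plus the 400-byte field), while the second stage would write at least 911 bytes; a benign input such as "hello" stays at 419 in both stages.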
2 answers

sprintf() outbuf, , sprintf(), "% 497d" 497- char ( , ). 512 char outbuf. , (2nd sprintf()).

+2

, input %, buffer % ( sprintf()), sprintf(), 'buffer, % , outbuf. :

snprintf(outbuf, sizeof(outbuf), "%s", buffer);

strcpy(outbuf, buffer);

snprintf() , .

0
