16

I came across this code showing format string exploitation while reading this article.

#include <stdio.h>

int main(void)
{
char secret[]="hack.se is lame";
char buffer[512];
char target[512];

printf("secret = %pn",&secret);

fgets(buffer,512,stdin);
snprintf(target,512,buffer);
printf("%s",target);
}

Executing it with following input

[root@knark]$ ./a.out
secret = 0xbffffc68
AAAA%x %x %x %x %x %x %x //Input given
AAAA4013fe20 0 0 0 41414141 33313034 30326566
- [root@knark]$

What I understand till now is the sequence of %x's will keep on printing the values at addresses above current %esp (I'm assuming that stack is growing downwards towards lower address).

What I'm unable to understand is the input given is stored in buffer array which can't be less than 512 bytes away from current %esp. So, how can the output contain 41414141 (the hex representation of AAAA) just after the 4 %x, i.e, just above the 4 addresses of current %esp. I tried hard to stare at assembly code too but I think I couldn't follow the manipulation of strings on stack.

Improve this question
6
  • I don't understand your command invocation. Is ~/research/paper the executable? I would understand ./myprog < inputdata or cat inputdata | ./myprog but I don't follow what you're doing. Commented Aug 3, 2011 at 17:15
  • OK, I see whats going on. a.out is executed which prints secret = 0xbffffc68 and then waits for user input. For me this just echoed the input back to the screen on the last line and then exited. ~/research/paper is just a shell prompt. Commented Aug 3, 2011 at 17:18
  • @ kerrek SB: i am sorry for that. i have deleted it in order to make it more clear. Commented Aug 3, 2011 at 17:28
  • What I don't get and would need to test is how fgets reads more than 'AAAA' bytes from stdin. Should it reach EOF instead of actually reading out 512 bytes? I mean when it reads stdin, should it get a null terminated string then EOF? Commented Aug 3, 2011 at 17:48
  • @Mr. Shickadance: fgets reads atmost next n-1 characters into the buffer stopping if a newline is encountered. Commented Aug 3, 2011 at 18:32

2 Answers 2

Reset to default
4

On entry to snprintf, the stack has the following:

0xbfd257d0:     0xxxxxxxxx      0xxxxxxxxx      0xxxxxxxxx      0x080484d5
0xbfd257e0:     0xbfd25800      0x00000200      0xbfd25a00      0x00000000
0xbfd257f0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfd25800:     0x00000000      0x00000040      0xb7f22f2c      0x00000000
0xbfd25810:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfd25800 -> target (initially 0x00000000 0x00000040 ...)
...        -> garbage
0xbfd257e8 -> pointer to buffer
0xbfd257e4 -> 512
0xbfd257e0 -> pointer to target
0xbfd257df -> return address

target gets overwritten with the result of snprintf before snprintf gets to use its words as arguments: It first writes "AAAA" (0x41414141) at 0xbfd25800, then "%x" reads the value at 0xbfd257ec and writes it at 0xbfd25804, ..., then "%x" reads the value at 0xbfd25800 (0x41414141) and writes it at 0xbfd25814, ...

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Definately target gets overwritten as a result of snprintf but i didn't get the part followed after that i.e before snprintf gets to use its words as arguments. I thinks target is getting overwritten as result of snprintf. And my question is how target is over written with the value 1414141? In other words how sequence of %x %x...in buffer is replaced by 1414141?
@Terminal, where 0xbfd25800 now contains zero is overwritten by the "AAAA" part by snprintf before the %x sequence is evaluated, because snprintf starts at the left part of the string and copies everything until it hits a %x. That way it doesn't have to allocate a temporary buffer to format the entire string and copy it over all at once.
@karl bielefeldt: Thanks i got it!! Then i suppose that explanation given on that link is not correct. It will be great if anyone of you can throw some light on the explanation given just after the code in link in original post. i believe i had misunderstood something there particularly how they are finding the offset for buffer.
@karl bielefeldt: Finally i got it what that article wanted to convey. Thanks for the help.
1

First of all, let's have a look at the stack after calling snprintf():

Reading symbols from /home/blackbear/a.out...done.
(gdb) run
Starting program: /home/blackbear/a.out 
secret = 0xbffff40c
ABCDEF%x %x %x %x %x %x %x

Breakpoint 1, main () at prova.c:13
13      printf("%s",target);
(gdb) x/20x $esp
0xbfffeff0: 0xbffff00c  0x00000200  0xbffff20c  0x00155d7c
0xbffff000: 0x00155d7c  0x000000f0  0x000000f0  0x44434241
0xbffff010: 0x35314645  0x63376435  0x35353120  0x20633764
0xbffff020: 0x66203066  0x34342030  0x32343334  0x33203134
0xbffff030: 0x34313335  0x20353436  0x37333336  0x35333436
(gdb)

We can actually see, at 0xbffff00c, the string already formatted, so sprintf() wrote right there. We can also see, at 0xbfffeff0, the last argument for snprintf(): target's address, which is actually 0xbffff00c. So I can deduce that strings are saved from the end to the beginning of their allocated space on the stack, as we can also see adding a strcpy():

blackbear@blackbear-laptop:~$ cat prova.c
#include <stdio.h>
#include <string.h>

int main(void)
{
    char secret[]="hack.se is lame";
    char buffer[512];
    char target[512];

    printf("secret = %p\n", &secret);

    strcpy(target, "ABCDEF");   
    fgets(buffer,512,stdin);
    snprintf(target,512,buffer);
    printf("%s",target);
}
blackbear@blackbear-laptop:~$ gcc prova.c -g
prova.c: In function ‘main’:
prova.c:14: warning: format not a string literal and no format arguments
prova.c:14: warning: format not a string literal and no format arguments
blackbear@blackbear-laptop:~$ gdb ./a.out -q
Reading symbols from /home/blackbear/a.out...done.
(gdb) break 13
Breakpoint 1 at 0x8048580: file prova.c, line 13.
(gdb) run
Starting program: /home/blackbear/a.out 
secret = 0xbffff40c

Breakpoint 1, main () at prova.c:13
13      fgets(buffer,512,stdin);
(gdb) x/10x $esp
0xbfffeff0: 0xbffff00c  0x080486bd  0x00000007  0x00155d7c
0xbffff000: 0x00155d7c  0x000000f0  0x000000f0  0x44434241
0xbffff010: 0x00004645  0x00000004
(gdb)

That's it! In conclusion, we've found the string there because strings are stored on the stack in a reversed way, and the beginning (or the end?) of target is near esp.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.