Format String Stack View


Transcript Format String Stack View

Format String Stack View
/* Slide example of a format string defect: the string obtained from the
 * user is handed to snprintf() as the format argument itself. */
main()
{
char user_input[100];
char buffer[100];
int x;
…
/*get user_input*/
…
/* Defect: user_input sits in the format position, so any conversion
 * specifiers it contains (%d, %n, ...) are interpreted by snprintf().
 * The sizeof bound only limits what is stored in buffer; it does not
 * stop the format from being interpreted. Pass the data as an argument
 * to a constant format instead:
 *     snprintf(buffer, sizeof buffer, "%s", user_input);
 * GCC and Clang can flag this call pattern with -Wformat -Wformat-security. */
snprintf(buffer,
sizeof buffer,
user_input);
}
©2002, Ed Skoudis
Format String Stack View
main()
Bottom of
Memory
{
char user_input[100];
char buffer[100];
int x;
…
/*get user_input*/
…
snprintf(buffer,
sizeof buffer,
user_input);
Top of
Memory
}
©2002, Ed Skoudis
..
.
Fill
Direction
..
.
Value
to Change
Format String Stack View
main()
Bottom of
Memory
{
char user_input[100];
char buffer[100];
int x;
…
/*get user_input*/
…
snprintf(buffer,
sizeof buffer,
user_input);
Top of
Memory
}
©2002, Ed Skoudis
..
.
Fill
Direction
int x
Buffer
(100 char)
..
.
Value
to Change
Format String Stack View
main()
Bottom of
Memory
{
char user_input[100];
char buffer[100];
int x;
…
/*get user_input*/
…
snprintf(buffer,
sizeof buffer,
user_input);
Top of
Memory
}
©2002, Ed Skoudis
..
.
Return Pointer
Pointer to Buffer
sizeof buffer
Pointer to user_input
int x
Buffer
(100 char)
..
.
Value
to Change
Fill
Direction
Format String Stack View
main()
Bottom of
Memory
{
char user_input[100];
char buffer[100];
int x;
…
/*get user_input*/
…
snprintf(buffer,
sizeof buffer,
user_input);
Top of
Memory
}
©2002, Ed Skoudis
..
.
Return Pointer
Fill
Direction
Pointer to Buffer
sizeof buffer
Pointer to user_input
int x
Buffer
(100 char)
..
.
Value
to Change
“c0faffbf%d%n”
Format String Stack View
main()
Bottom of
Memory
{
char user_input[100];
char buffer[100];
int x;
…
/*get user_input*/
…
snprintf(buffer,
sizeof buffer,
user_input);
Top of
Memory
}
©2002, Ed Skoudis
..
.
Return Pointer
Fill
Direction
Pointer to Buffer
sizeof buffer
Pointer to user_input
int x
c0faffbf
Buffer
(100 char)
..
.
Value
to Change
“c0faffbf%d%n”
Format String Stack View
main()
Bottom of
Memory
{
char user_input[100];
char buffer[100];
int x;
…
/*get user_input*/
…
snprintf(buffer,
sizeof buffer,
user_input);
Top of
Memory
}
©2002, Ed Skoudis
..
.
Return Pointer
Fill
Direction
Pointer to Buffer
sizeof buffer
Pointer to user_input
int x
c0faffbf
value of x
Buffer
(100 char)
..
.
Value
to Change
“c0faffbf%d%n”
Format String Stack View
main()
Bottom of
Memory
{
char user_input[100];
char buffer[100];
int x;
…
/*get user_input*/
…
snprintf(buffer,
sizeof buffer,
user_input);
Top of
Memory
}
©2002, Ed Skoudis
..
.
Return Pointer
Fill
Direction
Pointer to Buffer
sizeof buffer
Pointer to user_input
int x
c0faffbf
value of x
Buffer
(100 char)
..
.
Value
to Change
“c0faffbf%d%n”
Format String Stack View
main()
Bottom of
Memory
{
char user_input[100];
char buffer[100];
int x;
…
/*get user_input*/
…
snprintf(buffer,
sizeof buffer,
user_input);
Top of
Memory
}
©2002, Ed Skoudis
..
.
Return Pointer
Fill
Direction
Pointer to Buffer
sizeof buffer
Pointer to user_input
int x
c0faffbf
value of x
Buffer
(100 char)
..
.
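Value to Change = 5 (%n stored the count of characters output so far: the 4 address bytes plus what %d printed)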
“c0faffbf%d%n”
Format String Stack View
main()
Bottom of
Memory
{
char user_input[100];
char buffer[100];
int x;
…
/*get user_input*/
…
snprintf(buffer,
sizeof buffer,
user_input);
Top of
Memory
}
©2002, Ed Skoudis
..
.
Return Pointer
Fill
Direction
Pointer to Buffer
sizeof buffer
Pointer to user_input
int x
c0faffbf
value of x
Buffer
(100 char)
..
.
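Value to Change = 259 (the 4 address bytes plus the 255 digits that the %.255d precision forces; the stored value follows the output length, so it is controlled by whoever supplies the format string)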
“c0faffbf%.255d%n”