easy target. Let us look at the simplest version of a
vulnerable program.

\lstinputlisting[language=C]{../progs/C4.c}

\noindent The intention is to print out the first argument
given on the command line. The ``secret string'' is never to
be printed. The problem is that the C function \pcode{printf}
normally expects a format string---a schema that directs how a
string should be printed. This would be for example a proper
invocation of this function:

\begin{lstlisting}[numbers=none,language=C]
long n = 123456789;
printf("This is a long %lu!", n);
\end{lstlisting}

\noindent In the program above, instead, the format string
has been forgotten and only \pcode{argv[1]} is handed to
\pcode{printf}, which therefore treats it as the format string.
Now if we give on the command line a string such as

\begin{center}
\code{"foo \%s"}
\end{center}

\noindent then \pcode{printf} expects a string to
follow. But there is no string that follows, and how
the argument resolution works in C will in fact print out
the secret string! This can be handily exploited by
using the format string \code{"\%x"}, which reads out the
stack. So \code{"\%x....\%x"} will give you as much
information from the stack as you need and over the
Internet.

While the program above clearly contains a programming
mistake (forgotten format string), things are not as simple
when the application reads data from the user and prints
responses containing the user input.

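As an added example (not part of these notes or of the \pcode{C4.c} program), here is the hardened counterpart of the forgotten format string: the untrusted argument is only ever passed as \emph{data} behind a fixed \code{"\%s"} format, and a small check counts conversion specifications in text that was supposed to be plain, so such input can be logged rather than interpreted. The function names and the sample input are my own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the C4.c program from the notes. */

/* Render untrusted text for output WITHOUT ever using it as a format
 * string: the format is the fixed literal "%s", the text is only data.
 * Returns the number of characters that "%s" would emit, or -1 on error. */
int render_untrusted(char *out, size_t outlen, const char *untrusted)
{
    int n = snprintf(out, outlen, "%s", untrusted);
    if (n < 0)
        return -1;
    return n;
}

/* Count conversion specifications ("%s", "%x", ...) in a string that was
 * supposed to be plain data. "%%" is a literal percent and does not count.
 * A non-zero result on user-supplied text is worth logging: such input only
 * has an effect if some code path misuses it as a format string. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {       /* escaped percent sign, skip both */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(int argc, char **argv)
{
    char buf[256];
    /* Constructed sample input when none is given on the command line. */
    const char *input = argc > 1 ? argv[1] : "foo %s";
    int n = count_conversions(input);
    if (n > 0)
        fprintf(stderr, "warning: %d conversion spec(s) in untrusted input\n", n);
    render_untrusted(buf, sizeof buf, input);
    /* Fixed format, input as data: "foo %s" is printed literally. */
    printf("%s\n", buf);
    return 0;
}
```

Compiling with \code{-Wformat-security} makes the compiler flag the original \pcode{printf(argv[1])} pattern, whereas the fixed-format version above is accepted silently.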
\subsubsection*{Caveats}

\bigskip\bigskip
\subsubsection*{A Crash-Course for GDB}
