I came across this code showing format string exploitation while reading this article.
    #include <stdio.h>

    int main(void)
    {
        char secret[] = "hack.se is lame";
        char buffer[512];
        char target[512];

        printf("secret = %p\n", &secret);
        fgets(buffer, 512, stdin);
        /* user input is passed as the format string: the bug under discussion */
        snprintf(target, 512, buffer);
        printf("%s", target);
    }
Executing it with the following input:
    [root@knark]$ ./a.out
    secret = 0xbffffc68
    AAAA%x %x %x %x %x %x %x //Input given
    AAAA4013fe20 0 0 0 41414141 33313034 30326566
    [root@knark]$
What I understand till now is that the sequence of %x’s will keep on printing the values at addresses above the current %esp (I’m assuming that the stack is growing downwards towards lower addresses).
What I’m unable to understand is that the input given is stored in the buffer array, which can’t be less than 512 bytes away from the current %esp. So, how can the output contain 41414141 (the hex representation of AAAA) just after the 4 %x, i.e., just above the 4 addresses of the current %esp? I tried hard to stare at the assembly code too, but I think I couldn’t follow the manipulation of strings on the stack.
On entry to snprintf, the stack has the following:

target gets overwritten with the result of snprintf before snprintf gets to use its words as arguments: It first writes “AAAA” (0x41414141) at 0xbfd25800, then “%x” reads the value at 0xbfd257ec and writes it at 0xbfd25804, …, then “%x” reads the value at 0xbfd25800 (0x41414141) and writes it at 0xbfd25814, …
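
A small model of the overlap the answer describes, added here as an example and not code from the question, the answer or the article: a toy formatter fetches its %x arguments from the same memory it writes its output into, which reproduces the question's output line. The helper names, the 256-byte region and the assumption that exactly four words (0x4013fe20, 0, 0, 0, read off the question's output) sit between the first argument slot and target are illustrative; a real layout depends on the compiler and platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GAP_WORDS 4    /* assumed: words between the first vararg slot and target */
#define MEM_SIZE  256  /* size of the modelled stack region */

/* Constructed sample: the four words the question's output shows before 41414141. */
static const uint32_t SAMPLE_GAP[GAP_WORDS] = { 0x4013fe20u, 0, 0, 0 };

/* Read a 32-bit little-endian word, the byte order of the x86 machine in the question. */
static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Toy formatter (hypothetical helper): handles literal bytes and %x only.
 * Arguments are fetched from mem[] starting at offset 0; output is written
 * into the same mem[] starting right after the gap, where target lives. */
static const char *model_snprintf(const char *fmt, const uint32_t gap[GAP_WORDS])
{
    static unsigned char mem[MEM_SIZE];
    size_t arg = 0;              /* byte offset of the next vararg slot */
    size_t out = GAP_WORDS * 4;  /* byte offset of the next output byte */

    memset(mem, 0, sizeof mem);
    for (size_t i = 0; i < GAP_WORDS * 4; i++)       /* lay out the gap words */
        mem[i] = (unsigned char)(gap[i / 4] >> (8 * (i % 4)));

    for (; *fmt && out + 9 < MEM_SIZE && arg + 4 <= MEM_SIZE; fmt++) {
        if (fmt[0] == '%' && fmt[1] == 'x') {
            /* The slot may already hold bytes this same call wrote earlier. */
            out += (size_t)snprintf((char *)mem + out, MEM_SIZE - out, "%x",
                                    (unsigned)load_le32(mem + arg));
            arg += 4;
            fmt++;               /* skip the 'x' */
        } else {
            mem[out++] = (unsigned char)*fmt;
        }
    }
    mem[out] = '\0';
    return (const char *)mem + GAP_WORDS * 4;
}

int main(void)
{
    puts(model_snprintf("AAAA%x %x %x %x %x %x %x", SAMPLE_GAP));
    return 0;
}
```

In the model the fifth %x reads the "AAAA" just written, and the sixth and seventh read the ASCII bytes "4013" and "fe20" produced by the first %x. In the real program, passing the input as an argument to a fixed format, snprintf(target, sizeof target, "%s", buffer), keeps it from being parsed for conversions at all.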