I have a simple C program:
#include <stdio.h>
int main(void) {
    char user_input[100];
    scanf("%s", user_input); /* unbounded read into a 100-byte buffer */
    printf(user_input);      /* user input used directly as the format string */
}
It is my understanding this represents a security vulnerability; e.g. inputting a bunch of %x will print out the stack's content.
But how could one print a chosen memory location?
I read that:
\x10\x01\x48\x08_%08x.%08x.%08x.%08x.%08x|%s|
Should be dumping the memory's content at the location 0x08480110 from this paper. But instead, it is printing out the very next 4 bytes after the format string on the stack. I'm trying to understand why.
The format string itself will be on the stack (as you've declared user_input as a local variable). So if you walk the stack far enough (which is what the %08x force printf to do), then you will eventually arrive at the beginning of the format string. %s tells printf to read an address from the stack, and then print the string found at that location. So it reads the first 4/8 bytes of the format string, and uses those as the address.

Of course, for this to work, you need to know exactly how far to read through the stack in order to hit the format string. So you may need to adjust the number of %08x.

Also, a user entering \x10 at run-time is not the same as a string literal in your source code that contains \x10…
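The hardened form of the program above, as an added example that is neither the asker's nor the answerer's code: user data is read with a bounded fgets instead of scanf("%s") and is passed to printf only as an argument to a fixed "%s" format, so the %08x and %s in the input are never interpreted. The count_conversions helper is a hypothetical addition that counts how many stack slots a string would consume if it were ever used as a format, which is handy for a log-review or unit-test check.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example): count the conversions a string
   would consume if it were passed as a format string. "%%" is a literal
   percent sign and consumes nothing; every other '%' starts a conversion
   that reads (or, for %n, writes) one argument slot on the stack. */
static int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* skip the escaped "%%" */
        n++;
    }
    return n;
}

/* Hardened echo: the format is a literal, user data is only an argument.
   A backslash-hex sequence typed at run time (e.g. the characters
   '\', 'x', '1', '0') is stored as those four bytes, not as byte 0x10. */
static void echo_safe(const char *user_input) {
    printf("%s\n", user_input);
}

/* Bounded line read replacing scanf("%s"): never writes past size bytes.
   Returns 1 when a line was read, 0 on EOF or error. */
static int read_line(char *buf, size_t size, FILE *in) {
    if (!fgets(buf, (int)size, in)) return 0;
    buf[strcspn(buf, "\n")] = '\0';  /* drop the trailing newline */
    return 1;
}

int main(void) {
    char user_input[100];
    if (!read_line(user_input, sizeof user_input, stdin)) return 1;
    int n = count_conversions(user_input);
    if (n > 0)
        fprintf(stderr, "note: input holds %d format conversion(s); "
                        "it is printed as data, not as a format\n", n);
    echo_safe(user_input);
    return 0;
}
```

Compiling the original program with gcc -Wformat-security flags the printf(user_input) call ("format not a string literal and no format arguments"); the hardened version compiles cleanly.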