Format String Theory Flashcards
What are the format strings?
They make it possible for the programmer to include variables in a string, formatted as desired
What are the key elements in a format string?
The placeholders which specify how data is formatted into a string
What are some examples of format print functions?
They are:
- printf
- fprintf
- sprintf
- snprintf
- vfprintf
- vsprintf
What are the parameters passed to the format print functions?
snprintf(buf, buf_size, "string + placeholders", placeholder_values)
How do a format print function and its placeholder parameters relate?
When the format string is parsed, the function expects the parameter values to replace the placeholders
According to the convention, these are expected to be pushed on to the stack by the caller
The function, therefore, expects the placeholder values to be on the stack
What happens when we do not pass the placeholder values at the end of the format print function call?
The function reads the values from the stack anyway, even if they were not intended to be used that way
We can also place some content on the stack through the format string functions. How can we find out at which position in the stack it was placed?
We can scan the stack with the %N$x syntax, which goes to the Nth parameter, along with a simple shell script
How can we use the stack scan as an information leakage vulnerability?
By searching for interesting data in memory
How can we write on the stack?
By using the %n placeholder, which writes the number of chars printed so far into the address pointed to by the argument
How can we use the format strings to write on the stack?
First, we put the address of the memory cell that we want to modify on the stack, then we use %x to find it on the stack (%N$x). Finally, we use %n to write to the target address placed on the stack
How can we write a valid address on the stack?
We use Python to emit non-printable chars
How do we write an arbitrary number that we can control there?
We use the %c parameter
What are the detailed steps to write an arbitrary number into a target address?
First, you put the target address on the stack as part of the format string, then you find it on the stack using %N$x along with a shell script, and finally you use %c and %n to write a specific number to the target address
What is the problem in writing 32 bit addresses?
The size of the number
How can we write a 32 bit address?
We split each DWORD (32 bits) into two WORDs (16 bits) and write them in two rounds
What are the steps to write a 32 bit address to the target address?
First, we put the two target addresses of the memory cells to modify as part of the format string, then we use %N$x to find the position of the first placed target address (the position of the second target address will be the position of the first one + 1). Finally, we use %c and %n to write the lower and higher portions of the 32 bit address
What is the rationale behind the size of the numbers to be written as part of the 32 bit address in the format string exploit?
Since we are using %c to control the number of chars printed, and because of that we cannot reduce the number of chars printed, we need to first place the portion of the 32 bit address with the lower value, then the higher one.
This difference in the order of the inserted values is achieved mainly by exchanging the order of the addresses on the stack