How does %NNN$hhn work in a format string?
I am trying out a classic format string vulnerability. I want to know how exactly the following format string works:
"%NNN$hhn" where 'N' is any number.
E.g.: printf("%144$hhn",....);
How does it work and how do I use this to overwrite any address I want with arbitrary value?
Thanks and Regards,
Hrishikesh Murali
Comments (1)
It's a POSIX extension (not found in C99) which will simply allow you to select which argument from the argument list to use for the source of the data.

With regular printf, each % format specifier grabs the current argument from the list and advances the "pointer" to the next one. That means if you want to print a single value in two different ways, you need something like:

By using positional specifiers, you can do this as:

because both format strings will use the first argument as their source.

Another example on the Wikipedia page is:

which will give you the output:

It basically allows you to disconnect the order of the format specifiers from the provided values, letting you bounce around the argument list in any way you want, using the values over and over again, in any arbitrary order.

Now whether you can use this as a user attack vector, I'm doubtful, since it only adds a means for the programmer to change the source of the data, not where the data is sent to.

It's no less secure than the regular style printf and I can see no real vulnerabilities unless you have the power to change the format string somehow. But, if you could do that, the regular printf would also be wide open to abuse.
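The following is an added illustration, not code from the question or the answer above. It shows the three pieces of the specifier the question asks about, each exercised on arguments the program itself supplies: the POSIX `n$` positional selector reusing and reordering arguments, the `%hhn` conversion storing the running character count into a one-byte variable, and the defensive pattern (`"%s"` with the untrusted string as an argument) that keeps attacker-controlled text out of the format string entirely. All function names and sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Positional specifier: "%1$d %1$x" prints the first argument twice,
   once decimal and once hex, without passing it twice.
   Returns the number of characters produced (like snprintf). */
int reuse_argument(char *buf, size_t len, int value) {
    return snprintf(buf, len, "%1$d %1$x", value);
}

/* Positional specifier reordering: %2$s is emitted before %1$s,
   so the output order is decoupled from the argument order. */
int reorder_arguments(char *buf, size_t len, const char *first, const char *second) {
    return snprintf(buf, len, "%2$s %1$s", first, second);
}

/* %hhn does not print anything. It stores the number of characters
   produced so far into the signed char whose address the PROGRAM passes,
   keeping only the low byte (300 characters -> (signed char)300 == 44).
   The buffer is sized so no truncation occurs and the count is exact. */
int count_into_byte(signed char *out) {
    char buf[512];
    return snprintf(buf, sizeof buf, "%300c%hhn", 'x', out);
}

/* Defensive pattern: user-controlled text is always an ARGUMENT, never
   the format string. Any '%' in it is copied literally, so no specifier
   (positional or otherwise) is ever interpreted from untrusted input. */
int echo_safe(char *buf, size_t len, const char *user) {
    return snprintf(buf, len, "%s", user);
}

int main(void) {
    char buf[64];
    signed char byte = 0;

    reuse_argument(buf, sizeof buf, 255);
    printf("reuse:   \"%s\"\n", buf);            /* 255 ff */

    reorder_arguments(buf, sizeof buf, "world", "hello");
    printf("reorder: \"%s\"\n", buf);            /* hello world */

    count_into_byte(&byte);
    printf("hhn:     %d\n", (int)byte);          /* 44, the low byte of 300 */

    echo_safe(buf, sizeof buf, "%x%x");          /* constructed untrusted input */
    printf("safe:    \"%s\"\n", buf);            /* %x%x, printed literally */
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` is the usual check for the unsafe counterpart (`printf(user)` with a non-literal format), which the compiler flags and `echo_safe` avoids.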