
If we have code like printf(buffer) where the user can control the buffer, I understand that the user could insert something like AAAA%08x%08x%08x... and would get as output the content of a part of the stack.

I understand that this is because the user can trick printf into believing that it has to process more arguments than are actually provided and therefore tricks it into reading off data from the stack where the arguments should have been.

But since arguments to printf are pushed onto the stack before the function is called, with the format string pushed last, how is it possible that printf also reads the "AAAA" part of the user input from the stack? Wouldn't it access the "nonexisting" arguments as EBP+12, EBP+16, EBP+20... and therefore read data only further up the stack (into higher memory addresses)?

Anders
pineappleman
  • So you're asking how printf can find the string because there is a different parameter count than the `%` signs say? Two thought problems here: a) *Before* printf can count the `%` at all, it has to find the string. Wrong string content can't prevent finding this string. b) Without attacks: printf supports variable parameter counts, and it always can find the string. Last parameter etc. doesn't matter. – deviantfan May 09 '16 at 07:17

0 Answers
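As an added illustration (not from the question or any posted answer), a small C program that puts the vulnerable call from the question next to its hardened form and adds a simple check that counts conversion specifications in untrusted text; the function names are my own.

```c
#include <stdio.h>

/* Vulnerable pattern from the question: the untrusted buffer *is* the format
 * string, so every %x in it makes printf fetch another "argument" that was
 * never passed. The buffer itself is a local of the caller, i.e. it lives at
 * a higher stack address than the slots printf reads for those arguments,
 * so walking upward eventually reaches the "AAAA" bytes. Defined only for
 * contrast; the demo below never calls it. */
void log_unsafe(const char *buffer) {
    printf(buffer);   /* compilers warn about this (-Wformat-security) */
}

/* Hardened form: the format is a literal and the untrusted data is a plain
 * argument, so "%08x" inside it is printed verbatim, never interpreted.
 * Returns the number of characters written, exactly strlen(buffer). */
int log_safe(const char *buffer) {
    return printf("%s", buffer);
}

/* Detection helper: counts conversion specifications in s. "%%" is a literal
 * percent sign and is not counted. Text that should never reach a format
 * parameter (user names, log fields) is suspicious when this returns > 0. */
int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" -> literal '%' */
        n++;
    }
    return n;
}

int main(void) {
    /* constructed sample input, taken from the question text */
    const char input[] = "AAAA%08x%08x%08x";
    printf("conversions in input: %d\n", count_conversions(input));
    int written = log_safe(input);   /* prints the 16 bytes unchanged */
    printf("\nbytes written: %d\n", written);
    return 0;
}
```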