#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/**
See: http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf
Problem is, like SQL Injection (later), input is interpreted and executed.
printf(user_input);
Parameter   Meaning                                   Passed as
----------------------------------------------------------------
%d          decimal (int)                             value
%u          unsigned decimal (unsigned int)           value
%x          hexadecimal (unsigned int)                value
%s          string ((const) (unsigned) char *)        reference
%p          pointer (void *)                          value
%n          number of bytes written so far (int *)    reference
            (the count is written to the supplied integer reference)
**/
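/**
 * Teaching demo of a format-string vulnerability.
 *
 * Each line read from stdin is passed to printf() as the FORMAT argument, so
 * any conversion specifier the user types is interpreted by printf() instead
 * of being printed. That call is kept as written because it is the subject of
 * the exercise; everything around it is made well-defined so that the
 * format-string bug is the only defect being demonstrated:
 *   - the heap allocation is checked,
 *   - the pointer and size_t arguments use matching specifiers (%p, %zu),
 *   - input is read with a bounded fgets() instead of gets(), which was
 *     removed in C11 and adds an unrelated stack overflow,
 *   - the loop ends on end of input instead of spinning forever.
 *
 * Defender notes: gcc/clang report the vulnerable call with
 * -Wformat -Wformat-security, and glibc built with _FORTIFY_SOURCE=2 aborts
 * when %n appears in a format string held in writable memory.
 *
 * @param argc unused
 * @param argv unused
 * @return 0 on end of input, 1 if the heap buffer cannot be allocated.
 */
int main(int argc, char **argv)
{
    char t[100];
    char *s = malloc(100);

    (void)argc;
    (void)argv;

    if (s == NULL) {
        fprintf(stderr, "malloc failed\n");
        return 1;
    }

    strcpy(s, "This is a string on the heap");

    /* %p needs a void *; printing a pointer with %x is undefined behaviour
     * and drops the upper half of the address on 64-bit targets. */
    printf("s holds address %p\n", (void *)s);
    /* strlen() returns size_t, which pairs with %zu rather than %d. */
    printf("length of %s is %zu\n", s, strlen(s));

    // So printf has variable number of arguments
    // How does it know how many?
    // It interprets the format string and trusts the user!!
    for (;;) {
        printf("Give me some input: ");
        fflush(stdout);

        /* Bounded read: at most sizeof t - 1 bytes are stored in t. */
        if (fgets(t, sizeof t, stdin) == NULL) {
            break; /* EOF or read error: leave the loop */
        }
        /* fgets() keeps the newline that gets() used to drop. */
        t[strcspn(t, "\n")] = '\0';

        /* INTENTIONALLY VULNERABLE: user-controlled data used as the format
         * string. The safe form is printf("%s\n", t); */
        printf(t); // really should be printf("%s\n", t);
        printf("\n");
        printf("s=%s\n", s); // Challenge Change the "This is a..." to "Ahis is a..."
    }

    // Try the above with things like
    // %x %x %x %x (this is the stack!!)
    // %08x %08x %08x %08x (this is the stack!!)
    // How about %s %s
    // Could be worse, could put values on the stack
    // \x10\x01\x48\x08 %x %x %x %x
    // \x10\x01\x48\x08 %p
    // \x10\x01\x48\x08 %s
    // Note: reference does not make it clear how to get such
    // literal values on the stack!! You need to figure this out.
    // How about write a program to combine such literal values
    // with format meta commands.
    // Worse! Can cause printf to write into memory!!
    /**
     * int i;
     * printf("123456%n", &i); // Write 6 (since 6 characters written so far)
     * // to &i.
     **/

    free(s);
    return 0;
}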