In Table 8-1, we will introduce a few more format tokens that may be used in a format
string (the original ones are included for your convenience).
The Correct Way
Recall the correct way to use the printf() function. For example, the following code:
//fmt1.c
#include <stdio.h>

int main(void) {
    printf("This is a %s.\n", "test");  // the %s token is matched by the "test" argument
    return 0;
}
Gray Hat Hacking: The Ethical Hacker's Handbook
170
produces the following output:
$ gcc -o fmt1 fmt1.c
$ ./fmt1
This is a test.

Table 8-1 Commonly used format symbols

Symbol  Meaning                          Example
\n      Carriage return                  printf("test\n");
%d      Decimal value                    printf("test %d", 123);
%s      String value                     printf("test %s", "123");
%x      Hex value                        printf("test %x", 0x123);
%hn     Print the length of the          printf("test %hn", var);
        current string in bytes to       Results: the value 04 is stored in var
        var (short int value,            (that is, two bytes)
        overwrites 16 bits)
$       Direct parameter access          printf("test %2$s", "12", "123");
                                         Results: test 123 (second parameter
                                         is used directly)

Chapter 8: Advanced Linux Exploits
171
PART III
The Incorrect Way
But what happens if we forget to add a value for the %s to replace? It is not pretty, but
here goes:
// fmt2.c
#include <stdio.h>

int main(void) {
    printf("This is a %s.\n");  // no argument supplied for %s: this is the bug the text describes
    return 0;
}
$ gcc -o fmt2 fmt2.
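As an added example (not code from the book), the following program exercises the %hn and %2$s tokens from Table 8-1 with snprintf() so their effects come back as values, and shows the corrected form of fmt2.c, where the text to print is passed as the argument to a fixed "%s" format rather than being used as the format string itself. The function names and the static buffers are my own.

```c
// Added example, not from the book: Table 8-1 tokens observed via snprintf(),
// plus the fixed version of fmt2.c.
#include <stdio.h>
#include <string.h>

// %hn stores the number of characters emitted so far into a short.
// The argument must be a pointer (&count), not the variable itself.
short chars_written_before_hn(void) {
    char buf[32];
    short count = 0;
    snprintf(buf, sizeof buf, "test %hn", &count);  // "test " is 5 characters
    return count;                                   // 5
}

// %2$s (direct parameter access) selects the second argument, "123".
const char *direct_param_access(void) {
    static char out[32];
    snprintf(out, sizeof out, "test %2$s", "12", "123");
    return out;                                     // "test 123"
}

// Fixed fmt2.c: the caller's text is data consumed by a fixed "%s" format,
// so any % sequences it contains are copied literally, never interpreted.
const char *print_as_data(const char *text) {
    static char out[64];
    snprintf(out, sizeof out, "This is a %s.\n", text);
    return out;
}

int main(void) {
    printf("%%hn stored %d\n", chars_written_before_hn());
    printf("%s\n", direct_param_access());
    fputs(print_as_data("test"), stdout);
    fputs(print_as_data("%x %x"), stdout);  // printed literally, not expanded
    return 0;
}
```

Compiling with gcc -Wall -Wformat-security flags a printf() whose format is not a string literal, which catches the fmt2.c-style mistake before it ships.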