Let's use IDA Pro to take a look at the sprintf() call that
was flagged by all of the auditing tools used in this chapter. IDA's disassembly listing leading
up to the potentially vulnerable call at location 08049A8A is shown in Figure 12-8. In
the example, variable names have been assigned for clarity. We have this luxury because
we have seen the source code. If we had never seen the source code, we would be dealing
with more generic names assigned during IDA's initial analysis.
It is perhaps stating the obvious at this point, but important nonetheless, to note that
we are looking at compiled C code. One reason we know this, aside from having peeked
at some of the source already, is that the program is linked against the C standard library.
An understanding of the C calling conventions helps us track down the parameters that
are being passed to sprintf() here. First, the prototype for sprintf() looks like this:
int sprintf(char *str, const char *format, ...);
The sprintf() function generates an output string based on a supplied format string
and optional data values to be embedded in the output string according to field specifications
within the format string. The destination character array is specified by the first
parameter, str.
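To make the point about the first parameter concrete, here is an added example (not code from the book or from the program being audited) that places the flagged sprintf() pattern beside a bounded replacement. The format string, buffer size, and sample inputs are all constructed for illustration; the point is that snprintf() reports the length the output would have needed, so the caller can detect truncation instead of overrunning str.

```c
#include <stdio.h>
#include <string.h>

/* Constructed destination size, standing in for the fixed-size buffer
   passed as the first argument (str) of the audited sprintf() call. */
#define DEST_LEN 32

/* The pattern the auditing tools flag: sprintf() writes as many bytes as
   the expanded format needs and knows nothing about the size of dest.
   It is only safe when the caller can prove the result fits. */
int format_unchecked(char *dest, const char *user, const char *host)
{
    return sprintf(dest, "Welcome %s@%s", user, host);
}

/* Bounded replacement: snprintf() is given the size of dest and never
   writes past it. Its return value is the length the full output WOULD
   have had, so a value >= destlen means the output was cut short.
   Returns 0 when everything fit, -1 on truncation (dest is still
   NUL-terminated either way), -2 on an encoding error. */
int format_checked(char *dest, size_t destlen, const char *user, const char *host)
{
    int needed = snprintf(dest, destlen, "Welcome %s@%s", user, host);
    if (needed < 0)
        return -2;
    if ((size_t)needed >= destlen)
        return -1;
    return 0;
}

int main(void)
{
    char dest[DEST_LEN];
    /* Constructed inputs: a pair that fits, and a 40-character user name
       that would run 18 bytes past a 32-byte buffer under sprintf(). */
    const char *long_user = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

    if (format_checked(dest, sizeof dest, "alice", "db01") == 0)
        printf("fits: %s\n", dest);
    if (format_checked(dest, sizeof dest, long_user, "db01") == -1)
        printf("truncated to %zu bytes: %s\n", strlen(dest), dest);
    return 0;
}
```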