The format string is specified in the second parameter, format, and any
required data values are specified as needed following the format string. The security
problem with sprintf() is that it doesn't perform length checking on the output string to
determine whether it will fit into the destination character array. Since we have compiled
C, we expect parameter passing to take place using the C calling conventions, which specify
that parameters to a function call are pushed onto the stack in right-to-left order.
Gray Hat Hacking: The Ethical Hacker's Handbook
Figure 12-8 A potentially vulnerable call to sprintf()
This means that the first parameter to sprintf(), str, is pushed onto the stack last. To track
down the parameters supplied to this sprintf() call, we need to work backwards from the
call itself. Each push statement that we encounter is placing an additional parameter onto
the stack. We can observe six push statements following the previous call to sprintf() at
location 08049A59. The values associated with each push (in reverse order) are:
str: cmd
format: "find %s -name \"%s\" -exec grep -H -n %s \\{\\} \\; > %s"
string1: init_cwd
string2: filename
string3: keyword
string4: outf
Strings 1 through 4 represent the four string parameters expected by the format string.
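As an added example (not code from the book), the same four-argument call rebuilt in C with the length check that the disassembled sprintf() omits: required_cmd_len() computes how many bytes sprintf() would have written, and build_cmd() is the bounded replacement that refuses a command that does not fit. CMD_SIZE, the sample arguments and oversized_filename() are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Size of the destination array cmd; a constructed value for this example. */
#define CMD_SIZE 128

/* Format string recovered from the disassembly discussed in the text. */
#define FIND_FMT "find %s -name \"%s\" -exec grep -H -n %s \\{\\} \\; > %s"

/* Bytes sprintf() would write into cmd (NUL excluded), computed without
 * touching any buffer: exactly the check the original call never makes. */
int required_cmd_len(const char *init_cwd, const char *filename,
                     const char *keyword, const char *outf)
{
    return snprintf(NULL, 0, FIND_FMT, init_cwd, filename, keyword, outf);
}

/* Hardened replacement for the sprintf() call: writes at most CMD_SIZE bytes
 * (always NUL-terminated) and reports truncation instead of overflowing.
 * Returns 0 on success, -1 if the command did not fit. */
int build_cmd(char cmd[CMD_SIZE], const char *init_cwd, const char *filename,
              const char *keyword, const char *outf)
{
    int n = snprintf(cmd, CMD_SIZE, FIND_FMT, init_cwd, filename, keyword, outf);
    if (n < 0 || n >= CMD_SIZE) {
        cmd[0] = '\0';          /* never run a silently truncated command */
        return -1;
    }
    return 0;
}

/* Builds into a local buffer; returns the command length or -1 if refused. */
int cmd_len_or_fail(const char *init_cwd, const char *filename,
                    const char *keyword, const char *outf)
{
    char cmd[CMD_SIZE];
    if (build_cmd(cmd, init_cwd, filename, keyword, outf) != 0)
        return -1;
    return (int)strlen(cmd);
}

/* Constructed oversized filename (CMD_SIZE 'A' characters); no real file. */
const char *oversized_filename(void)
{
    static char name[CMD_SIZE + 1];
    memset(name, 'A', CMD_SIZE);
    name[CMD_SIZE] = '\0';
    return name;
}
```

With the short arguments the command is 72 bytes and fits; with the oversized filename it would need 197 bytes, which the unchecked sprintf() would have written past the end of cmd, while build_cmd() returns -1 instead.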