Consider the function bar and a portion
of the assembly language generated for it in the following listing:
void bar() {
char local_buf[1024];
//now fill local_buf with user input
...
printf(local_buf);
}
; assembly excerpt for function bar
bar:
push ebp
mov ebp, esp
sub esp, 1024 ; allocates local_buf
;do something to fill local_buf with user input
...
lea eax, [ebp-1024]
push eax
call printf
Clearly, this contains a format string vulnerability, since local_buf, which contains usersupplied
input data, will be used directly as the format string in a call to printf. The stack
layout for both bar and printf is shown in Figure 19-5.
Figure 19-5 shows that the attacker can expect to reference elements of local_buf as
parameters 1$ through 256$ when constructing her format string. By making the simple
change shown in the following listing, allocating an additional 1024 bytes in bar??™s stack
frame, the attacker??™s assumptions will fail to hold and her format string exploit will, in
all likelihood, fail.
; Modified assembly excerpt for function bar
bar:
push ebp
mov ebp, esp
sub esp, 2048 ; allocates local_buf and padding
;do something to fill local_buf with user input
...
lea eax, [ebp-1024]
push eax
call printf
The reason this simple change will cause the attack to fail can be seen upon examination
of the new stack layout shown in Figure 19-6.
Pages:
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868