Question
I have a simple C program:
#include <stdio.h>
int main(void) {
    char user_input[100];
    scanf("%s", user_input);   /* unbounded read into a 100-byte buffer */
    printf(user_input);        /* user input is used directly as the format string */
}
It is my understanding this represents a security vulnerability; e.g. inputting a bunch of %x will print out the stack's content.
But how could one print a chosen memory location?
I read that:
\x10\x01\x48\x08_%08x.%08x.%08x.%08x.%08x|%s|
should be dumping the memory's content at the location 0x08480110, from this paper. But instead, it is printing out the very next 4 bytes to the format string on the stack. I'm trying to understand why.
Accepted answer
The format string itself will be on the stack (as you've declared user_input as a local variable). So if you walk the stack far enough (which is what the %08x force printf to do), then you will eventually arrive at the beginning of the format string. %s tells printf to read an address from the stack, and then print the string found at that location. So it reads the first 4/8 bytes of the format string, and uses those as the address.
Of course, for this to work, you need to know exactly how far to read through the stack in order to hit the format string. So you may need to adjust the number of %08x.
Also, a user entering \x10 at run-time is not the same as a string literal in your source code that contains \x10 ...
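As an added example (not code from the question or the answer above), the answer's last point made concrete in C, together with the fix for the original program: an escape sequence in a source literal is compiled to raw bytes, whereas the same characters typed at run-time arrive as ordinary ASCII, and passing the input as an argument instead of as the format string stops printf from interpreting any % it contains. All function names and the sample inputs are assumptions made up for this example.

```c
#include <stdio.h>
#include <string.h>

/* In source, "\x10\x01\x48\x08" is compiled to four raw bytes
 * (0x10, 0x01, 0x48, 0x08), so its length is 4. */
size_t literal_escape_len(void) {
    static const char lit[] = "\x10\x01\x48\x08";
    return strlen(lit);
}

/* The same characters typed at a prompt are backslash, 'x', '1', '0', ...
 * sixteen plain characters, with no raw bytes at all (constructed input). */
size_t typed_escape_len(void) {
    static const char typed[] = "\\x10\\x01\\x48\\x08";
    return strlen(typed);
}

/* Defensive check: count '%' conversions in untrusted text. "%%" is a
 * literal percent sign, so it is skipped. Any count above zero means the
 * text must never be handed to printf as the format argument. */
int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            n++;
        }
    }
    return n;
}

/* Hardened form of the question's program: the input is a %s argument,
 * so its '%' characters are printed rather than interpreted. Returns the
 * number of characters written, as printf does. */
int print_user_input(const char *user_input) {
    return printf("%s\n", user_input);
}

int main(void) {
    char user_input[100];
    if (scanf("%99s", user_input) == 1) {   /* bounded read: at most 99 chars */
        printf("conversions in input: %d\n", count_conversions(user_input));
        print_user_input(user_input);
    }
    return 0;
}
```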