Embed Size (px)
Citation preview
Format String Vulnerability
Topics
Format String Page 1
Format String
Format String Page 2
Function with Varying Length of Arguments
Format String Page 3
How Format String Works
Format String Page 4
prinftf() with missing arguments
Format String Page 5
A Vulnerable Program
Format Parameters
Format String Page 6
Crash the Program
Format String Page 7
Print out Secret Value Question: How to print out some secret valued stored on the stack?Question: How to print out a secret string stored at address 0xaabbccdd?
Format String Page 8
Modify MemoryQuestion: How to modify the data stored on the stack? Question: How to modify the data stored at address 0xaabbccdd?
Format String Page 9
Modify Memory with Specific ValueQuestion: How to modify the data stored at address 0xaabbccdd with value 0x23a402bc?
Format String Page 10
Code Injection
Question: How to use format string vulnerability to jump to injected shellcode?
Format String Page 11
![Exploiting Format String Vulnerabilities€¦ · who wrote the first format string exploit ever, portal, who developed and researched exploitability in his excellent article [3],](https://img.pdfslide.us/doc/110x75/5ebd180de8a6264a5d28c38e/exploiting-format-string-vulnerabilities-who-wrote-the-irst-format-string-exploit.jpg)
![Dates in Oracle - Laurentian · • To_Char converts an Oracle date into a character string To_Char(date[,’format’[,’NLSparameters’]])) To_Date(string[,’format’[,’NLSparameters]]))](https://img.pdfslide.us/doc/110x75/6052475016e3d71cc60720d6/dates-in-oracle-a-tochar-converts-an-oracle-date-into-a-character-string-tochardateaformataanlsparametersa.jpg)
