Security-Oriented C Tutorial 0x13 - Pieces Of A Puzzle - Null Byte

Before we begin learning about another vulnerability, we are going to explore printf in a bit more detail. This will be quick little tutorial.

The Missing Link

One conversion specifier I have not told you about is %n. %n is a special little one because it does not do the same thing as all the others. If you take a look at man 3 printf, the description for %n is:

The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.

Let's see an example.

Example Code

The %n conversion specifier writes to the address of a variable, like scanf. That's weird, why would you want this? Well, one reason could be for visual formatting, if the programmer required, say, indenting... I don't know, if you find out, you can tell us all!

Compiling and Running

As we can see, the %n conversion specifier does not print anything out but does a write instead.

The Width Modifier

The width modifier allows us to specify the minimum number of bytes to write and pads with spaces.

Example Code

By adding a number between the % and letter in the conversion specifier, just like adding a maximum length input for scanf, we can perform this operation.

Compiling and Running

Pretty neat but what's the point of learning this? We will see in the next tutorial.

Direct Parameter Access

The Direct Parameter Access allows us to manipulate which argument corresponds to which conversion specifier. To do this, we need to type the nth parameter followed by the dollar sign between the % and conversion specifier letter(s) like so: %n$d.

Example Code

Aaand results are...

Compiling and Running

Cool! Again, the point of this? We'll also find out in the next tutorial!

Conclusion

Make sure you guys thoroughly understand these concepts so that when I introduce the vulnerability, we can apply it. Stay tuned!

dtm.