•The printf function writes formatted output to stdout (usually the terminal)
•What is printed is controlled by a format string: conversion specifiers such as %s or %d are replaced by the values of the matching arguments:
–char *var = "text";
–printf("The string contains %s\n", var);
•This is also legal C (and POSIX), but vulnerable, because the user's input becomes the format string itself:
–char *var = argv[1];
–printf(var);
•What if our input (argv[1]) contains conversion specifiers such as %08x, %s or %n?
•%08x and %s read: each consumes the next argument slot and prints it (%s dereferences the slot as a pointer to a string)
•%n writes: it stores the number of bytes printed so far into the int that the matching argument points to
•Since no arguments were passed, printf takes them from wherever variadic arguments live (the stack on 32-bit x86; registers, then the stack, on x86-64), so %08x leaks those values, %s leaks memory at any pointer found there, and %n writes through a pointer found there
•If the attacker can place an address in the format string so that it lands in one of those argument slots, %n becomes a write to an arbitrary memory location
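The contrast above in runnable form, as an added example that is not part of the original slides: a logging wrapper (a hypothetical log_line, the classic place this bug hides, written without a format attribute so the compiler cannot warn about callers) that passes untrusted text as the format, the corrected call that passes it as data, and a legitimate use of %n that shows exactly what the specifier stores. All function names are assumptions for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper. It has no printf-style format attribute,
 * so the compiler cannot check what callers hand it as a format string. */
static int log_line(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vprintf(fmt, ap);   /* fmt is interpreted, whatever it contains */
    va_end(ap);
    return n;
}

/* VULNERABLE: the untrusted text IS the format string. "%08x %08x" makes
 * vprintf read argument slots that were never passed (registers/stack)
 * and print them; "%s" dereferences whatever pointer sits there; "%n"
 * writes the byte count through such a pointer. Only ever call this with
 * benign text in a demo; with attacker input the behaviour is undefined. */
int vulnerable_echo(const char *untrusted)
{
    return log_line(untrusted);
}

/* FIXED: the untrusted text is an argument to a constant format. A '%' in
 * the input is printed literally and never interpreted. */
int safe_echo(const char *untrusted)
{
    return log_line("%s", untrusted);
}

/* What %n actually does: store the number of bytes emitted so far into the
 * int whose address is the matching argument. Here the address is a real
 * variable we own; in the vulnerable call it would be whatever value
 * happens to occupy the argument slot, which an attacker can often plant
 * by embedding an address in the format string itself. Returns the count. */
int bytes_before_marker(const char *word)
{
    char buf[128];
    int count = -1;
    snprintf(buf, sizeof buf, "The string contains %s%n and more", word, &count);
    return count;   /* strlen("The string contains ") + strlen(word) */
}

/* Cheap guard for code paths that cannot be refactored immediately: refuse
 * any untrusted text that could be interpreted as a format directive. */
int contains_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : "hello";   /* constructed default input */

    safe_echo(input);
    putchar('\n');

    if (contains_directive(input))
        puts("input contains '%': not passing it as a format string");
    else
        vulnerable_echo(input), putchar('\n');

    printf("%%n stored %d for \"abc\"\n", bytes_before_marker("abc"));
    return 0;
}
```

Run it with an argument such as `'%08x %08x %08x'` to see the difference: safe_echo prints the text literally, while the vulnerable path (if the guard is removed) prints values it was never given. On x86-64 the first few values come from registers rather than the stack, so the "stack leak" only begins a few specifiers in.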