StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
7860635
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2011-10-22T15:41:31.277
FavoriteCount
0
LastActivityDate
2011-10-22T16:00:35.030
LastEditDate
2011-10-22T16:00:35.030
LastEditorUserId
412482
OwnerUserId
412482
ParentId
7860095
PostTypeId
2
Score
6
ViewCount
0
LastEditorDisplayName
text
Body
<blockquote> When you call a function like printf, the formatstring and the arguments are pushed onto the stack. If you ommit the parameters but specify them in the format string with "%x" or "%s" or "%n" you cann access (read or write) the formatstring. On one system i testet that, the format string was the 4th argument. On another it was beyond the 200th. </blockquote> No, perhaps you have misunderstood. When you call printf with one argument - the format string, a pointer to the format string is pushed onto the stack. This is a <code>char *</code> This pointer can point to anywhere in memory - printf just does at it is told and reads that memory location as a format string. In the usual one argument case, you pass a string literal to <code>printf ("hello world!");</code> The compiler puts the text <code>hello world</code> somewhere in memory, and generates a pointer to it to pass to printf. Then it does whatever the calling conventions say it should do for a function call - for example on x86 it pushes the pointer to the stack. Printf then reads its first argument from the stack and is happy! In the usual n argument case, the same thing happens with the string literal and the pointer. For the function call, the compiler passes each of the values. Again using x86 (Because pushing is easier to describe than, say, ARM which has a complicated argument passing scheme) These values are pushed to the stack from right to left. So if you have a call to <code>printf ("%d, %s, %d", x, name, y);</code> y is pushed to the stack, then name, x, and finally the format string. Now, inside printf we read our first argument (get it from the stack). It is a <code>char *</code> pointing to <code>"%d, %s, %d"</code>. We can read this, and then - knowing how the compiler passes arguments we can read the three things which were pushed to the stack - Again we are happy! The format string vulnerability works by misaligning the belief printf has and the belief which the compiler has. We can show it by invoking the undefined behaviour caused by passing the wrong number of arguments to printf. in the call <code>printf ("%s");</code> The compiler does not push the argument which would correspond to the <code>char *</code> printf expects to use to fulfil the <code>%s</code> directive. But - because printf doesn't know the compiler didn't do it it looks for the argument on the stack anyway. It pulls an undefined value off the stack and attempts to read the string it points to. In your case you allow arbitrary format strings to be passed to printf. These certainly have a mismatch between the number of arguments expected and the number of arguments passed, and so printf reads the stack - which is filled with junk. If you are lucky - you can manipulate this junk to point to something you control - and can use this to read information you were not expecting. If you can trick a %n argument to point to somewhere you control, you can write to that memory location with the number of characters printed. So - with this description in mind I can't find a way to parse your question which makes sense. Perhaps you can be more clear and I can update my answer?
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POWhy is the location of the format string on stack so different on different linux systems?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USJames Greenhalgh
UserOwnerUserId
1. USJames Greenhalgh
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POWhy is the location of the format string on stack so different on different linux systems?
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.