Displaying stack contents

Ioannis Vranos

Here is code similar to some that I saw in a video on the web:


    #include <cstdio>
    #include <cstring>

    void somefunc(const char *input)
    {
        using namespace std;

        char buf[5];

        // Displays the stack
        printf("Stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");

        // Buffer overflow
        strcpy(buf, input);

        printf("%s\n", buf);

        printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
    }

    void somefunc2()
    {
        printf("somefunc2()\n");
    }

    int main(int argc, char *argv[])
    {
        using namespace std;

        printf("Address of somefunc = %p\n", somefunc);

        printf("Address of somefunc2 = %p\n", somefunc2);

        somefunc(argv[1]);
    }



So, can we be sure that we can display the contents of the stack in this way?
 
Victor Bazarov

Ioannis said:
So, can we be sure that we can display the contents of the stack in this
way?

Definitely not. Calling 'printf' with fewer arguments than fields
specified by the format string causes undefined behaviour. What happens
in that case *could* be that 'printf' shows you the stack contents or it
*could* be that your hard drive is reformatted or that all your friends
receive obscene e-mails originating from you.

V
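
The mismatch described in the reply above can be checked mechanically. The following is an added example, not code from the thread: a small counter for the arguments a printf format string consumes, applied to the format string from somefunc(). The names args_required and enough_arguments are hypothetical; GCC and Clang perform this kind of check at compile time under -Wformat.

```cpp
#include <cstdio>
#include <cstring>

// Number of arguments a printf-style format string consumes, or -1 if a '%'
// is not followed by a complete conversion specification.
// Only the count is checked; a wrong argument type is undefined too.
int args_required(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p != '\0'; ++p) {
        if (*p != '%')
            continue;
        ++p;
        if (*p == '%')                          // "%%" is a literal percent sign
            continue;
        while (*p != '\0' && std::strchr("-+ #0", *p)) ++p;    // flags
        if (*p == '*') { ++count; ++p; }        // width taken from an int argument
        else while (*p >= '0' && *p <= '9') ++p;
        if (*p == '.') {                        // precision, same two forms
            ++p;
            if (*p == '*') { ++count; ++p; }
            else while (*p >= '0' && *p <= '9') ++p;
        }
        while (*p != '\0' && std::strchr("hlLjzt", *p)) ++p;   // length modifiers
        if (*p == '\0' || !std::strchr("diouxXeEfFgGaAcspn", *p))
            return -1;
        ++count;
    }
    return count;
}

// Extra arguments are evaluated and ignored; too few is undefined behaviour.
bool enough_arguments(const char *fmt, int supplied)
{
    int needed = args_required(fmt);
    return needed >= 0 && supplied >= needed;
}

int main()
{
    // Format string from the thread's somefunc(), which passes no arguments.
    const char *fmt = "Stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n";
    std::printf("needs %d argument(s), call supplies 0: %s\n",
                args_required(fmt),
                enough_arguments(fmt, 0) ? "ok" : "undefined behaviour");
    return 0;
}
```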
 
Matthias Kaeppler

Ioannis said:
So, can we be sure that we can display the contents of the stack in this
way?

What's the deal with the %p?
`info coreutils printf` tells me it evaluates to AM or PM, depending on
your locale settings. It's a date/time specific thing o_O
 
Ioannis Vranos

Matthias said:
What's the deal with the %p?
`info coreutils printf` tells me it evaluates to AM or PM, depending on
your locale settings. It's a date/time specific thing o_O

?
 
Pete Becker

Matthias said:
What's the deal with the %p?
`info coreutils printf` tells me it evaluates to AM or PM, depending on
your locale settings. It's a date/time specific thing o_O

That's what it means in calls to strftime. In calls to printf and its
relatives it displays the value of a pointer.
 
Ioannis Vranos

Victor said:
Definitely not. Calling 'printf' with fewer arguments than fields
specified by the format string causes undefined behaviour. What happens
in that case *could* be that 'printf' shows you the stack contents or it
*could* be that your hard drive is reformatted or that all your friends
receive obscene e-mails originating from you.


OK, so ISO C++ speaking, this is not guaranteed to work. However, in practice it looks
like it is working. Have you seen this before?

I got the code from a code-security oriented video.
 
Victor Bazarov

Ioannis said:
OK, so ISO C++ speaking, this is not guaranteed to work. However, in
practice it looks like it is working. Have you seen this before?

No, I hadn't. Nor would I trust hacker instructional videos when
learning about language features.
 
Ioannis Vranos

Victor said:
No, I hadn't. Nor would I trust hacker instructional videos when
learning about language features.


Actually it was about code security and protecting from hackers and not the opposite. This
shows what buffer overruns look like, and just to provide a useful summary on this, the
bottom line was that apart from using strncpy() etc. (which can also be circumvented with
various tricks), in all these types of attacked programs the data are not checked at the
point of input, and we should consider *any* input as unsafe and validate it at the point
of its introduction.
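
The summary in the post above, as an added example that is not part of the original thread: one well-known strncpy() hazard (no terminator when the source fills the buffer) next to a version of somefunc() that validates its input on entry. BUF_SIZE, bounded_len, strncpy_terminates and somefunc_checked are hypothetical names; the buffer size of 5 is the one from the thread's code.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

const std::size_t BUF_SIZE = 5;     // same size as buf in the thread's somefunc()

// Length of s, giving up after max characters so an unterminated or oversized
// input is never scanned past the limit we care about.
std::size_t bounded_len(const char *s, std::size_t max)
{
    std::size_t n = 0;
    while (n < max && s[n] != '\0') ++n;
    return n;
}

// strncpy() hazard: a source of BUF_SIZE or more characters fills the buffer
// and leaves it without a terminator. Returns true if dst got a '\0'.
bool strncpy_terminates(const char *input)
{
    char dst[BUF_SIZE];
    std::strncpy(dst, input, sizeof dst);
    return std::memchr(dst, '\0', sizeof dst) != nullptr;
}

// somefunc() with the check made where the input enters: a null pointer or a
// string that does not fit (terminator included) is rejected before any copy.
bool somefunc_checked(const char *input)
{
    if (input == nullptr)
        return false;
    std::size_t len = bounded_len(input, BUF_SIZE);
    if (len >= BUF_SIZE)
        return false;
    char buf[BUF_SIZE];
    std::memcpy(buf, input, len + 1);   // len + 1 <= BUF_SIZE, copies the '\0' too
    std::printf("%s\n", buf);
    return true;
}

int main(int argc, char *argv[])
{
    // argv[1] is a null pointer when no argument is given, so check argc first.
    if (argc < 2 || !somefunc_checked(argv[1])) {
        std::fprintf(stderr, "input rejected: need one argument of at most %zu characters\n",
                     BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```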
 
Victor Bazarov

Ioannis said:
Victor said:
No, I hadn't. Nor would I trust hacker instructional videos when
learning about language features.



Actually it was about code security and protecting from hackers and not
the opposite. [...]

Just to let you know that the best security algorithms are invented by
hackers, and knowing how a system can be broken is necessary to be able
to protect it. Instructional videos for hackers or for security personnel
are interchangeable. If you want to be able to break into a system you
might want to learn what is taught to those who are trying to protect it
and vice versa.

And my recommendation for you: if you want your code to be safe, you
should use all means possible to avoid undefined behaviour. Using printf
in the manner you asked about may not be that susceptible to any hacking,
but considering it OK because "it looks like it is working" is a very
dangerous practice.

V
 
Ioannis Vranos

Victor said:
And my recommendation for you: if you want your code to be safe, you
should use all means possible to avoid undefined behaviour. Using printf
in the manner you asked about may not be that susceptible to any hacking,
but considering it OK because "it looks like it is working" is a very
dangerous practice.


Of course. I found it interesting to display the stack in this way though. :)
 
