How does %NNN$hhn work in a format string?
I am trying out a classic format string vulnerability. I want to know how exactly the following format string works:
"%NNN$hhn" where 'N' is any number.
E.g: printf("%144$hhn",....);
How does it work and how do I use this to overwrite any address I want with arbitrary value?
Thanks and Regards,
Hrishikesh Murali

It's a POSIX extension (not found in C99) which will simply allow you to select which argument from the argument list to use for the source of the data.
With regular printf, each % format specifier grabs the current argument from the list and advances the "pointer" to the next one. That means if you want to print a single value in two different ways, you need something like:
printf ("%c %d\n", chVal, chVal);
By using positional specifiers, you can do this as:
printf ("%1$c %1$d\n", chVal);
because both format strings will use the first argument as their source.
Another example on the wikipedia page is:
printf ("%2$d %2$#x; %1$d %1$#x",16,17);
which will give you the output:
17 0x11; 16 0x10
It basically allows you to disconnect the order of the format specifiers from the provided values, letting you bounce around the argument list in any way you want, using the values over and over again, in any arbitrary order.
Now whether you can use this as a user attack vector, I'm doubtful, since it only adds a means for the programmer to change the source of the data, not where the data is sent to.
It's no less secure than the regular style printf and I can see no real vulnerabilities unless you have the power to change the format string somehow. But, if you could do that, the regular printf would also be wide open to abuse.
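To make concrete what the answer describes, here is a small added example (not from the question or answer above) showing the two pieces of `%NNN$hhn`: the `NNN$` part picks which argument supplies the pointer, and `hhn` stores the count of characters written so far, truncated to one byte, through that pointer. The pointer still has to come from the argument list the program itself passes, which is the point the answer makes.

```c
#include <stdio.h>

/* Added demonstration: prints 300 characters of padding, then uses the
 * positional %2$hhn to store the running character count into the
 * signed char supplied as the SECOND argument. The function returns the
 * stored byte so it can be checked. */
int positional_hhn_demo(void)
{
    signed char count = 0;
    char out[512];

    /* %1$300s: argument 1 ("") right-padded to a width of 300 characters.
     * %2$hhn : no output; writes the number of characters emitted so far
     *          (300) into *argument 2, keeping only the low 8 bits.
     * All conversions are positional, since mixing the two styles is
     * undefined behaviour. */
    snprintf(out, sizeof out, "%1$300s%2$hhn", "", &count);

    return count; /* 300 mod 256 == 44: hhn is a one-byte write */
}

/* The answer's own reuse example, shown through snprintf so the result is
 * returned rather than printed: argument 1 is consumed twice. */
int positional_reuse_demo(char *out, size_t n, int ch)
{
    return snprintf(out, n, "%1$c %1$d", ch);
}
```

Compiling with `-Wall -Wformat` lets the compiler check that argument 2 really is a `signed char *`; the same warnings (plus `-Wformat-security`) are what flag a non-literal format string, which is the precondition the answer names for any of this being abusable.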