## memory – Format string exploit length

I’m new to software security and I’m studying it now at university.
I had some doubts about the Format String exploit, in particular how to count the length (in number of bytes) of a format string exploit.

Suppose that I have the following vulnerable code:

``````
04 int guess(char *user) {
05     struct {
06          int n;
08          char usr[16];
09          char buf[16];
10      } s;
11
12      snprintf (s.usr, 16, "%s", user);
13
14      do {
15          scanf ("%s", s.buf);
16          if ( strncmp (s.buf, "DEBUG", 5) == 0) {
17              scanf ("%d", &s.n);
18              for ( int i = 0; i < s.n; i++) {
19                  printf ("%x", s.buf[i]);
20              }
21          } else {
22              if ( strncmp (s.buf, "pass", 4) == 0 && s.usr[0] == '_') {
23                  return 1;
24          } else {
25              printf ("Sorry User: ");
26              printf (s.usr);
27              printf ("\nThe secret is wrong! \n");
28              abort ();
29          }
30          }
31      } while ( strncmp (s.buf, "DEBUG", 5) == 0);
32  }
33
34 int main(int argc, char** argv) {
35      guess(argv[1]);
36 }
``````

And the code is compiled on an IA-32 architecture (32 bit) with the cdecl calling convention and there’s no attack mitigation implemented (no stack canary, no ASLR, etc.; I’m on a completely vulnerable machine).

At line 26 there’s a format string vulnerability since the placeholder is missing ( `printf (s.usr);` ).

I’d like to overwrite the EIP with the address of an environmental variable that contains my shellcode.

I’m supposing (this is a theoretical exercise, I’m aware that in practice there are many other implications) that the address of my environmental variable is `0x44674234`, the address of the EIP is `0x42414515` and the displacement on the stack of my format string is 7.

So my format string exploit will be `\x15\x45\x41\x42\x17\x45\x41\x42%16940c%7\$hn%563c%8\$hn`, I’ll place it into `user` and then it will be copied into `s.usr` and executed by `printf (s.usr);`

Now what I noticed is that only 16 chars are copied into `s.usr` from `user`.

Is my format string not exploitable? I counted 30 characters in my exploit, therefore the `strcpy` will copy only half of my exploit.

Is the number of chars I counted correct? How should I count them?
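As an added example (not part of the original question), the C program below measures the string from the post and passes it through the same bounded `snprintf` copy as line 12, using `snprintf`'s return value to detect truncation, next to a constant-format replacement for line 26. The function names and the reading of `\$` as shell quoting for a literal `$` are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The string from the post as a C literal: 8 raw bytes + 22 ASCII characters.
 * Assumption: the "\$" in the post is shell quoting for a plain '$'. */
static const char PAGE_INPUT[] =
    "\x15\x45\x41\x42\x17\x45\x41\x42" "%16940c%7$hn%563c%8$hn";

/* Same bounded copy as line 12. Returns the bytes actually kept in dst;
 * *wanted receives snprintf's return value, i.e. the length the full
 * string would have needed (excluding the terminating NUL). */
size_t bounded_copy(char *dst, size_t cap, const char *src, int *wanted)
{
    *wanted = snprintf(dst, cap, "%s", src);
    return strlen(dst);
}

/* Standard truncation check: output was cut if wanted >= capacity. */
int was_truncated(int wanted, size_t cap)
{
    return wanted < 0 || (size_t)wanted >= cap;
}

/* Hardened form of line 26: user data is only ever an argument to a
 * constant format string, so conversions inside it are never interpreted. */
int print_user_safely(FILE *out, const char *usr)
{
    return fprintf(out, "Sorry User: %s\n", usr);
}

int main(void)
{
    char usr[16];
    int wanted;
    size_t kept = bounded_copy(usr, sizeof usr, PAGE_INPUT, &wanted);

    printf("input bytes: %zu, kept: %zu, truncated: %d\n",
           strlen(PAGE_INPUT), kept, was_truncated(wanted, sizeof usr));
    print_user_safely(stdout, usr);
    return 0;
}
```

Each `\xNN` escape is one byte, and a size of 16 leaves room for 15 bytes plus the terminating NUL.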

## What is Pumping length for Union of 2 regular languages?

For E = {a,b}, let us consider the regular language
$$L = \{x \mid x = a^{2+3k} \text{ or } x = b^{10+12k},\ k \geq 0\}$$

Which one of the following can be a pumping length (the constant guaranteed by the pumping lemma) for L?
(I am sharing some info below for my thoughts.)
I pressed submit by mistake, please don’t close the question.

## sublist – How can I add or remove the element in the sub-lists, whose length are different?

If there are lists with different lengths of sublists like below,

``````
list1 = {{{1, 2, 3, 4}, {11, 12, 13, 14}, {22, 23, 24, 25}}, {{-1, -2, -3, -4}, {-11,-12,-13, -14}, {-22, -23, -24, -25}, {-41, -42, -43,-44}}, {{100, 200, 300, 400}, {-100, -200, -300, -400}}}
``````

How can I combine or delete each element from sublists?

Question 1.
I have another data of

``````
list2 = {a1, a2, a3},
``````

corresponding to list1. So I want to combine list2 with each sub-element of list1:

``````
newlist = {{{1, 2, 3, 4, a1}, {11, 12, 13, 14, a1}, {22, 23, 24, 25, a1}}, {{-1, -2, -3, -4, a2}, {-11, -12, -13, -14, a2}, {-22, -23, -24, -25, a2}, {-41, -42, -43, -44, a2}},{{100, 200, 300, 400, a3}, {-100, -200, -300, -400, a3}}}
``````

How can I get newlist?
I know I can append a1 to lsmall,

``````
lsmall = {{1, 2, 3, 4}, {11, 12, 13, 14}, {22, 23, 24, 25}}
``````

by

``````
Append[lsmall[[#]], {a1}] & /@ Range[Length[lsmall]]
``````

However, newlist cannot be obtained with

``````
Append[lsmall[[#1, #2]], {list2[[#1]]}] & /@ (Range[Length[lsmall]], (Range[Length[lsmall[[#1]]]])
``````

… I’m in trouble.

Question 2.
After I get

``````
newlist = {{{1, 2, 3, 4, a1}, {11, 12, 13, 14, a1}, {22, 23, 24, 25, a1}}, {{-1, -2, -3,-4, a2}, {-11, -12, -13, -14, a2}, {-22, -23, -24, -25, a2}, {-41, -42, -43, -44, a2}},{{100, 200, 300, 400, a3}, {-100, -200, -300, -400, a3}}}
``````

in Question 1, I also want to extract 2-dimensional sublists, such as

``````
ext1 = {{{1, a1}, {11, a1}, {22, a1}}, {{-1, a2}, {-11, a2}, {-22, a2}, {-41, a2}},{{100, a3}, {-100, a3}}}
``````

… (combination of 1st and last element) or

``````
ext2 ={{{2, 3}, {12, 13}, {23, 24}}, {{-2, -3}, {-12, -13}, {-23, -24}, {-42, -43}},{{200, 300}, {-200, -300}}}
``````

… (combination of 2nd and 3rd element)

I thought

``````
For[i = 1, i <= Length[newlist], i++,
For[j = 1, j <= Length[newlist[[i]]], j++,
ext1 = Transpose[{newlist[[i]][[j]][[All, 1]],
newlist[[i]][[j]][[All, 1]]}];]] Return[ext1]
``````

But it didn’t work at all.

## What is the time complexity of sorting n words length wise and then alphabetically? Should we consider the length of the strings in the complexity?

Let’s assume I have a list of some words found in the English dictionary:
(“hat”, “assume”, “prepare”, “cat”, “ball”, “brave”, “help” …. )

I want to sort these words (which are n in number) in a way, such that they are ordered based on their length, but if 2 words have the same length, they are ordered alphabetically.

What is the time complexity of this sorting operation?

Would it be fair to say that the complexity is just O(nlogn) and not take into consideration the length of the strings? If the largest length is `S`, can the complexity also involve a factor of S?

## What are the minimum and maximum length of a Mainnet Bitcoin address?

The wiki says that

A Bitcoin address is an identifier of 26-35 alphanumeric characters.

Is this information up-to-date? Even the Bech32 address `bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq` given as an example on the same page has 42 characters.

Some other Bitcoin mainnet address examples:

Before you say that this is duplicate, I know that What are the minimum and maximum lengths of a Mainnet Bitcoin address? asks the same question. However, I do not have enough reputation to add a comment there.

## Extract substrings with defined length from a string

I have a string like this one

``````
str = "this and that but also thit and that";
``````

Now I want to extract the first 3 letters before and after `" and "` so that the outcome is

``````
{his and tha, hit and tha}
``````

I tried it with

``````
StringCases[str,
x__ ~~ " and " ~~ y__ :> {StringTake[x, -3], StringTake[y, 3]}]
``````

but this extracts only the second substring `{{"hit", "tha"}}`. And using `StringCases[str, _ ~~ " and " ~~ _]` extracts only one letter `{"s and t", "t and t"}`. So is there a way to define a `Blank` with a particular length?

## regular languages – Minimum pumping length of (01)*

Michael Sipser offers the definition:

The pumping lemma says that every regular language has a pumping length p, such that every string in the language can be pumped if it has length p or more. If p is a pumping length for language A, so is any length p′ ≥ p. The minimum pumping length for A is the smallest p that is a pumping length for A.

Now, (01)* in set notation is {ε, 01, 0101, 010101, …}
Taking minimum pumping length = 1, according to the definition, we have the statement if a string in the language has length 1 or more, it can be pumped.

This statement is true for all elements of the above mentioned set, so can the minimum pumping length be 1?

p.s. the minimum pumping length for (01)* has been asked here before but it doesn’t answer my doubt that since the condition holds for minimum pumping length = 1, why is it not the answer?

## Construct a dfa and nfa for a set of strings on {0,1}: the left most symbol differs from the right most one and odd length string

Construct a dfa and nfa for a set of strings on 0,1 such that the left most and right most elements are different and the string has odd length.
Can you please draw it?

## javascript – How do I display content as many times as a value (length) has entries?

I am developing a web page that has some cards with information about a product.
I get the information from Firebase Realtime Database.
The function is the following:

``````
function GetInfoProduct(){

    let PathTitleProduct1;

    PathTitleProduct1 = "/Productos/";

    // Subscribe to the whole /Productos/ node and re-run on every change
    firebase.database().ref(PathTitleProduct1).on('value', (snapshot) => {
        let DatagettedTitleProduct1 = '';
        if(snapshot.val()){
            DatagettedTitleProduct1 = snapshot.val();
            console.log(DatagettedTitleProduct1);
            let TitleProduct1 = document.getElementById('title_product_1');
            TitleProduct1.innerHTML = DatagettedTitleProduct1;
        }
    })

}
``````

The function above shows me a result of type Object in the console and shows me its length; it shows that it has a length of 3 values, and inside those 3 values there is more data.
What I want to know is how I can make it show as many cards as the length of the object, that is, if I have a length of 3, 3 cards should be shown even though only one card is registered in the HTML, and the information in each card should depend on what is retrieved. The HTML code for one card is the following.

``````
<div class="product_card">

<p id="title_product_1"></p>

<p id="subtitle_product_1"></p>

<div class="variaciones">

<p id="variations_title">Variaciones</p>

<p id="v1"></p>

<p id="v1"></p>

<br>

</div>

<div class="SizeAndPrice">

<p id="SaPtitle">Tamaños y Precios</p>

<div class="size">

<p id="sizep">Individual</p>
<p id="sizep">Pareja</p>
<p id="sizep">Familiar</p>

</div>

<div class="price">

<p id="pricep"></p>
<p id="pricep"></p>
<p id="pricep"></p>

</div>

</div>

<p>Agregar al Carrito</p>

</div>

</div>

</div>
``````

## focal length – Calculation of the height of the camera

I am trying to find the height of a drone using the camera only. I can calculate the distance of the object top and bottom. Object is a square platform with width=0.2m. I used the equation provided by this article: https://www.pyimagesearch.com/2015/01/19/find-distance-camera-objectmarker-using-python-opencv/

Now, I am writing a program for a small drone. Is there a way to calculate the height of it using the distances shown in the image below? The platform is always sitting straight as shown in the image.
FOV of the camera = 82.6 degrees