[英]“/usr/bin/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;?
The code you are talking of looks like this: 您正在谈论的代码如下所示:
ncom = "/usr/bin/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
while(c=nargv[0][i]) {
ncom[9+i++] = c;
}
ncom[9+i] = '\0';
All those x's act as a buffer, they are overridden by the following loop. 所有这些x都充当缓冲区,它们被以下循环覆盖。 Therefore the code effectively adds "/usr/bin/" to the command in nargv[0]
. 因此代码有效地将“/ usr / bin /”添加到nargv[0]
的命令。
With a little more context the code is doing this: 有了更多的上下文,代码就是这样做的:
execv(nargv[0], nargv, np);
execv(ncom+4, nargv, np);
execv(ncom, nargv, np);
If the given command in nargv[0]
is "foo"
it will first try to run "foo"
then "/bin/foo"
and finally "/usr/bin/foo"
. 如果nargv[0]
的给定命令是"foo"
,它将首先尝试运行"foo"
然后"/bin/foo"
,最后运行"/usr/bin/foo"
。
Be aware that above is a good example how to not do such things: 请注意,上面是一个很好的例子,如何不会做这样的事情:
If the string in nargv[0]
happens to be longer than the number of x's, the code will happily continue copying data. 如果nargv[0]
的字符串恰好比x的字符串长,代码将很乐意继续复制数据。 This will override other parts of the stack. 这将覆盖堆栈的其他部分。 The result is a good example of a buffer overflow. 结果是缓冲区溢出的一个很好的例子。 (You allocate a buffer of some size and write more data than allocated.) (您分配一些大小的缓冲区并写入比分配的数据更多的数据。)
This example will demonstrate the problem: 此示例将演示此问题:
#include <stdio.h>
int main(){
char s[]="abcde";
int i;
for(i=0;i<100;i++){
printf("position %2d contains value %3d\n",i,s[i]);
s[i]=0;
}
puts(s);
return 0;
}
If you run it it will (most probably) output this: 如果你运行它将(很可能)输出:
position 0 contains value 97
position 1 contains value 98
position 2 contains value 99
position 3 contains value 100
position 4 contains value 101
position 5 contains value 0
position 6 contains value 0
position 7 contains value 0
position 8 contains value 0
position 9 contains value 0
position 10 contains value 0
position 11 contains value 0
position 12 contains value 12
position 1 contains value 0
position 2 contains value 0
position 3 contains value 0
position 4 contains value 0
position 5 contains value 0
position 6 contains value 0
position 7 contains value 0
[...]
It will fill the string (containing the ASCII values 97 to 101) with zeroes and continue writing the memory where it will find the position of the variable i
it will also set it to zero. 它将填补字符串(包含ASCII值97到101)用零,并继续写入存储器在那里它将找到变量的位置i
它也将其设置为零。 Now i
is zero and therefore the loop starts again, overriding the the already overridden string again and again. 现在i
为零,因此循环再次启动,一次又一次地覆盖已经被覆盖的字符串。
Not only local variables can be overriden, also the return address of a function might get overriden resulting in either a "segmentation fault" or execution of arbitrary code, which is often used by malware. 不仅可以覆盖局部变量,还可以覆盖函数的返回地址,从而导致“分段错误”或任意代码的执行,这通常由恶意软件使用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.