
Buffer overflow exploit experiment, unexpected result

I am doing an analysis of special cases of UB, for the purpose of learning about security leaks via exploits of buffer overflows.

I have trouble understanding the result of an experiment with intentionally provoked UB. I believe that the overflow of a buffer (which lies between another buffer and my detector variable) overwrites both the other buffer and the detector.

In short: what could be the reason for the value 49 of the variable 'value' after

strcpy(buffer_two, argv[1]);

in this code:

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]){
    int value = 5;          /* detector: should stay 5 unless the overflow reaches it */
    char buffer_one[8];
    char buffer_two[8];
    if (argc < 2) return 1; /* need the string to copy */
    strcpy(buffer_one, "one");
    strcpy(buffer_two, "two");

    printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
    printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
    printf("[BEFORE] value is at %p and is %d (0x%08x)\n", &value, value, value);

    printf("\n[STRCPY] copying %zu bytes into buffer_two\n\n", strlen(argv[1]));
    strcpy(buffer_two, argv[1]); /* Copy first argument into buffer_two: no bounds check, overflows on purpose. */

    printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
    printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
    printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value);
    return 0;
}

Result:

./overflow_example AAAAAAAAAAAAAAAA1
[BEFORE] buffer_two is at 0xbff2db0c and contains 'two'
[BEFORE] buffer_one is at 0xbff2db14 and contains 'one'
[BEFORE] value is at 0xbff2db1c and is 5 (0x00000005)

[STRCPY] copying 17 bytes into buffer_two

[AFTER] buffer_two is at 0xbff2db0c and contains 'AAAAAAAAAAAAAAAA1'
[AFTER] buffer_one is at 0xbff2db14 and contains 'AAAAAAAA1'
[AFTER] value is at 0xbff2db1c and is 49 (0x00000031)

The stack of memory goes up. It means we override the value of buffer_one. But I don't know why the value of 'value' was affected.

In your exploit experiment you seem to have lost track of the order of the buffers and the variable.
Your output (together with the variable declarations in the code) clearly shows:

  • buffer_two, size 8, address 0x...0c
  • buffer_one, size 8, address 0x...14
  • value, size 4, address 0x...1c

(The size of value is a guess, but irrelevant, assuming it has the LSB at the lowest byte address.)

When buffer_two overflows by 9 bytes, it fills buffer_one completely, the first byte of value with '1' == 49 and the second byte of value with 0.

To repeat, all of that is, strictly speaking, UB and therefore wild guessing. But that is the normal environment of exploits, which you are probably aware of.
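The following is an added example, not code from the question or the answer above. It reproduces the answer's reasoning without relying on UB: instead of overflowing a real stack frame, it lays the three variables out in a byte array at the offsets the posted addresses imply (buffer_two at +0, buffer_one at +8, value at +16, little-endian, which is an assumption taken from the 0x...0c/0x...14/0x...1c output), then applies a strcpy-like unbounded copy and reads back what buffer_one and value would contain. It also handles the case the answer warns about: an input long enough to run past value into stack the program never prints.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets relative to buffer_two, taken from the addresses in the
 * posted output (0x...0c, 0x...14, 0x...1c). This layout is an assumption
 * about that one binary; everything past 'value' (saved frame pointer,
 * return address) is deliberately not modelled. */
#define BUF_SIZE       8
#define OFF_BUFFER_TWO 0
#define OFF_BUFFER_ONE 8
#define OFF_VALUE      16
#define FRAME_SIZE     20

struct frame_model {
    unsigned char bytes[FRAME_SIZE];
};

/* State of the frame just before the overflowing strcpy:
 * "two" in buffer_two, "one" in buffer_one, value == 5 stored little-endian. */
static void frame_init(struct frame_model *f)
{
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + OFF_BUFFER_TWO, "two", 4);   /* 3 chars + NUL */
    memcpy(f->bytes + OFF_BUFFER_ONE, "one", 4);
    f->bytes[OFF_VALUE + 0] = 5;                    /* LSB at lowest address */
    f->bytes[OFF_VALUE + 1] = 0;
    f->bytes[OFF_VALUE + 2] = 0;
    f->bytes[OFF_VALUE + 3] = 0;
}

/* Reassemble 'value' from its four bytes, least significant byte first. */
static uint32_t frame_value(const struct frame_model *f)
{
    const unsigned char *p = f->bytes + OFF_VALUE;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* buffer_one as the program's printf("%s") sees it: the string runs until
 * the first NUL, which may now sit inside 'value'. Safe to read here because
 * frame_strcpy_buffer_two keeps every terminating NUL inside the model. */
static const char *frame_buffer_one(const struct frame_model *f)
{
    return (const char *)f->bytes + OFF_BUFFER_ONE;
}

/* Same effect as strcpy(buffer_two, src): copies strlen(src)+1 bytes with no
 * bounds check. Returns how many bytes landed past the end of buffer_two
 * (terminating NUL included), or -1 if the copy would run off the end of the
 * modelled frame, i.e. into memory the original program does not print. */
static int frame_strcpy_buffer_two(struct frame_model *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > FRAME_SIZE - OFF_BUFFER_TWO)
        return -1;
    memcpy(f->bytes + OFF_BUFFER_TWO, src, n);
    return n > BUF_SIZE ? (int)(n - BUF_SIZE) : 0;
}

int main(int argc, char *argv[])
{
    /* Default input is the one from the post; pass another string to experiment. */
    const char *input = argc > 1 ? argv[1] : "AAAAAAAAAAAAAAAA1";
    struct frame_model f;
    frame_init(&f);

    int spill = frame_strcpy_buffer_two(&f, input);
    if (spill < 0) {
        printf("%zu bytes would run past 'value' into unmodelled stack\n",
               strlen(input) + 1);
        return 1;
    }
    printf("%d bytes written past the end of buffer_two\n", spill);
    printf("buffer_one now contains '%s'\n", frame_buffer_one(&f));
    printf("value now %lu (0x%08lx)\n",
           (unsigned long)frame_value(&f), (unsigned long)frame_value(&f));
    return 0;
}
```

With the post's input, 16 'A's fill buffer_two and buffer_one, the '1' (0x31) lands in the low byte of value and strcpy's terminating NUL in the byte above it, which is why buffer_one prints as 'AAAAAAAA1' and value becomes 49. Appending a second character, e.g. 'AAAAAAAAAAAAAAAA12', puts 0x31 and 0x32 in the two low bytes and yields 0x00003231. Anything 20 characters or longer would cross the end of the modelled frame, which on the real stack means corrupting whatever follows value, typically the saved frame pointer and return address.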
