How to exploit Lottery Game?
After exploiting this code and finding out that entering 16 different digits produces the output using the exploit, I am trying to understand why this is the case. Is it because of the memory location?
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main(int argc, char *argv[]) {
    int entry[6];
    int results[6];
    int i = 0, tmp = 0;

    /* Generate power balls */
    srand(time(NULL));
    for (int i = 0; i < 6; i++) {
        results[i] = rand() % 99;
    }

    printf("RULE: You are to enter a sequence of six two-digit numbers between 10 and 99. \n");
    printf(" - The numbers should be separated by a single space. \n");
    printf(" - The seventh number should be -1, indicating the completion of the sequence \n");
    printf("Enter the numbers: \n");

    while (tmp != -1) {
        scanf("%d", &tmp);
        if (tmp == -1) break;
        entry[i] = tmp;
        i++;
    }

    /* Check results */
    int match = 0;
    for (int i = 0; i < 6; i++) {
        printf("The lottery number is: %d\n", results[i]);
        printf("Your guess is: %d\n", entry[i]);
        if (results[i] == entry[i]) {
            match++;
        }
    }

    if (match != 6) {
        printf("Unfortunately, there has been a mismatch! Better luck next time!\n");
    }
    else {
        printf("Congratulations, all the numbers match! You have won a gazillion dollars \n");
    }
    return 0;
}
I tried finding the memory location of each array: Entry / Results
But I don't understand how they are related or even if they are part of the exploit.
On my machine, where sizeof (int) is 4, these arrays align 32 bytes apart
(gdb) print &entry
$1 = (int (*)[6]) 0x7fffffffe7b0
(gdb) print &results
$2 = (int (*)[6]) 0x7fffffffe7d0
with results being placed after entry, and 8 bytes of padding between them.
|entry                  |padding|results                |stack
| 0 | 1 | 2 | 3 | 4 | 5 | P | P | 0 | 1 | 2 | 3 | 4 | 5 | ? | ? | ? |
i   = 0   1   ...   6   7   8   9   ...  12  13  14  15  16
tmp = 10  12  ...   16  17  18  10  12  ...  16  17  18  -1
Until tmp is -1, i will continue to increment, writing the value of tmp into entry[i]. This eventually overflows entry, and starts writing to the padding bytes, and then the results array.
On my machine, i, tmp, and match are placed before the arrays, and what follows the arrays are likely canaries, which trip the stack protection when their values are changed.
Entering only 14 values, instead of 16, and then -1, causes the results array to be overwritten exactly, without tripping any stack protection.
This does all fall under the purview of Undefined Behaviour, though.
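The root cause the answer describes is that the input loop has no upper bound on i. The following is an added example (not code from the question or the answer) showing a bounds-checked replacement for that loop; it assumes the input arrives as a string rather than stdin so it can be exercised offline, and it also enforces the 10..99 rule the program prints but never checks.

```c
#include <stdio.h>

#define MAX_ENTRIES 6

/* Bounds-checked replacement for the question's input loop.
 * Reads whitespace-separated integers from `text` into `entry`, stopping at
 * the -1 terminator. Returns the number of values stored, or -1 if the input
 * is malformed, a value is outside 10..99, or a seventh number arrives before
 * the terminator. Surplus values are never written, so `entry` cannot spill
 * into the padding or the results array that follow it on the stack. */
int read_entries(const char *text, int entry[MAX_ENTRIES])
{
    int count = 0, consumed = 0, tmp = 0;
    const char *p = text;

    for (;;) {
        /* %n records how many characters sscanf consumed, including spaces */
        if (sscanf(p, "%d%n", &tmp, &consumed) != 1)
            return -1;                   /* ran out of input with no -1, or junk */
        p += consumed;
        if (tmp == -1)
            break;                       /* terminator seen: stop reading */
        if (count == MAX_ENTRIES)
            return -1;                   /* the write that would have overflowed */
        if (tmp < 10 || tmp > 99)
            return -1;                   /* the rule printed by the original program */
        entry[count++] = tmp;
    }
    return count;
}

/* Convenience wrapper: parse into a local buffer and report only the count. */
int count_entries(const char *text)
{
    int entry[MAX_ENTRIES];
    return read_entries(text, entry);
}

int main(void)
{
    /* constructed samples: a valid sequence, and the 16-value overflow input */
    printf("valid:    %d\n", count_entries("10 12 13 14 15 16 -1"));
    printf("overflow: %d\n", count_entries("10 12 13 14 15 16 17 18 10 12 13 14 15 16 17 18 -1"));
    return 0;
}
```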