我目前正在学习剥削艺术的剥削。开发部分的第一个代码基本上教会了我一个非常基本的溢出。这是从书的代码:缓冲区溢出不溢出
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
int value = 5;
char buffer_one[8], buffer_two[8];
strcpy(buffer_one, "one"); /* Put "one" into buffer_one. */
strcpy(buffer_two, "two"); /* Put "two" into buffer_two. */
printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
printf("[BEFORE] value is at %p and is %d (0x%08x)\n", &value, value, value);
printf("\n[STRCPY] copying %d bytes into buffer_two\n\n", strlen(argv[1]));
strcpy(buffer_two, argv[1]); /* Copy first argument into buffer_two. */
printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value);
}
与argv的执行后[1] = 1234567890我
[BEFORE] buffer_two is at 0x7ffc97c28ac0 and contains 'two'
[BEFORE] buffer_one is at 0x7ffc97c28ad0 and contains 'one'
[BEFORE] value is at 0x7ffc97c28adc and is 5 (0x00000005)
[STRCPY] copying 9 bytes into buffer_two
[AFTER] buffer_two is at 0x7ffc97c28ac0 and contains '1234567890'
[AFTER] buffer_one is at 0x7ffc97c28ad0 and contains 'one'
[AFTER] value is at 0x7ffc97c28adc and is 5 (0x00000005)
[后] buffer_one应该包含 “90”,而不是 “一”。我注意到我的偏移量是16字节而不是8字节(0x7ffc97c28ac0和0x7ffc97c28ad0),这就是为什么如果不溢出到buffer_one。任何想法我应该看看,这是一个非常严重的问题?
这本书是否指导你编译x64?它是否指定了特定的编译器,版本和标志? – Dai
您使用的编译器可能会将数据从作者使用的编译器中分离出来。你也可能会注意到你拷贝了9个字节的程序 - 你认为它应该拷贝了10个字节。 –
只是基本的'gcc -o overflow_example overflow_example.c',我在'-fno-stack-protector'中加入了,因为没有它,它检测到堆栈粉碎。 – ledao