I am trying to perform a small buffer overflow attack on the following code. When I open the program in gdb, the order on the stack is wrong and I don't know why.
(gdb) list
warning: Source file is more recent than executable.
8 int auth_flag=0;
9 char pwd_buffer[16];
10 strcpy(pwd_buffer,pPwd);
11 if(strcmp(pwd_buffer,"pass")==0)auth_flag=1;
12 return auth_flag;
13 }
14
15
16 int main(int argc, char* argv[])
17 {
(gdb)
18 if(argc<2){
19 printf("\nUsage <%s password>\n\n",argv[0]);
20 exit(0);
21 }
22 if(authenticate(argv[1])){
23 printf("-----------------------------------\n");
24 printf(" ACCESS GRANTED\n");
25 printf("-----------------------------------\n");
26 }
27 else {
(gdb)
28 printf("-----------------------------------\n");
29 printf(" ACCESS DENIED\n");
30 printf("-----------------------------------\n");
31 }
32 return 0;
33 }
(gdb) break 10
Haltepunkt 1 at 0x804855d: file main.c, line 10.
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/phydor/C/Overflow/a.out AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 1, authenticate (pPwd=0xbffff34d 'A' <repeats 40 times>) at main.c:10
10 strcpy(pwd_buffer,pPwd);
(gdb) x/s pwd_buffer
0xbffff07c: 'A' <repeats 40 times>
(gdb) x/d &auth_flag
0xbffff078: 0
(gdb)
I don't understand why pwd_buffer is already filled with the argument before the strcpy() call is executed, and why the buffer sits at a higher address than auth_flag, since the stack grows toward lower addresses.
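The following is an added example, not the asker's program, written to separate the two things the question runs together: "the stack grows toward lower addresses" describes how successive call frames are placed, while the order of locals inside one frame is the compiler's choice, and whether a long strcpy() into pwd_buffer reaches auth_flag depends entirely on that order. The two struct layouts are constructed for illustration (one matches the addresses in the gdb output above, where auth_flag at 0xbffff078 lies below pwd_buffer at 0xbffff07c; the other is the layout the attack needs), and the noinline attribute assumes GCC or Clang.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* A separate (non-inlined) callee: returns the address of one of its locals. */
static NOINLINE uintptr_t callee_local_addr(void) {
    volatile int callee_local = 0;
    return (uintptr_t)&callee_local;
}

/* Frames: on every mainstream ABI the callee's locals sit below the caller's.
 * That is what "the stack grows toward lower addresses" means. Returns 1 when
 * it holds in this build. */
int callee_frame_below_caller(void) {
    volatile int caller_local = 0;
    return callee_local_addr() < (uintptr_t)&caller_local;
}

/* Locals inside one frame: mirrors authenticate() from the question and
 * reports where this compiler placed auth_flag relative to pwd_buffer.
 * 1 = flag above the buffer (a long strcpy overwrites it),
 * 0 = flag below the buffer (as in the asker's gdb output; the overflow runs
 * away from the flag). The value is the compiler's choice, so it is only
 * printed, never asserted. */
int flag_above_buffer(void) {
    volatile int auth_flag = 0;
    volatile char pwd_buffer[16];
    pwd_buffer[0] = '\0';
    return (uintptr_t)&auth_flag > (uintptr_t)pwd_buffer;
}

/* Constructed layouts with the order pinned down by a struct, so the effect
 * of the order can be shown deterministically. */
struct flag_below { int flag; char buf[16]; };   /* what the asker's build did */
struct flag_above { char buf[16]; int flag; };   /* the layout the attack needs */

/* Simulates strcpy(buf, "AAAA...") with `len` 'A's plus the terminating NUL
 * into an object image of `size` bytes (buf at buf_off, flag at flag_off,
 * flag initially 0) and returns the resulting flag value. Writes stop at the
 * end of the object; in a real frame they would continue into whatever lies
 * above, such as the saved return address. */
static int simulate_overflow(size_t size, size_t buf_off, size_t flag_off, size_t len) {
    unsigned char image[64] = {0};
    int flag;
    for (size_t i = 0; i <= len && buf_off + i < size; i++)
        image[buf_off + i] = (i < len) ? 'A' : '\0';
    memcpy(&flag, image + flag_off, sizeof flag);
    return flag;
}

int flag_after_overflow_flag_below(size_t len) {
    return simulate_overflow(sizeof(struct flag_below),
                             offsetof(struct flag_below, buf),
                             offsetof(struct flag_below, flag), len);
}

int flag_after_overflow_flag_above(size_t len) {
    return simulate_overflow(sizeof(struct flag_above),
                             offsetof(struct flag_above, buf),
                             offsetof(struct flag_above, flag), len);
}

int main(void) {
    printf("callee frame below caller frame: %d\n", callee_frame_below_caller());
    printf("auth_flag above pwd_buffer in this build: %d\n", flag_above_buffer());
    printf("40 x 'A', flag below buffer: flag = 0x%x\n",
           (unsigned)flag_after_overflow_flag_below(40));
    printf("40 x 'A', flag above buffer: flag = 0x%x\n",
           (unsigned)flag_after_overflow_flag_above(40));
    printf("16 x 'A', flag above buffer: flag = 0x%x (only the NUL lands on it)\n",
           (unsigned)flag_after_overflow_flag_above(16));
    return 0;
}
```

With the flag below the buffer, 40 bytes of 'A' leave it at 0; with the flag directly above a 16-byte buffer, the same input sets it to 0x41414141, and exactly 16 bytes only place the terminating NUL on it. Compiling the real program with different optimization levels, or with and without -fstack-protector, and comparing flag_above_buffer() is the quickest way to see that the in-frame order is not fixed by the growth direction.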