I am analysing a particular case of UB, with the aim of understanding security vulnerabilities by exploiting a buffer overflow.
I cannot understand the result of an experiment that deliberately uses UB. I believe the buffer overflow (located between another buffer and my probe variable) overwrites the other buffer and the probe.
In short: what could be the reason that the variable 'value' has the value 49 after
strcpy(buffer_two, argv[1]);
in this code:
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    int value = 5;          /* probe variable, declared above the buffers */
    char buffer_one[8];
    char buffer_two[8];

    if (argc < 2) {         /* argv[1] is dereferenced below, so require it */
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }

    strcpy(buffer_one, "one");
    strcpy(buffer_two, "two");
    printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", (void *)buffer_two, buffer_two);
    printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", (void *)buffer_one, buffer_one);
    printf("[BEFORE] value is at %p and is %d (0x%08x)\n", (void *)&value, value, value);

    printf("\n[STRCPY] copying %zu bytes into buffer_two\n\n", strlen(argv[1]));
    strcpy(buffer_two, argv[1]); /* Copy first argument into buffer_two: unbounded, this is the deliberate overflow. */

    printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", (void *)buffer_two, buffer_two);
    printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", (void *)buffer_one, buffer_one);
    printf("[AFTER] value is at %p and is %d (0x%08x)\n", (void *)&value, value, value);
    return 0;
}
Result:
./overflow_example AAAAAAAAAAAAAAAA1
[BEFORE] buffer_two is at 0xbff2db0c and contains 'two'
[BEFORE] buffer_one is at 0xbff2db14 and contains 'one'
[BEFORE] value is at 0xbff2db1c and is 5 (0x00000005)
[STRCPY] copying 17 bytes into buffer_two
[AFTER] buffer_two is at 0xbff2db0c and contains 'AAAAAAAAAAAAAAAA1'
[AFTER] buffer_one is at 0xbff2db14 and contains 'AAAAAAAA1'
[AFTER] value is at 0xbff2db1c and is 49 (0x00000031)
The stack grows upward in memory. This means we overwrite the contents of buffer_one. But I don't understand why the value of 'value' ends up the way it does.
Answer (score: 0)
In your exploit experiment you seem to have forgotten the order of the buffers and the variable. Your output (and the variable declarations in the code) clearly show:
(The size of value is a guess, but irrelevant; assume its LSB is at the lowest byte address.)
When buffer_two overflows by 9 bytes, it completely fills buffer_one, and the first byte of value becomes '1' == 49 while the second byte of value becomes 0.
To repeat, strictly speaking all of this is UB, so these are wild guesses. But this is the normal exploitation environment, as you are probably aware.
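To make the answer's byte-level explanation checkable without relying on UB, here is an added example (not code from the question or the answer) that models the frame as a flat byte array using the offsets taken from the addresses in the question's output: buffer_two at +0, buffer_one at +8, value at +16. The frame size of 20 bytes, the little-endian decoding of value, the clamp in unchecked_copy and the bounded_copy fix are all assumptions of this model. It shows that the 18-byte copy (16 'A's, '1', NUL) lands '1' (0x31) in the lowest byte of value and the NUL in the next one, why printf("%s", buffer_one) reads on into value and prints 'AAAAAAAA1', and that a length check before the copy leaves value untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets derived from the question's output (0x..0c, 0x..14, 0x..1c).
 * Little-endian layout is assumed, as in the answer: LSB of value at the
 * lowest address. FRAME_SIZE and BUFFER_SIZE are this model's assumptions. */
enum { OFF_BUFFER_TWO = 0, OFF_BUFFER_ONE = 8, OFF_VALUE = 16, FRAME_SIZE = 20 };
enum { BUFFER_SIZE = 8 };

typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

/* Same initial state as the program: "two", "one", value = 5. */
static void frame_init(frame_t *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + OFF_BUFFER_TWO, "two", 4);
    memcpy(f->bytes + OFF_BUFFER_ONE, "one", 4);
    f->bytes[OFF_VALUE] = 5;                 /* 0x00000005, LSB first */
}

/* Decode value from its four bytes, LSB first, independent of host order. */
static uint32_t frame_value(const frame_t *f) {
    const unsigned char *p = f->bytes + OFF_VALUE;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mirrors strcpy(buffer_two, argv[1]): strlen+1 bytes, ignoring the 8-byte
 * buffer. Clamped to the frame so the model stays in bounds; the real
 * program has no such clamp. */
static size_t unchecked_copy(frame_t *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes + OFF_BUFFER_TWO, src, n);
    return n;
}

/* The fix: refuse input that does not fit together with its terminator. */
static int bounded_copy(frame_t *f, const char *src) {
    size_t n = strlen(src);
    if (n >= BUFFER_SIZE) return -1;
    memcpy(f->bytes + OFF_BUFFER_TWO, src, n + 1);
    return 0;
}

/* value after the unbounded copy of input into buffer_two. */
static uint32_t value_after_unchecked(const char *input) {
    frame_t f; frame_init(&f); unchecked_copy(&f, input); return frame_value(&f);
}

/* What printf("%s", buffer_one) shows afterwards: the string runs past
 * buffer_one until the NUL that the copy placed inside value. */
static const char *buffer_one_after_unchecked(const char *input) {
    static frame_t f; frame_init(&f); unchecked_copy(&f, input);
    return (const char *)f.bytes + OFF_BUFFER_ONE;
}

/* Return code of the bounded copy (-1 = rejected) and value afterwards. */
static int bounded_accepts(const char *input) {
    frame_t f; frame_init(&f); return bounded_copy(&f, input);
}
static uint32_t value_after_bounded(const char *input) {
    frame_t f; frame_init(&f); bounded_copy(&f, input); return frame_value(&f);
}

int main(void) {
    /* Constructed input: the question's argument, 16 'A's then '1' (17 chars). */
    const char *input = "AAAAAAAA" "AAAAAAAA" "1";
    printf("unchecked: value = %u, buffer_one = '%s'\n",
           value_after_unchecked(input), buffer_one_after_unchecked(input));
    printf("bounded:   rc = %d, value = %u\n",
           bounded_accepts(input), value_after_bounded(input));
    return 0;
}
```

The 18 copied bytes cover buffer_two (0..7), buffer_one (8..15) and the first two bytes of value (16: '1' = 0x31, 17: NUL), so value decodes as 0x00000031 = 49, exactly the answer's account; the bounded variant returns -1 for the same input and value stays 5.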