Insecure Programming Demonstration: Format Strings
2006-04-02 20:26:48 Source: WEB开发网
/* Don't forget,    *
 * more is less,    *
 * here's a proof   */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argv, char **argc) {     /* argv/argc are swapped on purpose in the original */
    short int zero = 0;
    int *plen = (int *)malloc(sizeof(int));
    char buf[256];                    /* 256 bytes; the copy below is not bounded */
    // The next line is added by Core Security to ease exploitation.
    printf("%p\n", &zero);
    strcpy(buf, argc[1]);             /* no length check: an argument longer than 256 bytes overflows buf */
    printf("%s%hn\n", buf, plen);     /* %hn stores the count written so far through plen, as a short */
    while (zero);
}
There is nothing strange about this example. Here is what the printf() man page says:
n The number of characters written so far is stored into the
integer indicated by the int * (or variant) pointer argument. No
argument is converted.
h A following integer conversion corresponds to a short int or
unsigned short int argument, or a following n conversion corresponds
to a pointer to a short int argument.
(Translator's note: %n in a format string means that the length of the output so far is written into a variable; h means that the corresponding following argument is treated as a short int.)
If the attacker supplies an argument 260 bytes long, its last four bytes overwrite the pointer plen. When printf() then executes, it writes a count into the memory that plen points to (a value the attacker controls). However, because of the h in the format string, only two bytes can be written to that address (a short write, due to the h conversion). If the supplied argument is longer than 260 bytes, zero is overwritten as well and the program in this example enters an infinite loop.
Layout of the argument:

 |_________________________|
 |     shellcode addr      |\
 |     shellcode addr      | \
 |          ...            |  65276 bytes
 |     shellcode addr      | /
 |     shellcode addr      |/
 |-------------------------|\
 |      zero address       | 4 bytes
 |-------------------------|/
 |        AAAAAAAA         |\
 |          ...            | 256 bytes
 |        AAAAAAAA         |/
 |-------------------------|
 |                         |
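As an added example (not code from the original article or from Core Security), the following C program measures what %hn actually stores, including its 16-bit truncation, and replaces the unchecked strcpy with a bounded copy that rejects an argument that would not fit in buf. make_run, hn_count, hn_count_of_run, bounded_copy and copy_run_into_256 are hypothetical helpers, and their inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed test input: n copies of c, heap-allocated and NUL-terminated. */
char *make_run(char c, size_t n)
{
    char *run = malloc(n + 1);
    if (run) { memset(run, c, n); run[n] = '\0'; }
    return run;
}

/* %hn after "%s" has printed s: the count so far, truncated to 16 bits (short). */
int hn_count(const char *s)
{
    short written = 0;                      /* %hn target, as in the man page */
    size_t cap = strlen(s) + 1;
    char *scratch = malloc(cap);            /* snprintf keeps the demonstration silent */
    if (scratch == NULL) return -1;
    snprintf(scratch, cap, "%s%hn", s, &written);
    free(scratch);
    return (unsigned short)written;         /* the low 16 bits, never negative */
}

/* hn_count of a run of n copies of c (lets a caller probe the 16-bit wrap). */
int hn_count_of_run(char c, size_t n)
{
    char *run = make_run(c, n);
    int r = run ? hn_count(run) : -1;
    free(run);
    return r;
}

/* Hardened strcpy(buf, argc[1]): reject input that would not fit in dst. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz) return -1;              /* would overflow: refuse rather than truncate silently */
    memcpy(dst, src, n + 1);
    return 0;
}

/* bounded_copy of a run of n 'A's into a 256-byte buffer like the original's. */
int copy_run_into_256(size_t n)
{
    char buf[256], *run = make_run('A', n);
    int r = run ? bounded_copy(buf, sizeof buf, run) : -1;
    free(run);
    return r;
}
```

With the copy bounded, neither plen nor zero can be reached from argc[1], so the %hn write lands only where the program itself pointed it.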