Overflowed buffer data does not get stored contiguously


Question

I have the following code to simulate buffer overflow.

Edit: I missed an important step in the code below. As the discussion goes on, the variable c is the one that gets modified.

void function (int fd, int e)
{
        int i = 0;
        int n;
        char c;
        char s[44];
        /* ... */
        c = getchar(fd);   /* reads one byte from fd (the standard getchar() takes no argument, so this is presumably a wrapper) */
        /* ... */
        //Some check on c
        s[i++] = c;        /* no check of i against sizeof s: once i reaches 44 this writes past the end of s */
        /* ... */
        //Some more local variables and some operations on them.
}

I am trying to overflow the buffer by sending more input (> 4 bytes) in order to see how the local variables, EBP, RET and the arguments get modified.

However, when I debug in GDB to see the stack frame, this buffer gets overflowed but the overflowed data doesn't seem to be allocated to contiguous memory locations.

Buffer base address: 0xbffffdb3
Address of c: 0xbffffddf
Address of i: 0xbffffde0

As you can see, my input string contains plenty of NOPs (\x90) then plenty of A's (\x41). In the GDB stack frame you can see that the first 4 bytes of the buffer get filled contiguously as expected, then some part of the excess data also gets filled contiguously (from address 0xbffffddc up to 0xbffffdfc).

But this is not the complete data. Then there is some other data in between, and again my input string can be seen from address 0xbffffe1c to 0xbffffe2c.

So although the buffer gets overflowed, the overflowed data is not stored in contiguous locations. How can I make the overflow data get stored at contiguous locations?

PS: On my Ubuntu machine, 32-bit system,

Recommended answer

Having declared the variables

    int i = 0;
    int n;
    char c;
    char s[4];

assuming the stack overflows "up" past c, you are relying upon an assumption which may not be true, i.e., that the variables are immediately adjacent on the stack. This may not be true because there may be a "stack guard" or "stack canary" between variables.

To read more about this, look for "stack guard" and "stack canaries":
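An added example (not code from the question or the answer) that complements the answer: it shows the bounds check the question's `s[i++] = c` loop is missing, and prints where the compiler actually places the same four locals so the gaps and reordering the answer describes can be observed under different compilers and flags. The 44-byte size comes from the question; the function names and the all-'A' input are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ 44   /* same size as s[44] in the question */

/* Bounded version of the question's `s[i++] = c` loop: stores at most
 * BUFSZ-1 bytes and always NUL-terminates. Returns bytes stored;
 * *truncated is set when the input did not fit. */
size_t bounded_fill(char *s, const char *input, size_t len, int *truncated)
{
    size_t i = 0;
    *truncated = 0;
    for (size_t k = 0; k < len; k++) {
        if (i >= BUFSZ - 1) { *truncated = 1; break; }  /* the missing check */
        s[i++] = input[k];
    }
    s[i] = '\0';
    return i;
}

/* Helper: feed `len` bytes of 'A' (constructed input) through bounded_fill. */
size_t demo_fill(size_t len, int *truncated)
{
    char s[BUFSZ], input[256];
    if (len > sizeof input) len = sizeof input;
    memset(input, 'A', len);
    return bounded_fill(s, input, len, truncated);
}

/* Print where this compiler placed the locals of a frame shaped like the question's.
 * The distances are compiler-, flag- and ABI-dependent; with -fstack-protector the
 * array is usually moved above the scalars, next to the canary. */
void layout_report(void)
{
    int i = 0, n = 0;
    char c = 0, s[BUFSZ] = {0};
    printf("s=%p c=%p i=%p n=%p\n", (void *)s, (void *)&c, (void *)&i, (void *)&n);
    printf("c - s = %lld, i - s = %lld (bytes)\n",
           (long long)(uintptr_t)&c - (long long)(uintptr_t)s,
           (long long)(uintptr_t)&i - (long long)(uintptr_t)s);
}

int main(void)
{
    int t;
    size_t stored = demo_fill(60, &t);
    printf("stored %zu bytes, truncated=%d\n", stored, t);
    layout_report();
    return 0;
}
```

Build it once with and once without -fstack-protector (and with different -O levels) and compare the printed distances: that difference is the "not adjacent" effect the answer refers to.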
