memcpy overflow boundary exploit? (smashing the stack)


Question


I'm trying to figure out if this could somehow be overflowed:

#include <string.h>

void print_address(char *p)
{
  arp_hw hw;   /* per the answer: a 128-byte addr buffer plus a one-byte length field */
  int i;

  /* one byte of the input is taken as the length; "size" and the _OFFSET macros come from the OP's own headers */
  hw.length = (size) *(p + _OFFSET1); //189 + 4 = 193
  /* the length is never compared with sizeof hw.addr before the copy */
  memcpy(hw.addr, packet + _OFFSET2, hw.length);

  return;
}


where packet is an input read from a .txt file?

Recommended answer


hwaddr.len is an unsigned char which has range 0 to 255. So an attacker could send you a packet which declares length 255. Since hwaddr.addr is declared as a 128-byte buffer, the attacker can then deliver a payload of 127 bytes. Is that enough?


The usual x86 calling convention is to push the return address, push arguments, and then jump, at which point the callee will allocate each variable in the order declared. So, counting from the start of hwaddr, hwaddr.len will be 128 bytes above the stack pointer, packet will be 129 bytes above, and the return address will be 129 + sizeof(char *), which is at most 137 bytes even on a 64-bit system. So, yes, the attacker can overwrite your return address and deliver 118 bytes of shell code in addition.


Edit I just figured out the OP's confusion. When you encode the length as an unsigned char, this does not mean you use ASCII to represent the length. That is, you do not read this byte, call atoi() on it, and get a single-digit number ranging from 0 to 9. You just use the eight bits like a really narrow int type, where each bit represents a binary digit.
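As an added example (not code from the question or the answer), here is the copy done with the checks the answer implies: the length byte is read as a raw binary value, compared against the 128-byte destination, and against the number of bytes actually received. The record layout (length byte first, then address bytes), the type and function names, and the constructed test records are assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Constructed example, not the question's or answer's code. Assumes one
 * binary length byte followed by the address bytes, and the 128-byte addr
 * buffer the answer describes. */
#define HW_ADDR_MAX 128
#define LEN_OFFSET  0
#define ADDR_OFFSET 1

typedef struct {
    unsigned char addr[HW_ADDR_MAX];   /* declared before len, as the answer lays it out */
    unsigned char len;
} hwaddr_t;

/* Hardened parser. The question's memcpy trusted the declared length; here it
 * is checked against the destination buffer and the bytes actually received.
 * Returns 0 on success, -1 on rejection. */
int parse_hwaddr(const unsigned char *packet, size_t packet_len, hwaddr_t *out)
{
    if (packet == NULL || out == NULL || packet_len < ADDR_OFFSET)
        return -1;
    /* The byte is a raw 8-bit integer: 0xFF means 255, not the digit '2'. */
    unsigned char declared = packet[LEN_OFFSET];
    if (declared > HW_ADDR_MAX)                      /* would overflow addr */
        return -1;
    if ((size_t)declared > packet_len - ADDR_OFFSET) /* would over-read input */
        return -1;
    memcpy(out->addr, packet + ADDR_OFFSET, declared);
    out->len = declared;
    return 0;
}

/* Builds a constructed record (length byte, then payload bytes) and parses it.
 * Returns -1 if rejected, -2 if the copy is wrong, else the accepted length. */
int parse_case(unsigned char declared, size_t payload)
{
    unsigned char rec[1 + 255];
    hwaddr_t hw;
    rec[LEN_OFFSET] = declared;
    for (size_t i = 0; i < payload && i < 255; i++)
        rec[ADDR_OFFSET + i] = (unsigned char)('A' + i % 26);
    if (parse_hwaddr(rec, ADDR_OFFSET + payload, &hw) != 0)
        return -1;
    if (hw.len == 0)
        return 0;
    return hw.addr[hw.len - 1] == (unsigned char)('A' + (hw.len - 1) % 26) ? hw.len : -2;
}
```

A record declaring 255 bytes, the case the answer describes, is rejected before any copy, as is a record whose declared length exceeds the data that was actually read from the file.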
