Overflowed buffer data does not get stored contiguously


Question

I have the following code to simulate buffer overflow.

I missed an important step in the code below: as the discussion notes, the variable c is being modified.

void function (int fd, int e)
{
        int i = 0;
        int n;
        char c;
        char s[44];
        .
        .
        c = getchar(fd);
        .
        //Some check on c
        s[i++] = c;
        .
        //Some more local variables and some operations on them.
}

I am trying to overflow the buffer by sending more input > 4 bytes in order to see how the local variables and EBP and RET and arguments get modified.

However when I debug in GDB to see the stack frame, this buffer gets overflowed and the overflowed data doesn't seem to be allocated contiguous memory locations.

Buffer base address: 0xbffffdb3
Address of c: 0xbffffddf
Address of i: 0xbffffde0

As you can see, my input string contains plenty of NOPs (x90) followed by plenty of A's (x41). In the GDB stack frame you can see that the first 4 bytes of the buffer get filled contiguously as expected, and then some part of the excess data also gets filled contiguously (from address 0xbffffddc onwards till 0xbffffdfc).

But this is not the complete data. Then there is some other data in between and again my input string can be seen from address 0xbffffe1c to 0xbffffe2c.

So although the buffer gets overflowed, the overflowed data is not stored in contiguous locations. How can I make the overflow data get stored at contiguous locations?

PS: On my Ubuntu machine, 32-bit system.

Answer

When you declare your variables

    int i = 0;
    int n;
    char c;
    char s[4];

assuming the stack overflows "up" past c, you are relying upon an assumption which may not be true, i.e., that the variables are immediately adjacent on the stack. This may not be true because there may be a "stack guard" or "stack canary" between variables.

To read more about this, look for "stack guard" and "stack canaries":
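As an added example (it is not part of the question or of the answer above), the C program below declares the same four locals as the question's function, in the same declaration order, and measures where i, n and c actually land relative to s[0] under whatever compiler and flags you build it with. It also applies a small overlap check to the addresses the question reports (s at 0xbffffdb3, c at 0xbffffddf, i at 0xbffffde0), used here as constructed inputs: c sits 44 bytes past s[0] and i sits 45 bytes past it, so a 48-byte write into s reaches both. The names BUF_LEN, clobbered, probe_layout and report are this example's own, not anything from the question.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 44   /* same size as the question's char s[44] */

/* Byte offsets of the other locals relative to s[0].  A negative offset
 * means the variable sits below the buffer, where a forward overflow
 * (writing past s[BUF_LEN - 1]) can never reach it. */
struct layout {
    intptr_t off_i;
    intptr_t off_n;
    intptr_t off_c;
};

/* Does a write of write_len bytes starting at s[0] touch a var_size-byte
 * variable whose first byte is off bytes from s[0]?  Both ranges are
 * half-open: the write covers [0, write_len), the variable covers
 * [off, off + var_size).  They intersect iff neither ends before the
 * other starts. */
int clobbered(intptr_t off, size_t var_size, size_t write_len)
{
    intptr_t var_end = off + (intptr_t)var_size;
    return off < (intptr_t)write_len && var_end > 0;
}

/* The question's four locals, declared in the question's order, placed by
 * the compiler that built this file.  volatile keeps i, n and c in memory
 * instead of registers so their addresses are meaningful. */
struct layout probe_layout(void)
{
    volatile int i = 0;
    volatile int n = 0;
    volatile char c = 'x';
    char s[BUF_LEN];
    struct layout l;
    uintptr_t base;

    memset(s, 'A', sizeof s);          /* the buffer the overflow would start in */
    base = (uintptr_t)s;
    l.off_i = (intptr_t)((uintptr_t)&i - base);
    l.off_n = (intptr_t)((uintptr_t)&n - base);
    l.off_c = (intptr_t)((uintptr_t)&c - base);
    return l;
}

/* Print where each local landed and whether a write of write_len bytes
 * starting at s[0] would overwrite it. */
void report(const struct layout *l, size_t write_len)
{
    printf("  i at s[0]%+ld: %s\n", (long)l->off_i,
           clobbered(l->off_i, sizeof(int), write_len) ? "clobbered" : "untouched");
    printf("  n at s[0]%+ld: %s\n", (long)l->off_n,
           clobbered(l->off_n, sizeof(int), write_len) ? "clobbered" : "untouched");
    printf("  c at s[0]%+ld: %s\n", (long)l->off_c,
           clobbered(l->off_c, sizeof(char), write_len) ? "clobbered" : "untouched");
}

int main(void)
{
    struct layout here = probe_layout();

    printf("Layout chosen by this compiler, 48-byte write into s:\n");
    report(&here, 48);

    /* Offsets taken from the addresses in the question (constructed input):
     * c at 0xbffffddf - 0xbffffdb3 = +44, i at 0xbffffde0 - 0xbffffdb3 = +45. */
    printf("Layout reported in the question, 48-byte write into s:\n");
    printf("  c at s[0]+44: %s\n", clobbered(44, 1, 48) ? "clobbered" : "untouched");
    printf("  i at s[0]+45: %s\n", clobbered(45, 4, 48) ? "clobbered" : "untouched");
    return 0;
}
```

Build it twice, once with `-fno-stack-protector` and once with `-fstack-protector`, and compare the printed offsets. With the protector enabled, GCC moves character arrays above the scalar locals so that they sit next to the canary, which gives i, n and c negative offsets: a forward overflow from s then runs into the canary and the saved frame pointer and return address, never into the scalars. That reordering, rather than a guard placed between individual variables, is the usual reason an overflow "skips" the locals you expected it to hit.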
