memcpy的溢出边界漏洞? (砸堆栈) [英] memcpy overflow boundary exploit? (smashing the stack)
问题描述
我想弄清楚,如果这可以在某种程度上被溢出:
I'm trying to figure out if this could somehow be overflowed:
void print_address(char *p)
{
arp_ hw;
int i;
hw.length = (size) *(p + _OFFSET1); //189 + 4 = 193
memcpy(hw.addr, packet + _OFFSET2, hw.length);
return;
}
,其中包从一个txt文件读取输入?
where packet is an input read from a .txt file?
推荐答案
hwaddr.len 是它有一个无符号的字符范围从0到255所以攻击者可以发送给您该声明长度为255由于 hwaddr.addr A包被声明为128字节的缓冲区,攻击者就可以提供127字节的有效载荷。是否足够呢?
hwaddr.len is an unsigned char which has range 0 to 255. So an attacker could send you a packet which declares length 255. Since hwaddr.addr is declared as a 128-byte buffer, the attacker can then deliver a payload of 127 bytes. Is that enough?
通常x86的调用约定是推动的返回地址,推参数,然后纵身跳下,此时被叫方将在声明的顺序分配每个变量。所以,从一开始计数 HWADDR , hwaddr.len 将堆栈指针上述128个字节,包将高于129字节,返回地址将 129 +的sizeof(字符*),这是最多137个字节即使是在64位的系统。所以,是的,攻击者可以覆盖你的返回地址,另外提供118个字节的外壳code的。
The usual x86 calling convention is to push the return address, push arguments, and then jump, at which point the callee will allocate each variable in the order declared. So, counting from the start of hwaddr, hwaddr.len will be 128 bytes above the stack pointer, packet will be 129 bytes above, and the return address will be 129 + sizeof(char *), which is at most 137 bytes even on a 64-bit system. So, yes, the attacker can overwrite your return address and deliver 118 bytes of shell code in addition.
修改我只是想通了OP的混乱。当您连接code长度为 unsigned char型,这样做的不可以意味着你使用ASCII重新present的长度。也就是说,你不看它这个字节,调用的atoi(),并获得单数字从0到9。你只需要使用八位像一个非常狭窄的 INT 键入,每一位再presents一个二进制数字。
Edit I just figured out the OP's confusion. When you encode the length as an unsigned char, this does not mean you use ASCII to represent the length. That is, you do not read this byte, call atoi() on it, and get a single-digit number ranging from 0 to 9. You just use the eight bits like a really narrow int type, where each bit represents a binary digit.
这篇关于memcpy的溢出边界漏洞? (砸堆栈)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
