c - 尝试在 ubuntu 上使用 c 学习漏洞利用

Question

我正在尝试学习剥削我从缓冲区溢出开始这是我的代码:

#include<stdio.h>
#include<string.h>

int main (int argc,char *argv[])
{
    int value=5;
    char buffer_one[8],buffer_two[8];


    strcpy(buffer_one,"one");
    strcpy(buffer_two,"two");

    printf("[+] befor 2 is at %p and have \'%s\'\n",buffer_two,buffer_two);
    printf("[+] befor 1 is at %p and have \'%s\'\n",buffer_one,buffer_one);
    printf("[+] befor value at %p and have %d (0x%08x)\n",&value,value,value);

    printf("\nstrcpy copying %d bytes into buffer_two\n\n",(int)strlen(argv[1]));
    strcpy(buffer_two, argv[1]);

    printf("[+] after 2 is at %p and have \'%s\'\n",buffer_two,buffer_two);
    printf("[+] after 1 is at %p and have \'%s\'\n",buffer_one,buffer_one);
    printf("[+] after value at %p and have %d (0x%08x)\n",&value,value,value);  

    return 0;
}

我用命令编译它:

gcc -o overflow overflow.c

现在我的问题开始了。

而不是将所有变量放入正确的内存位置，(第一个写入将位于最高内存位置，最后一个将位于最低位置，当我用垃圾填充最后一个变量时，它将覆盖所有变量)他们的顺序很奇怪，第一个插入的是 lowes

[+] befor 2 is at 0x7fffdb76e5f0 and have 'two'
[+] befor 1 is at 0x7fffdb76e5e0 and have 'one'
[+] befor value at 0x7fffdb76e5dc and have 5 (0x00000005)

strcpy copying 8 bytes into buffer_two

[+] after 2 is at 0x7fffdb76e5f0 and have '01234567'
[+] after 1 is at 0x7fffdb76e5e0 and have 'one'
[+] after value at 0x7fffdb76e5dc and have 5 (0x00000005)

Answer 1

这里有两件事要提一下。

1. C 标准未指定变量(在堆栈中)的分配顺序。根据不同的优化级别，同一个编译器可能会重新排序变量的分配(从而改变地址)。

2. 访问已分配的内存是 undefined behaviour 。段错误(崩溃)只是 UB 众多副作用中的一个。