C 为什么这是返回指针的偏移量&引用;“砸烂书堆”;
我正试图像前面描述的那样进行缓冲区溢出,但我无法找到返回指针的偏移量,直到我强制它,我发现它是21。在此之后,我得到了以下内存转储:C 为什么这是返回指针的偏移量&引用;“砸烂书堆”;,c,gdb,disassembly,buffer-overflow,C,Gdb,Disassembly,Buffer Overflow,我正试图像前面描述的那样进行缓冲区溢出,但我无法找到返回指针的偏移量,直到我强制它,我发现它是21。在此之后,我得到了以下内存转储: (gdb) r 21 The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/sergiuser/test 21 Breakpoint 1, function (a=1, b=2, c=
(gdb) r 21
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/sergiuser/test 21
Breakpoint 1, function (a=1, b=2, c=21) at test.c:8
8 ret = buffer1 + c;
(gdb) print &buffer1
$3 = (char (*)[5]) 0x7fffffffde63
(gdb) x/32xw 0x7fffffffde63
0x7fffffffde63: 0x00000000 0xe0585400 0x007ffff7 0xffdea000
0x7fffffffde73: 0x007fffff 0x5551bb00 0x00555555 0xffdf9800
0x7fffffffde83: 0x007fffff 0x55505000 0x00000255 0xffdf9000
0x7fffffffde93: 0x007fffff 0x00001500 0x00000000 0x5551e000
0x7fffffffdea3: 0x00555555 0xdef15200 0x007ffff7 0xffdf9800
0x7fffffffdeb3: 0x007fffff 0xdeef7300 0x000002f7 0x55517b00
0x7fffffffdec3: 0x00555555 0x00000000 0x00000800 0x00000000
0x7fffffffded3: 0x00000000 0xf27a4500 0x3360fb15 0x55505067
(gdb) bt
#0 function (a=1, b=2, c=21) at test.c:8
#1 0x00005555555551bb in main (argc=2, argv=0x7fffffffdf98) at test.c:17
(gdb) c
Continuing.
0
[Inferior 1 (process 344541) exited with code 02]
(gdb)
我不明白这个偏移为什么起作用,因为我在内存中找不到返回地址
下面是我的程序中修改过的代码,唯一的区别是我使用了一个输入参数作为偏移量:
#include "stdio.h"
#include <stdlib.h>
void function(int a, int b, int c) {
char buffer1[5];
char buffer2[10];
char *ret;
ret = buffer1 + c;
(*ret) += 5;
}
void main(int argc, char** argv) {
int x = 0;
int c = atoi(argv[1]);
function(1, 2, c);
x += 1000 ;
printf("%d\n", x);
}
#包括“stdio.h”
#包括
虚函数(inta,intb,intc){
字符缓冲区1[5];
字符缓冲区2[10];
char*ret;
ret=1+c;
(*ret)+=5;
}
void main(整型argc,字符**argv){
int x=0;
int c=atoi(argv[1]);
功能(1,2,c);
x+=1000;
printf(“%d\n”,x);
}
在这行的中间,我们找到了您要查找的地址0x000055551bb
0x7fffffffde73: 0x007fffff 0x5551bb00 0x00555555 0xffdf9800
在0x7fffffffde63
之后正好是21个字节
您可能需要交换一些字节以尊重尾数和堆栈对齐。谢谢,这就解决了问题。由于x86的endianness,我没有看到返回地址。要添加偏移量为21的原因:
char
数组为5字节,堆栈指针为8字节,返回指针为8字节,字大小为64位(8字节),因为它是64位机器。