Buffer overflow with strcpy() (tags: c, byte, buffer, buffer-overflow, strcpy) - Fatal编程技术网

Buffer overflow with strcpy()


I would like to know how many bytes I need to overflow in order to run shellcode.

#include <string.h>

int fun(char data[256]) {
    int i;
    char *tmp;          /* never initialized: points nowhere in particular */
    strcpy(tmp, data);  /* unbounded copy through the indeterminate pointer */
}

As is well known:

  • if the string *data is larger than *tmp, an overflow occurs

  • otherwise there will be no buffer overflow

Give a general method for the compiler. This is an exam for a master's degree in computer science. We have to explain the two cases:

  - for example, when *tmp[200], and

  - when *tmp[300], i.e. the case where *tmp is larger than *data (no overflow) and the case where *tmp is smaller than *data (overflow)

How can one know the number of bytes that are overflowed when the code executes?

      *tmp is uninitialized, so you would typically get a segmentation fault.

      A better example would be to change char *tmp to something like char tmp[64] and copy the contents of data (more than 64 bytes in this case) into tmp. To answer your question from above, you would need to start a debugger like gdb after changing the code and see how much you can write before overwriting RIP. On my system it is 78 bytes.

      marshall@marshall-debian-testbed:~$ cat bof.c
      int fun (char data[256]) {
      int i;
      char tmp[64];
      strcpy(tmp,data);
      }
      
      int main (int argc, char *argv[]) {
      fun(argv[1]);
      return(0);
      }
      marshall@marshall-debian-testbed:~$ gcc bof.c -o bof
      bof.c: In function ‘fun’:
      bof.c:4:1: warning: implicit declaration of function ‘strcpy’ [-Wimplicit-function-declaration]
       strcpy(tmp,data);
       ^~~~~~
      bof.c:4:1: warning: incompatible implicit declaration of built-in function ‘strcpy’
      bof.c:4:1: note: include ‘<string.h>’ or provide a declaration of ‘strcpy’
      marshall@marshall-debian-testbed:~$ ./bof AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      Segmentation fault
      marshall@marshall-debian-testbed:~$ gdb ./bof
      GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
      Copyright (C) 2016 Free Software Foundation, Inc.
      License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
      and "show warranty" for details.
      This GDB was configured as "x86_64-linux-gnu".
      Type "show configuration" for configuration details.
      For bug reporting instructions, please see:
      <http://www.gnu.org/software/gdb/bugs/>.
      Find the GDB manual and other documentation resources online at:
      <http://www.gnu.org/software/gdb/documentation/>.
      For help, type "help".
      Type "apropos word" to search for commands related to "word"...
      Reading symbols from ./bof...(no debugging symbols found)...done.
      (gdb) disas main
      Dump of assembler code for function main:
         0x00000000000006d2 <+0>:     push   %rbp
         0x00000000000006d3 <+1>:     mov    %rsp,%rbp
         0x00000000000006d6 <+4>:     sub    $0x10,%rsp
         0x00000000000006da <+8>:     mov    %edi,-0x4(%rbp)
         0x00000000000006dd <+11>:    mov    %rsi,-0x10(%rbp)
         0x00000000000006e1 <+15>:    mov    -0x10(%rbp),%rax
         0x00000000000006e5 <+19>:    add    $0x8,%rax
         0x00000000000006e9 <+23>:    mov    (%rax),%rax
         0x00000000000006ec <+26>:    mov    %rax,%rdi
         0x00000000000006ef <+29>:    callq  0x6b0 <fun>
         0x00000000000006f4 <+34>:    mov    $0x0,%eax
         0x00000000000006f9 <+39>:    leaveq
         0x00000000000006fa <+40>:    retq
      End of assembler dump.
      (gdb) disas fun
      Dump of assembler code for function fun:
         0x00000000000006b0 <+0>:     push   %rbp
         0x00000000000006b1 <+1>:     mov    %rsp,%rbp
         0x00000000000006b4 <+4>:     sub    $0x50,%rsp
         0x00000000000006b8 <+8>:     mov    %rdi,-0x48(%rbp)
         0x00000000000006bc <+12>:    mov    -0x48(%rbp),%rdx
         0x00000000000006c0 <+16>:    lea    -0x40(%rbp),%rax
         0x00000000000006c4 <+20>:    mov    %rdx,%rsi
         0x00000000000006c7 <+23>:    mov    %rax,%rdi
         0x00000000000006ca <+26>:    callq  0x560 <strcpy@plt>
         0x00000000000006cf <+31>:    nop
         0x00000000000006d0 <+32>:    leaveq
         0x00000000000006d1 <+33>:    retq
      End of assembler dump.
      (gdb) r `perl -e 'print "A"x78;'`
      Starting program: /home/marshall/bof `perl -e 'print "A"x78;'`
      
      Program received signal SIGSEGV, Segmentation fault.
      0x0000414141414141 in ?? ()
      (gdb) info registers
      rax            0x7fffffffdce0   140737488346336
      rbx            0x0      0
      rcx            0x4141414141414141       4702111234474983745
      rdx            0x414141 4276545
      rsi            0x7fffffffe140   140737488347456
      rdi            0x7fffffffdd23   140737488346403
      rbp            0x4141414141414141       0x4141414141414141
      rsp            0x7fffffffdd30   0x7fffffffdd30
      r8             0x555555554770   93824992233328
      r9             0x7ffff7de99e0   140737351948768
      r10            0x5b     91
      r11            0x7ffff7b9ab28   140737349528360
      r12            0x555555554580   93824992232832
      r13            0x7fffffffde20   140737488346656
      r14            0x0      0
      r15            0x0      0
      rip            0x414141414141   0x414141414141
      eflags         0x10202  [ IF RF ]
      cs             0x33     51
      ss             0x2b     43
      ds             0x0      0
      es             0x0      0
      fs             0x0      0
      gs             0x0      0
      (gdb)
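The following is an added example, not code from the question or from the answer above. It puts the answer's 64-byte version of fun next to a bounds-checked rewrite, and adds two helpers: one that feeds the checked version a run of 'A' bytes of a chosen length (the same shape of input as the perl one-liner in the session), and one that computes how many bytes an unchecked strcpy() of that length would write past tmp, which is how the register dump above can be read. The names fun_vulnerable, fun_checked, bytes_past_tmp, try_checked_copy and bounded_len are assumptions of this example; the layout figures in the comments (tmp at rbp-0x40, saved rbp, then the return address) come from the disassembly of fun shown in the session.

```c
#include <stdio.h>
#include <string.h>

#define TMP_SIZE 64   /* same buffer size as the answer's bof.c */

/* Length of `s` without scanning past `limit` bytes (a portable strnlen
 * substitute so the example also builds under strict C99). */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* The answer's vulnerable shape: strcpy() copies until the NUL of `data`
 * and knows nothing about sizeof(tmp). Shown only for contrast; the
 * example never calls it with oversized input. */
int fun_vulnerable(const char *data) {
    char tmp[TMP_SIZE];
    strcpy(tmp, data);          /* unbounded copy into a 64-byte buffer */
    return (int)strlen(tmp);
}

/* Hardened rewrite (hypothetical name): measure first, refuse input that
 * would not fit including its NUL, then copy exactly that many bytes.
 * Returns the number of bytes copied, or -1 when `data` was rejected. */
int fun_checked(const char *data) {
    char tmp[TMP_SIZE];
    size_t len = bounded_len(data, TMP_SIZE);
    if (len >= TMP_SIZE) {
        return -1;              /* reject instead of writing past tmp */
    }
    memcpy(tmp, data, len + 1); /* len + 1 includes the terminating NUL */
    return (int)len;
}

/* Bytes an unchecked strcpy() of n non-NUL bytes writes past the end of
 * tmp (the NUL is written too). In the session above tmp sits at
 * rbp-0x40, so for n = 78 this is 15: the 8 bytes of the saved rbp
 * (rbp = 0x4141414141414141 in the dump), then six 'A's and the NUL in the
 * saved return address (rip = 0x0000414141414141). Zero means the copy
 * stayed inside tmp. */
size_t bytes_past_tmp(size_t n) {
    size_t written = n + 1;
    return written > TMP_SIZE ? written - TMP_SIZE : 0;
}

/* Constructed input: n 'A' bytes, like perl -e 'print "A"xN', handed to
 * the checked version. Capped at 255 so the payload buffer itself is
 * always in bounds. */
int try_checked_copy(size_t n) {
    char payload[256];
    if (n > sizeof(payload) - 1) n = sizeof(payload) - 1;
    memset(payload, 'A', n);
    payload[n] = '\0';
    return fun_checked(payload);
}

int main(void) {
    printf("78 bytes: checked copy returns %d; unchecked strcpy would write %zu bytes past tmp\n",
           try_checked_copy(78), bytes_past_tmp(78));
    printf("63 bytes: checked copy returns %d; unchecked strcpy would write %zu bytes past tmp\n",
           try_checked_copy(63), bytes_past_tmp(63));
    return 0;
}
```

The checked version rejects rather than truncates: silently cutting the input at 63 bytes would hide the fact that a caller passed something the buffer was never sized for, which is usually the bug you want to see in a log. Compiling the original bof.c with -fstack-protector (the default on current Debian builds) would turn the 78-byte run into an abort with a "stack smashing detected" message instead of a jump to 0x414141414141, but that is a mitigation for the crash, not a fix for the unbounded copy.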
      
      
      This depends entirely on your compiler, its settings, the operating system and a few other factors. *tmp is uninitialized, so copying anything into it is undefined behaviour.