且构网 - sharing the things programmers run into in development

Format string vulnerability question

Updated: 2023-09-11 21:53:58



I'm trying to understand the format string vulnerability. The source is from
Erickson's HACKING: The Art of Exploitation.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]){
    char text[1024];
    static int testVal = -72;

    if(argc < 2){
        printf("Usage: %s <text>\n", argv[0]);
        exit(0);
    }
    strcpy(text, argv[1]);   /* unbounded copy of argv[1] into text */

    printf("Right way: \n");
    //right way to print: user data is an argument, not the format
    printf("%s", text);
    printf("\nWrong way:\n");
    //wrong way to print: user data is interpreted as the format string
    printf(text);

    printf("\n");

    //debug
    printf("\n[*] testVal @ 0x%08x = %d (0x%08x)hex \n", &testVal, testVal,
           testVal);

    exit(0);
}

I'm trying to overwrite testVal:
./fmt_vuln `printf "\x20\x97\x04\x08"`%x.%x.%x%n
Right way:
%x.%x.%x%n
Wrong way:
bfbfe748.b7ff3de7.b80016a4
[*] testVal @ 0x08049720 = -72 (0xffffffb8)hex
Does somebody know why it didn't work?
Thanks for answers.
--
TP

tom wrote:
I'm trying to understand the format string vulnerability. The source is from
Erickson's HACKING: The Art of Exploitation.
[... much undefined behavior snipped ...]
Does somebody know why it didn't work?

Because undefined behavior is "undefined." The C language
makes no guarantees at all about what your code will do, so it
is silly to expect an explanation of its behavior in terms of C.
The behavior may make sense in terms of a specific implementation
of C, but (1) you didn't reveal what implementation you used and
(2) even if you had, nobody would care much.

If this Erickson states that your broken program "will"
behave in thus-and-such a way, he's wrong.

--
Eric Sosman
es*****@acm-dot-org.invalid


tom wrote:
I'm trying to understand the format string vulnerability. The source is from
Erickson's HACKING: The Art of Exploitation.
#include <stdlib.h>

Don't forget to include <stdio.h> and <string.h>.

int main(int argc, char *argv[]){
    char text[1024];
    static int testVal = -72;

    if(argc < 2){
        printf("Usage: %s <text>\n", argv[0]);
        exit(0);
    }
    strcpy(text, argv[1]);

If you're looking to cause problems, why not just overflow the buffer
here? If you already tried that earlier, and figured out how that
works, you should really fix this part of the code now.

    printf("Right way: \n");
    //right way to print
    printf("%s", text);
    printf("\nWrong way:\n");
    //wrong way to print
    printf(text);

    printf("\n");

    //debug
    printf("\n[*] testVal @ 0x%08x = %d (0x%08x)hex \n", &testVal, testVal,
           testVal);

testVal is never modified after initialisation, so it makes sense for
some compilers to just load a constant here, rather than re-reading
the variable.

    exit(0);
}

I'm trying to overwrite testVal:
./fmt_vuln `printf "\x20\x97\x04\x08"`%x.%x.%x%n

As far as standard C is concerned, the behaviour is undefined.
Different implementations will behave differently. Even on a specific
system, the exact behaviour will likely depend on your compiler's
optimisation level and other compiler options. For example, some
systems provide built-in protection against exactly these sorts of
attacks.
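
The following is an added example, not code from the thread or from Erickson's book. It shows in well-defined C what the payload "%x.%x.%x%n" in the post is trying to do, and what the "right way" call prevents. The functions n_stores_byte_count, overwrite_via_n, print_user_text and has_format_directive are illustrative names chosen here; the hex values reused from the post's output are only sample arguments. printf(text) makes "%n" take its pointer from whatever lies on the stack (the undefined behaviour the replies describe); here the pointer is passed as a real argument, so the mechanism can be observed and checked regardless of compiler or stack layout.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread). "%n" stores the number of bytes
 * emitted so far into the int that the matching argument points to. The
 * attacker chooses that number with field widths; the exploit additionally
 * relies on printf(text) fetching the pointer from the stack, which is
 * undefined behaviour and is replaced here by an explicit argument. */

/* Mirror of the post's "%x.%x.%x%n" with explicit arguments. Returns the
 * value "%n" stored. width pads each field ("%*x"), so the stored value can
 * be raised to whatever the output buffer allows. */
static int n_stores_byte_count(unsigned a, unsigned b, unsigned c, int width)
{
    char out[512];
    int stored = -1;
    snprintf(out, sizeof out, "%*x.%*x.%*x%n",
             width, a, width, b, width, c, &stored);
    return stored;
}

/* The overwrite the post aims at, done through a legitimate pointer:
 * after the call *target holds the byte count, whatever it held before. */
static int overwrite_via_n(int *target, int width)
{
    char out[512];
    snprintf(out, sizeof out, "%*x%n", width, 0u, target);
    return *target;
}

/* Start from the post's value -72 and let "%n" replace it; returns the new
 * value so the effect can be checked without global state. */
static int overwrite_demo(int width)
{
    int testVal = -72;
    overwrite_via_n(&testVal, width);
    return testVal;
}

/* The "right way" from the post: user data is an argument, never the
 * format, so "%x" and "%n" inside text are copied literally. */
static int print_user_text(char *out, size_t outsz, const char *text)
{
    return snprintf(out, outsz, "%s", text);
}

/* 1 if print_user_text reproduces text byte for byte (no directive was
 * interpreted), 0 otherwise. */
static int literal_roundtrip(const char *text)
{
    char out[256];
    print_user_text(out, sizeof out, text);
    return strcmp(out, text) == 0;
}

/* Input-side check for call sites that cannot be fixed right away: does the
 * untrusted string contain a conversion directive? A lone '%' starts one;
 * "%%" is just a literal percent sign. */
static int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char out[64];

    printf("%%n after three %%8x fields stored %d\n",
           n_stores_byte_count(0xbfbfe748u, 0xb7ff3de7u, 0xb80016a4u, 8));
    printf("testVal -72 after \"%%72x%%n\": %d\n", overwrite_demo(72));
    print_user_text(out, sizeof out, "%x.%x.%x%n");
    printf("printed literally: %s (directive present: %d)\n",
           out, has_format_directive("%x.%x.%x%n"));
    return 0;
}
```

Two practical checks follow from this. On gcc and clang, `-Wall -Wformat -Wformat-security` warns on `printf(text)` (a non-literal format with no arguments), which is how the "wrong way" line is usually caught before it ships. And the "built-in protection" the reply mentions exists in glibc: with `-D_FORTIFY_SOURCE=2` the library aborts when "%n" appears in a format string that lives in writable memory, which is exactly the case when the format is a copy of argv[1]. Neither of those changes the fact that the only correct fix is `printf("%s", text)`.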


Eric Sosman wrote:
tom wrote:
>I'm trying to understand the format string vulnerability. The source is from
Erickson's HACKING: The Art of Exploitation.
[... much undefined behavior snipped ...]
Does somebody know why it didn't work?


Because undefined behavior is "undefined." The C language
makes no guarantees at all about what your code will do, so it
is silly to expect an explanation of its behavior in terms of C.
The behavior may make sense in terms of a specific implementation
of C, but (1) you didn't reveal what implementation you used and
(2) even if you had, nobody would care much.