Updated: 2023-09-11 23:03:16
Actually, the vulnerability lies in the fact that you can store a character at any offset in the buffer allocated with alloca, but the test is done on length rather than size. Passing arguments of 65535 and a1 invokes undefined behavior: size has the value 0 because of arithmetic wraparound if unsigned short has 16 bits.
You can try passing a first argument of 65535 and subsequent arguments with increasing offsets; that will poke values beyond the end of buffer, possibly overwriting the return address of main and causing a crash:

myprog 65535 a3 a7 a15 a19 a23 a27 a31 a35 a39 a43 a47 a51 a55 a59 a63 ...
Depending on the actual local variable layout, the required offset may be larger than 17, but should be smaller than 80.
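A constructed C model of the two points made in this answer, the 16-bit wraparound and the bounds test done on length instead of size; this is added illustration, not the asker's program, and the derivation size = length + 1 is an assumption because the original code is not shown here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (assumption): size is derived from length as length + 1.
 * With a 16-bit unsigned short, length == 65535 makes size wrap to 0. */
unsigned short size_from_length(unsigned short length)
{
    unsigned short size = length + 1;   /* 65535 + 1 becomes 0 after wraparound */
    return size;
}

/* The flawed test described in the answer: the offset is compared with
 * length, not with the size actually handed to alloca, so an offset of 17
 * is accepted even though the buffer holds 0 bytes. */
bool offset_accepted_by_length(unsigned short length, size_t offset)
{
    return offset < length;
}

/* Hardened test: compute the size in size_t (which cannot wrap here), reject
 * the input when the 16-bit size disagrees with it, and compare the offset
 * with the real allocation size. */
bool offset_accepted_by_size(unsigned short length, size_t offset)
{
    size_t wide_size = (size_t)length + 1;
    if (wide_size != size_from_length(length))   /* wraparound detected */
        return false;
    return offset < wide_size;
}

int main(void)
{
    unsigned short length = 65535;
    printf("size_from_length(%hu) = %hu\n", length, size_from_length(length));
    printf("offset 17 accepted by length test: %d\n",
           offset_accepted_by_length(length, 17));
    printf("offset 17 accepted by size test:   %d\n",
           offset_accepted_by_size(length, 17));
    return 0;
}
```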