gcc 编译器是否总是将整数放在内存中的字符数组之前?
Are integers always placed before character array in memory by the gcc compiler?
我正在尝试使用 HTAOE 书中的 C 语言进行简单的缓冲区溢出。这是代码:
#include<stdio.h>
#include<string.h>
int main(int argc, char *argv[]){
int val0=10;
char buffer_two[8], buffer_one[8];
int val1=5;
strcpy(buffer_one, "one");
strcpy(buffer_two, "two");
printf("[BEFORE] buffer_two is at @%p contains \'%s\'\n", buffer_two, buffer_two);
printf("[BEFORE] buffer_one is at @%p contains \'%s\'\n", buffer_one, buffer_one);
printf("[BEFORE] val1 is @%p and contains \'%d\' [0x%08x]\n", &val1, val1, val1);
printf("[BEFORE] val0 is @%p and contains \'%d\' [0x%08x]\n", &val0, val0, val0);
printf("Copying the argv[1], which is %ld bytes, into buffer_two..\n", strlen(argv[1]));
strcpy(buffer_two, argv[1]);
printf("[AFTER] buffer_two is at @%p contains \'%s\'\n", buffer_two, buffer_two);
printf("[AFTER] val1 is @%p and contains \'%d\' [0x%08x]\n", &val1, val1, val1);
printf("[AFTER] val0 is @%p and contains \'%d\' [0x%08x]\n", &val0, val0, val0);
return 0;
}
正常编译后(没有额外的标志),我 运行 它(缓冲区溢出预期)使用
./overflow_example "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
其中 "AA....." 是第一个参数,A 的数量超过 16。正如预期的那样,溢出发生在 buffer_one 中。但我预计溢出也会发生在整数 val0 或 val1 中。失败。
我注意到整数放在堆栈中的字符数组之前,为什么?所以那里没有发生溢出。输出:
[BEFORE] buffer_two is at @0x7fffa43fa1a8 contains 'two'
[BEFORE] buffer_one is at @0x7fffa43fa1b0 contains 'one'
[BEFORE] val1 is @0x7fffa43fa1a4 and contains '5' [0x00000005]
[BEFORE] val0 is @0x7fffa43fa1a0 and contains '10' [0x0000000a]
Copying the argv[1], which is 45 bytes, into buffer_two..
[AFTER] buffer_two is at @0x7fffa43fa1a8 contains 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
[AFTER] buffer_one is at @0x7fffa43fa1b0 contains 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
[AFTER] val1 is @0x7fffa43fa1a4 and contains '5' [0x00000005]
[AFTER] val0 is @0x7fffa43fa1a0 and contains '10' [0x0000000a]
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)
我的问题是如何指示编译器不将整数放在字符数组之前,而是将它们放在堆栈中字符数组的后面,这样就可能发生溢出。我在期待不可能的事情吗?有可能这样做吗?或者它是微不足道的,比如用 gcc 命令提供一个标志?
请帮忙。
:)
PS : 运行ning of Ubuntu X86-64 机器
你要求帮助你以一种明智的方式调用未定义的行为,这通常会让你落选,因为 Stack Overflow 是为了编写好的软件,而不是可故意利用的软件。
也就是说,您可以尝试将相关变量放在一个结构中:
int main(int argc, char *argv[]){
struct {
int val0;
char buffer_two[8];
char buffer_one[8];
int val1;
} group = {
.val0 = 10,
.val1 = 5,
};
strcpy(group.buffer_one, "one");
strcpy(group.buffer_two, "two");
// ...
}
我正在尝试使用 HTAOE 书中的 C 语言进行简单的缓冲区溢出。这是代码:
#include<stdio.h>
#include<string.h>
int main(int argc, char *argv[]){
int val0=10;
char buffer_two[8], buffer_one[8];
int val1=5;
strcpy(buffer_one, "one");
strcpy(buffer_two, "two");
printf("[BEFORE] buffer_two is at @%p contains \'%s\'\n", buffer_two, buffer_two);
printf("[BEFORE] buffer_one is at @%p contains \'%s\'\n", buffer_one, buffer_one);
printf("[BEFORE] val1 is @%p and contains \'%d\' [0x%08x]\n", &val1, val1, val1);
printf("[BEFORE] val0 is @%p and contains \'%d\' [0x%08x]\n", &val0, val0, val0);
printf("Copying the argv[1], which is %ld bytes, into buffer_two..\n", strlen(argv[1]));
strcpy(buffer_two, argv[1]);
printf("[AFTER] buffer_two is at @%p contains \'%s\'\n", buffer_two, buffer_two);
printf("[AFTER] val1 is @%p and contains \'%d\' [0x%08x]\n", &val1, val1, val1);
printf("[AFTER] val0 is @%p and contains \'%d\' [0x%08x]\n", &val0, val0, val0);
return 0;
}
正常编译后(没有额外的标志),我 运行 它(缓冲区溢出预期)使用
./overflow_example "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
其中 "AA....." 是第一个参数,A 的数量超过 16。正如预期的那样,溢出发生在 buffer_one 中。但我预计溢出也会发生在整数 val0 或 val1 中。失败。
我注意到整数放在堆栈中的字符数组之前,为什么?所以那里没有发生溢出。输出:
[BEFORE] buffer_two is at @0x7fffa43fa1a8 contains 'two'
[BEFORE] buffer_one is at @0x7fffa43fa1b0 contains 'one'
[BEFORE] val1 is @0x7fffa43fa1a4 and contains '5' [0x00000005]
[BEFORE] val0 is @0x7fffa43fa1a0 and contains '10' [0x0000000a]
Copying the argv[1], which is 45 bytes, into buffer_two..
[AFTER] buffer_two is at @0x7fffa43fa1a8 contains 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
[AFTER] buffer_one is at @0x7fffa43fa1b0 contains 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
[AFTER] val1 is @0x7fffa43fa1a4 and contains '5' [0x00000005]
[AFTER] val0 is @0x7fffa43fa1a0 and contains '10' [0x0000000a]
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)
我的问题是如何指示编译器不将整数放在字符数组之前,而是将它们放在堆栈中字符数组的后面,这样就可能发生溢出。我在期待不可能的事情吗?有可能这样做吗?或者它是微不足道的,比如用 gcc 命令提供一个标志?
请帮忙。
:)
PS : 运行ning of Ubuntu X86-64 机器
你要求帮助你以一种明智的方式调用未定义的行为,这通常会让你落选,因为 Stack Overflow 是为了编写好的软件,而不是可故意利用的软件。
也就是说,您可以尝试将相关变量放在一个结构中:
int main(int argc, char *argv[]){
struct {
int val0;
char buffer_two[8];
char buffer_one[8];
int val1;
} group = {
.val0 = 10,
.val1 = 5,
};
strcpy(group.buffer_one, "one");
strcpy(group.buffer_two, "two");
// ...
}