Why is this the offset of the return pointer? "smashing the stack"
I am trying to do a buffer overflow as described here, and I couldn't find the offset of the return pointer until I brute forced it, and I found it to be 21. Following this Whosebug post, I got the following memory dump:
(gdb) r 21
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/sergiuser/test 21
Breakpoint 1, function (a=1, b=2, c=21) at test.c:8
8 ret = buffer1 + c;
(gdb) print &buffer1
= (char (*)[5]) 0x7fffffffde63
(gdb) x/32xw 0x7fffffffde63
0x7fffffffde63: 0x00000000 0xe0585400 0x007ffff7 0xffdea000
0x7fffffffde73: 0x007fffff 0x5551bb00 0x00555555 0xffdf9800
0x7fffffffde83: 0x007fffff 0x55505000 0x00000255 0xffdf9000
0x7fffffffde93: 0x007fffff 0x00001500 0x00000000 0x5551e000
0x7fffffffdea3: 0x00555555 0xdef15200 0x007ffff7 0xffdf9800
0x7fffffffdeb3: 0x007fffff 0xdeef7300 0x000002f7 0x55517b00
0x7fffffffdec3: 0x00555555 0x00000000 0x00000800 0x00000000
0x7fffffffded3: 0x00000000 0xf27a4500 0x3360fb15 0x55505067
(gdb) bt
#0 function (a=1, b=2, c=21) at test.c:8
#1 0x00005555555551bb in main (argc=2, argv=0x7fffffffdf98) at test.c:17
(gdb) c
Continuing.
0
[Inferior 1 (process 344541) exited with code 02]
(gdb)
I don't understand why this offset works, because I can't find the return address in memory.
Here is the modified code of my program; the only difference is that I use the input argument as the offset:
#include <stdio.h>
#include <stdlib.h>

/* Deliberately unsafe: adds 5 to the byte at buffer1 + c. On the asker's
   build, c = 21 lands on the low byte of the saved return address. */
void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    char *ret;

    ret = buffer1 + c;   /* c comes straight from the command line */
    (*ret) += 5;         /* patches the return address so "x += 1000" is skipped */
}

int main(int argc, char **argv) {
    int x = 0;
    int c;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <offset>\n", argv[0]);
        return 1;
    }
    c = atoi(argv[1]);
    function(1, 2, c);
    x += 1000;           /* not executed when the return address was patched */
    printf("%d\n", x);
    return 0;
}
In the middle of this line we find the address you are looking for, 0x00005555555551bb:
0x7fffffffde73: 0x007fffff 0x5551bb00 0x00555555 0xffdf9800
It sits exactly 21 bytes after 0x7fffffffde63.
You may need to swap some bytes around to account for endianness and stack alignment.
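A way to check the answer's arithmetic mechanically, as an added example that is not part of the question or the answer: it rebuilds the byte image behind the x/32xw listing (gdb prints each word as a number, but x86-64 stores the bytes little-endian) and then searches for the return address reported by bt in both byte orders. The dump and addresses are copied from the gdb session above; the function names are my own.

```python
import re
import struct

# Constructed sample: the x/32xw listing from the question, copied verbatim.
DUMP = """\
0x7fffffffde63: 0x00000000 0xe0585400 0x007ffff7 0xffdea000
0x7fffffffde73: 0x007fffff 0x5551bb00 0x00555555 0xffdf9800
0x7fffffffde83: 0x007fffff 0x55505000 0x00000255 0xffdf9000
0x7fffffffde93: 0x007fffff 0x00001500 0x00000000 0x5551e000
0x7fffffffdea3: 0x00555555 0xdef15200 0x007ffff7 0xffdf9800
0x7fffffffdeb3: 0x007fffff 0xdeef7300 0x000002f7 0x55517b00
0x7fffffffdec3: 0x00555555 0x00000000 0x00000800 0x00000000
0x7fffffffded3: 0x00000000 0xf27a4500 0x3360fb15 0x55505067
"""

BUFFER1 = 0x7fffffffde63       # &buffer1 printed by gdb
RET_ADDR = 0x00005555555551bb  # frame #1 address from 'bt'

LINE_RE = re.compile(r"^(0x[0-9a-f]+):((?:\s+0x[0-9a-f]{8})+)$")


def parse_gdb_words(dump):
    """Return (base_address, raw_bytes) for an 'x/Nxw' listing.

    Each printed word is a 32-bit number; packing it with '<I' restores
    the little-endian order the bytes actually have in memory.
    """
    base, mem = None, bytearray()
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        if addr != base + len(mem):
            raise ValueError("dump is not contiguous at %#x" % addr)
        for word in m.group(2).split():
            mem += struct.pack("<I", int(word, 16))
    return base, bytes(mem)


def offset_of(dump, buffer_addr, value, byteorder):
    """Offset from buffer_addr to the first 8-byte copy of value, or None."""
    base, mem = parse_gdb_words(dump)
    idx = mem.find(value.to_bytes(8, byteorder))
    return None if idx < 0 else base + idx - buffer_addr


if __name__ == "__main__":
    print("big-endian search:   ", offset_of(DUMP, BUFFER1, RET_ADDR, "big"))
    print("little-endian search:", offset_of(DUMP, BUFFER1, RET_ADDR, "little"))
```

The big-endian search comes back empty, which is why the address is not visible when reading the listing left to right; the little-endian search finds it at offset 21, with 0xbb (the lowest byte of the return address) as the byte that buffer1 + 21 points to.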