在利用这段代码并发现如果你输入16个不同的数字Output using exploit后,我试图理解为什么会这样。是因为内存位置吗?
#include <stdio.h>
#include <stdlib.h>
#include<time.h>
int main(int argc, char *argv[]) {
int entry[6];
int results[6];
int i = 0, tmp = 0;
/* Generate power balls */
srand(time(NULL));
for (int i = 0; i < 6; i++) {
results[i] = rand() % 99;
}
printf("RULE: You are to enter a sequence of six two-digit numbers between 10 and 99. \n");
printf(" - The numbers should be separated by a single space. \n");
printf(" - The seventh number should be -1, indicating the completion of the sequence \n");
printf("Enter the numbers: \n");
while(tmp != -1) {
scanf("%d", &tmp);
if (tmp == -1) break;
entry[i] = tmp;
i++;
}
/* Check results */
int match = 0;
for (int i = 0; i < 6; i++) {
printf("The lottery number is: %d\n", results[i]);
printf("Your guess is: %d\n", entry[i]);
if (results[i] == entry[i]) {
match++;
}
}
if (match != 6){
printf("Unfortunately, there has been a mismatch! Better luck next time!\n");
}
else {
printf("Congratulations, all the numbers match! You have won a gazillion dollars \n");
}
return 0;
}我试着找出每个数组的内存位置:Entry/Results系统
但我不明白它们是如何联系在一起的,甚至不知道它们是否是漏洞利用的一部分。
1条答案
按热度按时间kcrjzv8t1#
在我的机器上,
sizeof (int)为4,这些数组以32字节的间隔对齐results被放置在entry之后,并且在它们之间具有8字节的填充。直到
tmp变为-1,i将继续递增,将tmp的值写入entry[i]。这最终溢出entry,并开始写入填充字节,然后写入results数组。在我的机器上,
i、tmp和match被放置在数组 * 之前 *,而跟在数组后面的可能是金丝雀,当它们的值被更改时,它们会触发堆栈保护。仅输入14个值而不是16个值,然后输入
-1,会导致results数组被完全覆盖,而不会触发任何堆栈保护。不过,这些都属于Undefined Behaviour的范围。