Format string vulnerability: printing variables from the stack
I'm learning about format string vulnerabilities, and I've written a test program to try them out on. This is my test program:
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        char test[] = "Whatever \n";

        /* Guard added so running with no argument does not pass NULL to printf. */
        if (argc < 2)
            return 1;

        /* The deliberate format string bug: argv[1] is used as the format itself,
           so "%p", "%s" and friends in the argument are interpreted by printf. */
        printf(argv[1]);
        return 0;
    }
If I use %p as argv[1], it of course prints out an address from the stack. If I enter %s as argv[1], it prints out:
__libc_start_main
Am I doing something wrong with my program, or my arguments? How can I have it print the test[] array from the stack? This is just an example, I want to know how to print out any variable in general from the stack. I was just using this program so I'd have an easy example.
Comments (2)
Some compilers might optimize out the definition of test[], which doesn't appear anywhere else in your function. Try using the array elsewhere in main.
test[] isn't going to be on the top of the stack within printf. It will be somewhere below argv[1] and the return address, so your code as written will never work. If there's a way to get it to work at all, you're going to have to give it more than one format specifier for argv[1]. You're going to need to familiarize yourself with C calling conventions, the stack, and a bit of assembly to solve this one.
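Added example, not from the question or the comments above: the hardened form of the question's printf(argv[1]) (untrusted data passed as an argument to a fixed format), together with a small scanner that counts printf conversion directives in an untrusted string, the kind of check a defender can use to flag input that would act as a format string if it ever reached an unguarded sink. Function names and the sample input are my own.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the question's printf(argv[1]): the untrusted string is an
   argument to a fixed format, so "%p" or "%s" inside it is printed literally and
   never interpreted. gcc/clang's -Wformat -Wformat-security warns on the
   original call because its format is neither a literal nor accompanied by
   arguments. */
static void echo_safe(const char *untrusted)
{
    printf("%s", untrusted);
}

/* Counts printf conversion directives: '%' followed by optional positional
   index, flags, width, precision and length modifier, then a conversion
   character. "%%" is a literal percent and is not counted; a dangling '%' at
   the end of the string is ignored. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%" -> literal '%' */
            continue;
        /* positional "N$", flags, width, precision (e.g. "%3$08.2lf") */
        while (*p && strchr("0123456789$#-+ '.*", *p))
            p++;
        /* length modifiers */
        while (*p && strchr("hlLqjzt", *p))
            p++;
        if (*p && strchr("diouxXeEfFgGaAcspn", *p))
            count++;
        else if (!*p)
            break;              /* '%' at end of string, nothing to consume */
    }
    return count;
}

int main(int argc, char *argv[])
{
    /* Constructed sample input used when no argument is given. */
    const char *input = argc > 1 ? argv[1] : "%p %s";
    int n = count_format_directives(input);
    if (n > 0)
        fprintf(stderr, "warning: input contains %d format directive(s)\n", n);
    echo_safe(input);
    putchar('\n');
    return 0;
}
```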