? ?
2011 - 2012
(Integer overflow)
Widthness overflows
.
:
2.
#include <stdio.h>
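/*
 * Widthness demo: one bit pattern is assigned to progressively narrower
 * integer types and each stored value is printed next to the type's width.
 *
 * The narrowing assignments below compile without a diagnostic by default.
 * That is why a value validated in one width and used in another is a common
 * source of bypassed length checks; -Wconversion reports each of them.
 */
int main(void)
{
    int l;
    short s;
    char c;

    /* 0xdeadbeef does not fit in a 32-bit int, so the conversion result is
     * implementation-defined (two's-complement wrap on mainstream compilers). */
    l = 0xdeadbeef;
    s = l;  /* narrowing: only the bits that fit in a short survive */
    c = l;  /* narrowing: only the bits that fit in a char survive */

    /* sizeof yields size_t, so the width is printed with %zu; the listing used
     * %d, which is a format/argument mismatch. The casts to unsigned int give
     * %x an argument of the type it expects; a negative short/char converts to
     * a value with the upper bits set, which is what the output shows. */
    printf("l = 0x%x (%zu bits)\n", (unsigned int)l, sizeof(l) * 8);
    printf("s = 0x%x (%zu bits)\n", (unsigned int)s, sizeof(s) * 8);
    printf("c = 0x%x (%zu bits)\n", (unsigned int)c, sizeof(c) * 8);
    return 0;
}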
? ?
Exploiting -
.
(overwriting)
, .
,
. ,
, . ,
,
.
,
, .
, ,
:
2011 - 2012
3.
/* width1.c - exploiting a trivial widthness bug */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
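/*
 * width1.c worked example. Usage: width1 <length> <string>
 *
 * Copies <length> bytes of <string> into an 80-byte stack buffer after a
 * bounds check. The check and the copy use different variables of different
 * widths, which is the bug this page discusses. The flaw is kept in place
 * because the sample inputs listed after the program depend on it; the
 * closing brace lost from the listing is restored.
 *
 * What a fix needs (not applied here):
 *   - parse the length with strtol and reject conversion errors;
 *   - validate the same variable that is later used as the length, in its own
 *     type: 0 <= i && i < (int)sizeof buf;
 *   - never copy more than strlen(argv[2]) bytes from the source.
 * -Wconversion flags the narrowing assignment `s = i`.
 */
int main(int argc, char *argv[]){
    unsigned short s;
    int i;
    char buf[80];

    if(argc < 3){
        return -1;
    }

    i = atoi(argv[1]);  /* atoi cannot report errors; negative values are accepted */
    s = i;              /* narrowing: only the low bits of i are kept in s */

    if(s >= 80){            /* [w1] checks the truncated copy, not i */
        printf("Oh no you don't!\n");
        return -1;
    }

    printf("s = %d\n", s);

    /* BUG (kept on purpose): the length used here is i, which [w1] never
     * examined. Any i whose truncated value is below 80 passes the check while
     * i itself may exceed sizeof buf or be negative. The copy also reads i
     * bytes from argv[2] regardless of how long that string really is. */
    memcpy(buf, argv[2], i);
    buf[i] = '\0';
    printf("%s\n", buf);

    return 0;
}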
,
.
5 hello
80 hello
65536 hello
? ?
(Arithmetic overflows)
,
,
, .
,
, ,
.
:
2011 - 2012
4.
/* ex2.c - an integer overflow */
#include <stdio.h>
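/*
 * ex2.c: prints the largest 32-bit unsigned value and the result of adding 1.
 *
 * Unsigned arithmetic is defined to wrap modulo 2^N, so num + 1 is 0 here.
 * The wrap is silent: code that computes sizes or offsets this way must check
 * the operands before the addition, not the result after it.
 */
int main(void)
{
    unsigned int num = 0xffffffff;

    /* sizeof yields size_t, so %zu is the matching conversion; the listing
     * used %d, which is a format/argument mismatch. */
    printf("num is %zu bits long\n", sizeof(num) * 8);
    printf("num = 0x%x\n", num);
    printf("num + 1 = 0x%x\n", num + 1);
    return 0;
}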
? ?
5.
/* ex4.c - various arithmetic overflows */
#include <stdio.h>
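/*
 * ex4.c: shows addition, multiplication and subtraction results that do not
 * fit in 32 bits, printed in decimal and hex.
 *
 * Only unsigned arithmetic is defined to wrap. Overflow of a signed int is
 * undefined behaviour, so a compiler may assume it never happens and remove
 * or reorder checks that depend on it. Each step below is therefore carried
 * out in unsigned int, where the wrap-around is well defined.
 */
int main(void)
{
    int l, x;

    l = 0x40000000;
    printf("l = %d (0x%x)\n", l, (unsigned int)l);

    /* 0xc0000000 does not fit in int, so the constant is unsigned int and the
     * addition is already performed in unsigned arithmetic. */
    x = l + 0xc0000000;
    printf("l + 0xc0000000 = %d (0x%x)\n", x, (unsigned int)x);

    /* The listing computed l * 0x4 in signed int, which overflows (undefined
     * behaviour). Multiplying as unsigned gives the wrapped value the listing
     * is meant to show without relying on undefined behaviour. */
    x = (int)((unsigned int)l * 0x4u);
    printf("l * 0x4 = %d (0x%x)\n", x, (unsigned int)x);

    /* 0xffffffff is unsigned int as well; the subtraction wraps below zero. */
    x = l - 0xffffffff;
    printf("l - 0xffffffff = %d (0x%x)\n", x, (unsigned int)x);

    return 0;
}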
? ?
.
. ,
dVal.
:
6.
#include <stdio.h>
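/*
 * Minimal printf example: the %d conversion in the format string is replaced
 * by the decimal value of dVal.
 *
 * The listing printed dVal without ever assigning it. Reading an uninitialised
 * automatic variable is undefined behaviour and in practice prints whatever
 * was left on the stack. main is also declared with the standard int return
 * type instead of void.
 */
int main(void)
{
    int dVal = 10;  /* constructed sample value; the listing left it unset */

    printf("The value is %d\n",dVal);
    return 0;
}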
2011 - 2012
"%d" "dVal".
? ?
(hexadecimal)
:
7.
#include <stdio.h>
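/*
 * Prints the same integer twice, once with %d (decimal) and once with %x
 * (hexadecimal), to show that the conversion specifier alone decides how the
 * argument is rendered.
 *
 * The listing printed dVal without assigning it (undefined behaviour), and
 * declared main as void; both are corrected here.
 */
int main(void)
{
    int dVal = 255;  /* constructed sample value; the listing left it unset */

    printf("The value in decimal is %d\n",dVal);
    /* %x expects an unsigned int argument */
    printf("The value in hexadecimal is %x\n",(unsigned int)dVal);
    return 0;
}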
#include <stdio.h>
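/*
 * Demonstrates the %n conversion: instead of printing anything, %n stores the
 * number of bytes printf has produced so far into the int its argument points
 * to. Here that count is 20, the width forced by %.20x.
 *
 * The string quotes and line breaks lost from the listing are restored, and
 * the stray listing line numbers are dropped.
 *
 * Defensive context: %n is the only standard conversion that writes to memory,
 * which is why it matters when a format string is not a literal. glibc built
 * with _FORTIFY_SOURCE=2 aborts on %n in a format string held in writable
 * memory, and the Microsoft CRT leaves %n disabled unless
 * _set_printf_count_output enables it. The format here is a literal, so those
 * checks do not apply to this program.
 */
int main(void)
{
    int bytes_formatted = 0;
    char buffer[28] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    /* The listing passed `buffer` (a char *) to %x, which is a format/argument
     * mismatch. The first byte is passed as an unsigned int instead; the
     * precision still pads the output to 20 digits, so the count stored by %n
     * is the same. */
    printf("%.20x%n", (unsigned int)(unsigned char)buffer[0], &bytes_formatted);
    printf("\nThe number of bytes formatted in the previous printf statement was %d\n",
           bytes_formatted);
    return 0;
}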
:
2011 - 2012
? ?
9.
#include <stdio.h>
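/*
 * Echoes every command-line argument, separated by spaces.
 *
 * This is the page's example of a format string bug and the flawed call is
 * kept so the surrounding discussion still applies. Repaired here: the
 * separator string whose quotes were lost from the listing, and the
 * non-standard `void main`.
 *
 * What a fix needs (not applied here): pass the argument as data, not as the
 * format, i.e. printf("%s", argv[count]) or fputs(argv[count], stdout).
 * GCC and Clang report the flawed call with -Wformat -Wformat-security.
 */
int main(int argc, char *argv[])
{
    int count = 1;

    /* argc is counted down while count is counted up, so the loop visits
     * argv[1] through the last argument exactly once each. */
    while(argc > 1)
    {
        /* BUG (kept on purpose): the argument is used as the format string, so
         * any conversion specifier it contains is interpreted by printf
         * although no matching arguments were passed. */
        printf(argv[count]);
        printf(" ");
        count ++;
        argc --;
    }
    return 0;
}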
? ?
, .
.
,
.
.
10.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
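/*
 * Formats the first command-line argument into a 100-byte buffer, then prints
 * the buffer, its length, and the value and address of a local variable x so
 * the reader can watch x while experimenting with the input.
 *
 * This is the page's format string example and the flawed _snprintf call is
 * kept so the discussion that follows still applies. Repaired here: the
 * string literal that was broken across two lines, the conversions that did
 * not match their arguments, and the missing argument-count check.
 *
 * What a fix needs (not applied here): give the formatter a literal format,
 * i.e. _snprintf(buf, sizeof buf, "%s", argv[1]). Printing the address of a
 * stack variable is part of the demonstration and has no place in production
 * output, because it discloses stack layout.
 */
int main (int argc, char* argv[])
{
    char buf[100];
    int x = 1;

    /* The listing dereferenced argv[1] without checking that it exists. */
    if (argc < 2) {
        return 1;
    }

    /* BUG (kept on purpose): argv[1] is passed as the format string, so any
     * conversion specifier it contains is interpreted by the formatter
     * although no matching arguments were supplied. */
    _snprintf(buf, sizeof buf, argv[1]);
    /* _snprintf does not add a terminator when the output is truncated. */
    buf[sizeof buf - 1] = 0;

    /* strlen returns size_t; it is converted explicitly to match %d (the
     * value is below 100 here). %#x expects unsigned int, %p expects void *. */
    printf("Buffer size is: (%d) \nData input: %s \n",
           (int)strlen(buf), buf);
    printf("X equals: %d/ in hex: %#x\nMemory address for x: (%p) \n",
           x, (unsigned int)x, (void *)&x);
    return 0;
}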
.
2011 - 2012
Bob .
.
"%x%" ,
(parses) , Bob,
%x
.
Bob buf
%s (Data input). printf
:
printf ( Buffer size is: (%d) \n Data input: Bob %x %x \n ,
strlen (buf) , buf ) ;
,
, .
.
11.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main (int argc, char *argv[])
{
char buf [100]="";
int x = 1;
int count = 1;
strncpy ( buf, argv [1], sizeof buf) ;
buf [ sizeof buf -1 ] = 0;
printf ( "Buffer size is: (%d) \n" , strlen (buf) ) ;
printf("Data input:");
while(argc > 1)
{
printf( argv[count]);
printf(" ");
count ++;
argc --;
}
printf ( "\n X equals: %d/ in hex: %#x\nMemory address for x:
(%p) \n" , x, x, &x) ;
return 0 ;