
So I'm working on an assignment for a security class where the task is to use a stack overflow to call a function, oopsDidISmashTheStack, that is never called anywhere in the program.

#include <stdio.h>
#include <stdlib.h>

/* Target function: never called by main, only reachable by
   redirecting a return address to it. */
int oopsDidISmashTheStack(void)
{
    printf("Yup, smashing the stack is fun!\n");
    exit(0);
}

int getUserInput (void)
{
    char buf[12];
    gets(buf);      /* unbounded read into a 12-byte stack buffer: the intended overflow */
    return(1);
}

int main(void)
{
    getUserInput ();
    printf("Overflow failed, normal return\n");
    return(1);
}

I understand the concept that after the buf variable comes the sfp and then the return address; what I can't figure out is the input that changes the return address to the function's address, 0x080484fc. I figured it takes 12 characters to fill the buffer, and I was under the impression that the sfp and the return address are 4 bytes each, so I tried filling the sfp with another 4 random characters and then using \xfc\x84\x04\x08 to make the return address point at the function.

If anyone is familiar with how stack memory works and could explain where I'm going wrong, that would be great.

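For comparison with the assignment's getUserInput(), here is what the same routine looks like once the unbounded gets() is replaced by a bounded read. This is an added example, not code from the question or the answer: it keeps the 12-byte buffer from the original, uses fgets() so at most 11 bytes plus a NUL ever land in it, and reports whether a longer line was cut so the caller can reject it instead of silently continuing. The read_line_from_string() helper and the struct read_result type are assumptions introduced here only so the function can be exercised on constructed input rather than the terminal.

```c
#include <stdio.h>
#include <string.h>

/* Same size as the buf[12] in the question's getUserInput(). */
#define BUF_SIZE 12

/* Outcome of one bounded read (a type invented for this example). */
struct read_result {
    int stored;     /* bytes placed in buf, not counting the terminating NUL */
    int truncated;  /* 1 if the line had more bytes than fit and they were discarded */
    int eof;        /* 1 if nothing could be read at all */
};

/* Bounded replacement for gets(buf): reads at most bufsz-1 bytes from `in`,
 * always NUL-terminates, strips the newline, and drains any excess so the
 * leftover bytes are not handed to the next read as a new "line". */
struct read_result read_line_bounded(FILE *in, char *buf, size_t bufsz)
{
    struct read_result r = {0, 0, 0};

    if (bufsz == 0) {
        r.eof = 1;
        return r;
    }
    if (fgets(buf, (int)bufsz, in) == NULL) {
        buf[0] = '\0';
        r.eof = 1;
        return r;
    }

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';              /* whole line fit: drop the newline */
    } else {
        /* No newline in buf: the line was either exactly bufsz-1 bytes long
         * or longer than the buffer. Look at the next byte to tell which. */
        int c = fgetc(in);
        if (c != EOF && c != '\n') {
            r.truncated = 1;
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;                       /* discard the bytes that did not fit */
        }
    }
    r.stored = (int)len;
    return r;
}

/* Test helper (hypothetical, not part of the assignment): feed a constructed
 * line through a temporary file so the reader can be run without stdin. */
struct read_result read_line_from_string(const char *line, char *buf, size_t bufsz)
{
    struct read_result fail = {0, 0, 1};
    FILE *in = tmpfile();
    if (in == NULL) {
        if (bufsz)
            buf[0] = '\0';
        return fail;
    }
    fputs(line, in);
    rewind(in);
    struct read_result r = read_line_bounded(in, buf, bufsz);
    fclose(in);
    return r;
}

int main(void)
{
    /* Constructed input: far longer than the 12-byte buffer. With gets()
     * the extra bytes would run past buf into the saved registers. */
    const char *long_line = "this line is much longer than twelve bytes\n";
    char buf[BUF_SIZE];

    struct read_result r = read_line_from_string(long_line, buf, sizeof buf);
    printf("stored=%d truncated=%d buf=\"%s\"\n", r.stored, r.truncated, buf);
    if (r.truncated)
        printf("input too long, rejected\n");
    return 0;
}
```

The truncated flag is the part worth keeping: fgets() alone stops the memory corruption, but a caller that does not notice the cut will process "this line i" as if it were the whole input, and the unread remainder would otherwise surface as the next line.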

1 Answer


You're pretty much on the right track. I suggest you look at the stack and see if the return address is where you think it is. There might be something else in there. Also double check the endianness.

I assume this is your input string?

"012345678901xxxx\xfc\x84\x04\x08"

What is the output of your program? Generally, if you're close but don't get it quite right, the program crashes :)

answered 2013-10-01T02:34:38.950