Environment: Windows XP + Visual C++ (release mode)
/*
StackOverrun.c
*/
#include <stdio.h>
#include <string.h>

void foo(const char* input)
{
    char buf[10];
    // careful, this is the stack trick
    // here we can see the flaw in how the argument is handled
    // no arguments are supplied on purpose: each %p reads the next value off the stack
    printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
    // public enemy number one: stack overrun (no length check on input)
    strcpy(buf, input);
    printf("%s\n", buf);
    printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
}

void bar(void)
{
    printf("Augh! I've been hacked!\n");
}

int main(int argc, char* argv[])
{
    printf("Address of foo = %p\n", foo);
    printf("Address of bar = %p\n", bar); // print the addresses of the functions
    if (argc != 2)
    {
        printf("Please supply a string as an argument!\n");
        return -1;
    }
    foo(argv[1]);
    return 0;
}
After compiling, you can try this:
>StackOverrun.exe shawntherockisanewbie
Address of foo = 00401000
Address of bar = 00401060
My stack looks like:
00000000
00000000
00000000
7FFDA000
00401091
004010BB
shawntherockisanewbie
Now the stack looks like:
00000000
00000000
77616873
6568746E
6B636F72
6E617369
Now Windows pops up an error window: "The instruction at "0x6e617369" referenced memory at "0x6e617369". The memory could not be "read"".
Where does "0x6e617369" come from? The ASCII code of the letter "n" is 6e: the return address on the stack has been overwritten with bytes of the input string, so the CPU tries to execute from that address.
How can this problem be fixed in this case? It is easy to figure out.
#include <stdio.h>
#include <string.h>

void foo(const char* in)
{
    char buf[64]; // a Win32 program must not accept a string argument longer than 64 characters
    strncpy(buf, in, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0'; // victory! (the terminator must land on the last byte inside buf, index sizeof(buf) - 1)
    printf("%s\n", buf);
}

void bar(const char* in)
{
    printf("Augh! I've been hacked!\n");
}

int main(int argc, char* argv[])
{
    if (argc != 2)
    {
        printf("Usage is %s [string]\n", argv[0]); // show usage
        return -1;
    }
    printf("Address of foo is %p, address of bar is %p\n", foo, bar); // show the current function addresses
    foo(argv[1]); // pass the received string to foo()
    return 0;
}
This Windows console program now cannot accept more than 64 characters.
PS: Secure coding techniques are not specific to any programming language.
You can apply them in whatever programming language you use in your project.
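As an added example (not code from the original post), the following shows a bounded copy routine that always places the terminator inside the buffer and tells the caller when input was truncated, plus a small check of why strncpy() alone is not enough; the names bounded_copy, strncpy_left_unterminated, foo_safe and run_with_length are assumed here.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst (dstsize bytes), always NUL-terminating inside the
 * buffer. Returns 1 if src was truncated, 0 if it fit. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0) return 1;
    if (len >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);          /* len + 1 copies the terminator */
    return 0;
}

/* strncpy() pitfall: with strlen(src) >= n it writes no terminator at all.
 * Returns 1 if the n-byte destination is left without a NUL. */
int strncpy_left_unterminated(const char *src, size_t n)
{
    char dst[64];
    if (n > sizeof dst) n = sizeof dst;
    memset(dst, 'X', sizeof dst);       /* no stray NULs to begin with */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

/* Hardened foo(): same 64-byte buffer as the post's fixed version.
 * Returns the number of characters kept, so truncation is visible. */
size_t foo_safe(const char *in)
{
    char buf[64];
    int truncated = bounded_copy(buf, sizeof buf, in);
    printf("%s%s\n", buf, truncated ? " [truncated]" : "");
    return strlen(buf);
}

/* Constructed input of n 'A's (capped at 199), run through foo_safe(). */
size_t run_with_length(size_t n)
{
    char input[200];
    if (n >= sizeof input) n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return foo_safe(input);
}
```

With a 64-byte buffer, run_with_length(63) keeps all 63 characters while run_with_length(64) and anything longer keep 63 and are reported as truncated.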
1 comment:
Good post.