#include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/socket.h> #include <netinet/ip.h> #define PORT 9090 /* Changing this size will change the layout of the stack. * We have added 2 dummy arrays: in main() and myprintf(). * Instructors can change this value each year, so students * won’t be able to use the solutions from the past. * Suggested value: between 0 and 300 */ #ifndef DUMMY_SIZE #define DUMMY_SIZE 100 #endif char *secret = "A secret message\n"; unsigned int target = 0x11223344; void myprintf(char *msg) { uintptr_t framep; // Copy the ebp value into framep, and print it out asm("movl %%ebp, %0" : "=r"(framep)); printf("The ebp value inside myprintf() is: 0x%.8x\n", framep); /* Change the size of the dummy array to randomize the parameters for this lab. Need to use the array at least once */ char dummy[DUMMY_SIZE]; memset(dummy, 0, DUMMY_SIZE); // This line has a format string vulnerability printf(msg); printf("The value of the ’target’ variable (after): 0x%.8x\n", target); }
时间: 2024-04-29 08:19:19 浏览: 153
这段代码存在一个格式化字符串漏洞,容易受到攻击者的利用。攻击者可以通过特殊的格式化字符串来读取或写入内存中的任意位置。具体来说,攻击者可以在传递给myprintf()函数的字符串中添加%c或%s等特殊字符,来读取内存中的任意位置。攻击者也可以使用%hn或%n等格式化字符串,来将值写入内存中的任意位置。例如,攻击者可以使用以下格式化字符串来将0x11223344写入target变量的地址0x0804a028处:
./vulnerable $(python -c "print('\x28\xa0\x04\x08' + '%4c%hn'*2)")
相关问题
#include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <fcntl.h> #include <sys/ioctl.h> #include <linux/can.h> #include <linux/can/raw.h> #define CAN_INTERFACE "can0" // CAN接口名称 #define CAN_ID 0x123 // CAN ID int main(void) { int s; // socket描述符 struct sockaddr_can addr; struct ifreq ifr; struct can_frame frame; int nbytes; // 创建socket s = socket(PF_CAN, SOCK_RAW, CAN_RAW); if(s < 0) { perror("socket PF_CAN failed"); return 1; } // 设置CAN接口 strcpy(ifr.ifr_name, CAN_INTERFACE); ioctl(s, SIOCGIFINDEX, &ifr); addr.can_family = PF_CAN; addr.can_ifindex = ifr.ifr_ifindex; bind(s, (struct sockaddr *)&addr, sizeof(addr)); // 发送CAN数据 frame.can_id = CAN_ID; frame.can_dlc = 2; frame.data[0] = 0x01; frame.data[1] = 0x02; nbytes = write(s, &frame, sizeof(struct can_frame)); if(nbytes != sizeof(struct can_frame)) { perror("write failed"); close(s); return 1; } // 接收CAN数据 nbytes = read(s, &frame, sizeof(struct can_frame)); if(nbytes < 0) { perror("read failed"); close(s); return 1; } printf("can_id = 0x%X, can_dlc = %d, data = %02X %02X\n", frame.can_id, frame.can_dlc, frame.data[0], frame.data[1]); close(s); return 0; }这个代码gcc编译不过,重新写一下呢?
这段代码的问题在于缺少头文件的引用,需要添加以下头文件:
```c
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
```
另外,建议在使用 ioctl 函数时加上错误处理,修改后的代码如下:
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <linux/can.h>
#include <linux/can/raw.h>
#define CAN_INTERFACE "can0" // CAN接口名称
#define CAN_ID 0x123 // CAN ID
int main(void) {
int s; // socket描述符
struct sockaddr_can addr;
struct ifreq ifr;
struct can_frame frame;
int nbytes;
// 创建socket
s = socket(PF_CAN, SOCK_RAW, CAN_RAW);
if(s < 0) {
perror("socket PF_CAN failed");
return 1;
}
// 设置CAN接口
strcpy(ifr.ifr_name, CAN_INTERFACE);
if(ioctl(s, SIOCGIFINDEX, &ifr) < 0) {
perror("ioctl failed");
close(s);
return 1;
}
addr.can_family = PF_CAN;
addr.can_ifindex = ifr.ifr_ifindex;
if(bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
perror("bind failed");
close(s);
return 1;
}
// 发送CAN数据
frame.can_id = CAN_ID;
frame.can_dlc = 2;
frame.data[0] = 0x01;
frame.data[1] = 0x02;
nbytes = write(s, &frame, sizeof(struct can_frame));
if(nbytes != sizeof(struct can_frame)) {
perror("write failed");
close(s);
return 1;
}
// 接收CAN数据
nbytes = read(s, &frame, sizeof(struct can_frame));
if(nbytes < 0) {
perror("read failed");
close(s);
return 1;
}
printf("can_id = 0x%X, can_dlc = %d, data = %02X %02X\n",
frame.can_id, frame.can_dlc, frame.data[0], frame.data[1]);
close(s);
return 0;
}
```
解释代码#include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/socket.h> #include <netinet/ip.h> #define PORT 9090 /* Changing this size will change the layout of the stack. * We have added 2 dummy arrays: in main() and myprintf(). * Instructors can change this value each year, so students * won't be able to use the solutions from the past. * Suggested value: between 0 and 300 */ #ifndef DUMMY_SIZE #define DUMMY_SIZE 100 #endif char *secret = "A secret message\n"; unsigned int target = 0x11223344; void myprintf(char *msg) { uintptr_t framep; // Copy the ebp value into framep, and print it out asm("movl %%ebp, %0" : "=r"(framep)); printf("The ebp value inside myprintf() is: 0x%.8x\n", framep); /* Change the size of the dummy array to randomize the parameters for this lab. Need to use the array at least once */ char dummy[DUMMY_SIZE]; memset(dummy, 0, DUMMY_SIZE); // This line has a format-string vulnerability printf(msg); printf("The value of the 'target' variable (after): 0x%.8x\n", target); } /* This function provides some helpful information. It is meant to * simplify the lab tasks. In practice, attackers need to figure * out the information by themselves. */ void helper() { printf("The address of the secret: 0x%.8x\n", (unsigned) secret); printf("The address of the 'target' variable: 0x%.8x\n", (unsigned) &target); printf("The value of the 'target' variable (before): 0x%.8x\n", target); }
这段代码定义了两个全局变量:指向字符串的指针 `secret` 和一个无符号整数 `target`。同时定义了一个名为 `myprintf` 的函数,该函数接受一个指向字符的指针,并将其作为格式化字符串打印到标准输出中。该函数中还使用了一个名为 `dummy` 的数组,在函数内部没有实际用途,只是为了随机化函数参数。在函数中还打印了 `ebp` 的值,以便在后面的漏洞利用中定位栈帧。同时,该代码还定义了一个名为 `helper` 的函数,用于打印一些有用的信息,便于后续的漏洞利用。
阅读全文