In this article, Core Security shows some of the mistakes programmers commonly make in C programs. Using the five examples posed by gera, we illustrate the class of problems known as format string bugs. For each program we point out exactly where the bug is, explain why the mistake is dangerous, and provide an exploit for it. The test platform used throughout is a Linux Slackware 8.0 server (IA32) with the GNU GCC 2.95.3 compiler:
user@CoreLabs:~$ uname -a
Linux CoreLabs 2.4.5 #31 SMP Sat Mar 2 03:04:23 EET 2002 i586 unknown

user@CoreLabs:~$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-slackware-linux/2.95.3/specs
gcc version 2.95.3 20010315 (release)

user@CoreLabs:~$ cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 5
model : 2
model name : Pentium 75 - 200
n    The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.

h    A following integer conversion corresponds to a short int or unsigned short int argument, or a following n conversion corresponds to a pointer to a short int argument.

(Translator's note: in a format string, %n means writing the length of what has been displayed so far into a variable. %h means converting the corresponding following argument to a short int.)
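As an added example (not code from the original article or from gera's examples; the function names are my own), the following C program shows what %n and %hn actually store into the pointed-to variable, including the 16-bit wrap-around of %hn, and contrasts it with the safe way of printing user-supplied text, where the text is only a %s argument and is never parsed as a format:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the article: what %n and %hn store,
   which is the property that makes a user-controlled format dangerous. */

/* Formats PREFIX followed by %n and returns the value %n stored:
   the number of bytes written before %n was reached. */
int bytes_before_n(const char *prefix)
{
    int written = -1;                 /* %n overwrites this int */
    char out[256];
    snprintf(out, sizeof out, "%s%n", prefix, &written);
    return written;
}

/* Same idea with %hn, which writes through a short *: a count of
   WIDTH bytes is stored modulo 2^16, so widths above 65535 wrap. */
unsigned short bytes_before_hn(int width)
{
    short written = 0;                /* %hn overwrites 2 bytes only */
    size_t need = (size_t)width + 1;  /* room for WIDTH bytes plus NUL */
    char *out = malloc(need);
    if (out == NULL)
        return 0;
    snprintf(out, need, "%*d%hn", width, 0, &written);
    free(out);
    return (unsigned short)written;
}

/* Safe pattern: the user's string is only a %s argument, so any '%'
   directive inside it (such as "%n") is copied, never interpreted. */
void print_safe(char *dst, size_t n, const char *user)
{
    snprintf(dst, n, "%s", user);
}

int main(void)
{
    char buf[64];
    printf("%%n after \"hello\" stores %d\n", bytes_before_n("hello"));
    printf("%%hn after 65541 bytes stores %u\n", bytes_before_hn(65541));
    print_safe(buf, sizeof buf, "%n%n%n");
    printf("safe form output: %s\n", buf);
    return 0;
}
```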