緩衝區溢出攻擊實驗，意想不到的結果

Question

我做的UB的特殊情況下的分析，瞭解通過緩衝區溢出攻擊的安全漏洞的目的。

我聽不太懂的實驗結果故意室內用UB proked。我相信一個緩衝區溢出（位於另一個緩衝區和我的檢測器變量之間）會覆蓋另一個緩衝區和檢測器。

簡而言之：有什麼能爲變量 '值' 的值49的原因後

strcpy(buffer_two, argv[1]); 

在此代碼：

#include <stdio.h> 
#include <string.h> 

int main(int argc, char *argv[]){ 
    int value = 5; 
    char buffer_one[8]; 
    char buffer_two[8]; 
    strcpy(buffer_one, "one"); 
    strcpy(buffer_two, "two"); 

    printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two); 
    printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one); 
    printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value); 

    printf("\n[STRCPY] copying %d bytes into buffer_two\n\n", strlen(argv[1])); 
    strcpy(buffer_two, argv[1]); /* Copy first argument into buffer_two. */ 

    printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two); 
    printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one); 
    printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value); 
} 

---

結果：

./overflow_example AAAAAAAAAAAAAAAA1 
[BEFORE] buffer_two is at 0xbff2db0c and contains 'two' 
[BEFORE] buffer_one is at 0xbff2db14 and contains 'one' 
[BEFORE] value is at 0xbff2db1c and is 5 (0x00000005) 

[STRCPY copying 17 bytes into buffer_two 

[AFTER] buffer_two is at 0xbff2db0c and contains 'AAAAAAAAAAAAAAAA1' 
[AFTER] buffer_one is at 0xbff2db14 and contains 'AAAAAAAA1' 
[AFTER] value is at 0xbff2db1c and is 49 (0x00000031) 

內存的堆棧上去。這意味着我們重寫buffer_one的值。但我不知道爲什麼「價值」的價值是影響

Answer 1

在你的攻擊實驗中，你似乎已經失去了跟蹤緩衝器和可變的順序。
你的輸出（與代碼中的變量聲明一起）清楚地示出：

• buffer_two，大小爲8，地址0X ... 0℃
• buffer_one，大小爲8，地址0X ... 14
• 值，大小爲4，地址爲0x ... 1C

（值的大小是猜測，但不相關的，假設它有LSB的最低字節地址。）

當buffer_two溢出由9個字節，這將完全填充buffer_one，與的值爲「1」 == 49和第二字節的值第一字節爲0。

要重複，所有的即，嚴格地說，UB和爲此野生猜測。但這是正常的利用環境，你可能已經意識到了這一點。