/*
 * Decompiler (IDA-style) pseudo-code of main() from a small "read a name,
 * read N numbers, sort and print them" binary. It is NOT compilable as
 * written: sub_8B5/sub_931/sub_BA0 are decompiler names, __printf_chk and
 * __readgsdword are libc/compiler internals, and the decompiler dropped the
 * value arguments of the __printf_chk calls (only the format strings remain).
 *
 * Two memory-safety defects are visible directly in the listing:
 *  1. `buf` (ebp-0x50) is never zeroed and read() does not NUL-terminate, so
 *     the "%s" printf that follows prints whatever the 0x40-byte read left on
 *     the stack behind the name -- an information leak. Mitigation: zero the
 *     buffer before read() and NUL-terminate at the number of bytes read.
 *  2. `num_count` comes straight from scanf("%u") and is used, unbounded, as
 *     the number of 4-byte slots written from `v10` (ebp-0x70) upwards -- a
 *     stack buffer overflow. The frame offsets suggest only 0x20 bytes
 *     (8 slots) lie between v10 and buf -- TODO confirm against the binary.
 *     Mitigation: reject num_count larger than the array capacity before the
 *     input loop.
 * The only runtime check present is the stack-protector cookie (gs:0x14 on
 * i386 glibc), compared at the end; sub_BA0 is presumably the abort path.
 *
 * Returns 0 (result) unless the cookie check aborts first.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int t_num_count; // eax
  int *num_stack; // edi  -- write cursor into the number array
  unsigned int input_count; // esi
  unsigned int output_ptr; // esi
  int v7; // ST08_4
  int result; // eax
  unsigned int num_count; // [esp+18h] [ebp-74h]  -- attacker-controlled, never bounded
  int v10; // [esp+1Ch] [ebp-70h]  -- first slot of the number array
  char buf; // [esp+3Ch] [ebp-50h]  -- name buffer, not zero-initialized
  unsigned int v12; // [esp+7Ch] [ebp-10h]  -- saved stack-protector cookie

  v12 = __readgsdword(0x14u); // load the stack cookie (gs:0x14)
  sub_8B5(); // unknown init routine (likely stdio setup -- TODO confirm)
  __printf_chk(1, "What your name :");
  read(0, &buf, 0x40u); // raw read: no NUL terminator, no zeroing of buf
  // buf is not zero-initialized; printf("%s") stops only at the first \x00,
  // so uninitialized stack bytes after the name are leaked to the output.
  __printf_chk(1, "Hello %s,How many numbers do you what to sort :");
  __isoc99_scanf("%u", &num_count); // no upper bound applied to num_count
  t_num_count = num_count;
  if ( num_count )
  {
    num_stack = &v10;
    input_count = 0;
    do
    {
      __printf_chk(1, "Enter the %d number : ");
      fflush(stdout);
      __isoc99_scanf("%u", num_stack); // writes past the array once input_count exceeds its capacity
      ++input_count;
      t_num_count = num_count;
      ++num_stack;
    }
    while ( num_count > input_count );
  }
  // num_count values are read starting at ebp-0x70 with no limit: stack overflow.
  sub_931((unsigned int *)&v10, t_num_count); // bubble sort, ascending (per original annotation)
  puts("Result :");
  if ( num_count )
  {
    output_ptr = 0;
    do
    {
      v7 = *(&v10 + output_ptr); // reads as many slots as were written, also beyond the array
      // Original annotation: the canary's lowest byte is 0x00; at offset 24
      // an overwrite with \x00 here lets the canary be leaked.
      __printf_chk(1, "%u ");
      ++output_ptr;
    }
    while ( num_count > output_ptr );
  }
  result = 0;
  if ( __readgsdword(0x14u) != v12 ) // stack-protector check
    sub_BA0(); // presumably __stack_chk_fail -- TODO confirm
  return result;
}