
常见软件安全漏洞样例代码

缓冲区溢出:

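 Example1.1
     /* Review note: gets() takes no length argument, so an input line longer
      * than BUFSIZE-1 bytes is written past the end of buf. gets() was removed
      * from the language in C11. Bounded replacement:
      *     fgets(buf, sizeof buf, stdin)
      */
     ...
     char buf[BUFSIZE];
     gets(buf);//user control
     ...

 Example1.2(c++):
     /* Review note: operator>> into a char array stops only at whitespace
      * unless a field width has been set, so the same unbounded write applies.
      * Read into a std::string, or set the width (cin.width(BUFSIZE) or
      * std::setw(BUFSIZE)) before the extraction.
      */
     ...
     char buf[BUFSIZE];
     cin >> (buf);//user control
     ...

 Example2:
     /* Review note: bytes is read from the user and passed to memcpy()
      * unchecked, while buf holds 64 bytes. Any value above 64 overruns buf,
      * and a negative value converts to a very large size_t. The return value
      * of read() is ignored as well, so the number of valid bytes in `in` is
      * never known. The declaration of bytes is not shown (presumably int,
      * given the %d conversion).
      * Mitigation: keep the count returned by read(), and reject bytes when it
      * is negative, larger than sizeof buf, or larger than that count.
      */
     ...
     char buf[64], in[MAX_SIZE];
     printf("Enter buffer contents:\n");
     read(0, in, MAX_SIZE-1);
     printf("Bytes to copy:\n");
     scanf("%d", &bytes);//user control
     memcpy(buf, in, bytes);
     ...
     /* NOTE(review): the page goes from Example2 to Example4 without a label;
      * the function below is presumably Example3.
      *
      * Review note: strcpy() copies until the terminating NUL regardless of
      * BUFSIZE, so a str of BUFSIZE bytes or more overruns the stack buffer.
      * Mitigation: check strlen(str) < BUFSIZE before copying, or strdup(str)
      * first and lower-case the heap copy in place, which removes the
      * fixed-size buffer altogether. isupper()/tolower() should also be given
      * (unsigned char)*p, since a negative plain char is outside their domain.
      * The caller owns the strdup() result and must free it.
      */
     char *lccopy(const char *str) {
         char buf[BUFSIZE];
         char *p;

         strcpy(buf, str);
         for (p = buf; *p; p++) {
              if (isupper(*p)) {
                 *p = tolower(*p);
             }
         }
         return strdup(buf);
     }

 Example4:
     /* Review note: the length check lives in the `else if` arm, so it runs
      * only when PNG_HAVE_PLTE is set. When the PLTE chunk is missing, the
      * first arm merely warns and execution falls through to png_crc_read()
      * with a length that was never validated. The declaration of readbuf is
      * not shown; presumably it is a fixed-size buffer (confirm).
      * Mitigation: make the length check unconditional and compare against
      * the size of readbuf, not only against num_palette.
      */
     if (!(png_ptr->mode & PNG_HAVE_PLTE)) {
         /* Should be an error, but we can cope with it */
         png_warning(png_ptr, "Missing PLTE before tRNS");
     }
     else if (length > (png_uint_32)png_ptr->num_palette) {
         png_warning(png_ptr, "Incorrect tRNS chunk length");
         png_crc_finish(png_ptr, length);
         return;
     }
     ...
     png_crc_read(png_ptr, readbuf, (png_size_t)length);

 Example5:
     /* Review note: the last argument of MultiByteToWideChar() is the size of
      * the output buffer in wide characters, but sizeof(unicodeUser) is its
      * size in bytes, i.e. (UNLEN+1) * sizeof(WCHAR). The call is therefore
      * told the buffer is larger than it is, and a long username can be
      * written past its end.
      * Mitigation: pass sizeof(unicodeUser) / sizeof(unicodeUser[0]) and check
      * the return value (0 means failure) before using unicodeUser.
      * NOTE(review): NetUserGetInfo() returns a pointer to a buffer it
      * allocates through its LPBYTE* argument; passing the address of the
      * by-value struct parameter looks wrong as well (confirm).
      */
     void getUserInfo(char *username, struct _USER_INFO_2 info){
         WCHAR unicodeUser[UNLEN+1];
         MultiByteToWideChar(CP_ACP, 0, username, -1,
                             unicodeUser, sizeof(unicodeUser));
     NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
     }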

格式化字符串:

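 Example1:
     /* Review note: argv[1] is used as the format argument of snprintf(), so
      * any conversion specifier the user types is interpreted by the library.
      * The size bound of 128 limits the output only; it does not make the
      * format safe.
      * Mitigation: use a constant format and pass the data as an argument:
      *     snprintf(buf, sizeof buf, "%s", argv[1]);
      * Building with -Wformat -Wformat-security reports this pattern.
      */
     int main(int argc, char **argv){
         char buf[128];
         ...
         snprintf(buf,128,argv[1]);
     }

 Example2:
 /* Review note: %1$d is the POSIX positional-argument form, which lets the
  * format string choose which argument a conversion reads. It shows why the
  * format string has to be a constant under the program's control. POSIX
  * leaves mixing numbered and unnumbered conversions in one format undefined;
  * glibc typically prints "5 9 5 5" for this line.
  */
 printf("%d %d %1$d %1$d\n", 5, 9);

 Example3:
     /* Review note: the second argument of syslog() is a printf-style format.
      * Passing cmdBuf directly means its contents are parsed for conversion
      * specifiers. Where cmdBuf comes from is not shown; treat it as untrusted
      * unless proven otherwise.
      * Mitigation: syslog(LOG_ERR, "%s", cmdBuf);
      */
     ...
     syslog(LOG_ERR, cmdBuf);
     ...

 Example4:
 /* Review note: this program has three separate problems.
  * 1. printWrapper() passes its argument to printf() as the format string,
  *    and main() calls it with argv[1]. Use printf("%s", string) or
  *    fputs(string, stdout).
  * 2. memcpy() always copies 5012 bytes from argv[1], reading past the end of
  *    the argument whenever it is shorter than that. Bound the copy by the
  *    actual string length and by sizeof buf.
  * 3. argc is never checked, so argv[1] may be NULL; <string.h> is also not
  *    included for memcpy().
  */
 #include <stdio.h>

 void printWrapper(char *string) {
   printf(string);
 }

 int main(int argc, char **argv) {
   char buf[5012];
   memcpy(buf, argv[1], 5012);
   printWrapper(argv[1]);
   return (0);
 }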

整数溢出:

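Example1:
/* Review note: bytesRec is a short. If MAXGET is larger than SHRT_MAX the
 * counter can never reach it: the running total wraps to a negative value,
 * the loop condition stays true, and buf+bytesRec then points before the
 * start of buf. Nothing shown ties MAXGET to SOMEBIGNUM, and getFromInput()
 * is not told how much room is left (both are defined elsewhere; confirm).
 * Mitigation: use size_t for the counter and pass the remaining space to the
 * reader on every iteration.
 */
short int bytesRec = 0;
char buf[SOMEBIGNUM];
while(bytesRec < MAXGET) {
  bytesRec += getFromInput(buf+bytesRec);
}

Example2:
    /* Review note: nresp comes from the packet and is multiplied by
     * sizeof(char*) with no upper bound. A large enough value makes the
     * product wrap, so xmalloc() returns a buffer far smaller than the nresp
     * pointers the loop then stores into it.
     * Mitigation: reject nresp above a protocol-level maximum, or at least
     * above SIZE_MAX / sizeof(char*), before allocating; an allocator that
     * takes (count, size) and checks the product itself is safer still.
     */
    nresp = packet_get_int();
    if (nresp > 0) {
        response = xmalloc(nresp*sizeof(char*));
        for (i = 0; i < nresp; i++)
            response[i] = packet_get_string(NULL);
    }

Example3:
    /* Review note: len is a signed short taken from the input. A negative
     * value passes the `len <= 512` test and is then converted to a very
     * large size_t by memcpy(), overrunning buf.
     * Mitigation: read the length as an unsigned type (or also require
     * len >= 0) and confirm that strm really holds that many bytes.
     * Also: `return -1` in a function returning char* is an integer-to-pointer
     * conversion, so the caller has no clean error value; and *(short*)strm
     * assumes strm is suitably aligned (memcpy into a local avoids that).
     */
    char* processNext(char* strm) {
        char buf[512];
        short len = *(short*) strm;
        strm += sizeof(len);
        if (len <= 512) {
            memcpy(buf, strm, len);
            process(buf);
            return strm + len;
        } else {
            return -1;
        }
    }

Example4:
/* Review note: INT_MAX + 1 is signed overflow, which is undefined behaviour
 * in C. The wrap to INT_MIN in the transcript is what this particular build
 * produced, not something the language guarantees, and an optimiser may
 * assume it never happens.
 * Mitigation: test before adding (a > INT_MAX - b), use an unsigned or wider
 * type, or build with -ftrapv / -fsanitize=signed-integer-overflow in testing.
 */
rezos@bezel ~/labs/integer $ cat add.c
#include <stdio.h>
#include <limits.h>
int main(void)
{
 int a;
//  a=2147483647;
 a=INT_MAX;
 printf("int a (INT_MAX) = %d (0x%x), int a (INT_MAX) + 1 = %d (0x%x)\n", a,a,a+1,a+1);
 return 0;
}
rezos@bezel ~/labs/integer $ ./add
int a (INT_MAX) = 2147483647 (0x7fffffff), int a (INT_MAX) + 1 = -2147483648 (0x80000000)

Example5:
/* Review note: with i = 1073741824 (2^30) and 4-byte pointers, the product
 * i * sizeof(char *) is 2^32, which wraps to 0 in a 32-bit size_t (the
 * transcript is presumably from a 32-bit build). malloc(0) may return a
 * non-NULL pointer, so the NULL check passes and the first loop writes 2^30
 * bytes into an allocation of no usable size, hence the segmentation fault.
 * Mitigation: reject i > SIZE_MAX / sizeof(char *) before multiplying, or use
 * calloc(i, size), which checks the product. atoi() reports no errors, so
 * strtol() with range checks is the better parser.
 * Also: tab is a char * but the allocation is sized in units of
 * sizeof(char *); the element type and the size expression should agree.
 */
rezos@bezel ~/labs/integer $ cat multiplication.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
int main(int argc, char **argv)
{
 int i, j, z=0x00000001;
 char *tab;
 if(argc<2) _exit(1);
 i=atoi(argv[1]);
 if(i>0) {
   tab = malloc(i * sizeof(char *));
   if(tab == NULL) _exit(2);
 }
 for(j=0; j<i; j++)
   tab[j]=z++;
 for(j=0; j<i; j++)
   printf("tab[j]=0x%x\n", tab[j]);
 return 0;
}
rezos@bezel ~/labs/integer $ ./multiplication 1073741824
Segmentation fault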

 
