C # creating buffer overflows

Question

C # creating buffer overflows

I am trying to create a buffer overflow with C # for a school project:

unsafe { fixed (char* ptr_str = new char[6] {'H', 'a', 'l', 'l', 'o', ','}) { fixed (char* ptr_str2 = new char[6] {'W', 'e', 'r', 'e', 'l', 'd'}) { fixed (char* ptr_str3 = new char[6] {'!', '!', '!', '!', '!', '!'}) { for (int i = 0; i < 8; i++) { ptr_str2[i] = 'a'; } for (int i = 0; i < 6; i++) { this.Label2.Text += ptr_str[i]; this.Label3.Text += ptr_str2[i]; this.Label4.Text += ptr_str3[i]; } } } } }

I thought it was a flood of ptr_str2 and thus rewriting the characters in ptr_str . However, this does not happen. It is executed, but the values in ptr_str not overwritten.

Can anyone help to achieve this? I do not understand what I am doing wrong.

+7

c # overflow unsafe buffer

Bigchief Feb 05 '11 at 12:25

source share

4 answers

Stack overflow is a call stack overflow. This is made much simpler:

 int Test () { return Test (); } Console.WriteLine (Test ());

If you meant buffer overflow , there is a similar question .

+6

Dan abramov Feb 05 '11 at 12:30

source share

A traditional attack that uses buffer overflows overflows the stack buffer; you overflow the heap buffer. It is much easier to see an entry in one buffer splitting another buffer when they are both on the stack. Try using stackalloc instead of the new char to force the allocation to the stack.

+6

Eric Lippert Feb 05 '11 at 15:43

source share

It seems you are not doing stackoverflow here - you are not using the stack at all. Instead, you are trying to create a buffer overflow, I believe that unsafe C # is similar to C, which seems like a few important differences.

Overflow stackoverflow can be done simply:

 public void Stackoverflow() { Stackoverflow(); }

and then calling Stackoverflow() somewhere.

0

Callum rogers Feb 05 '11 at 12:32

source share

Hans passant · Accepted Answer · 2011-02-05T13:25:10+0000

You are missing the fact that arrays themselves are objects. They have an object header, like any type of managed link, and a private field that stores the size of the array. Before you begin to overwrite array elements, you must overwrite them. On a 32-bit machine, you will begin to overwrite the first ptr_str2 element as follows:

  for (int i = 0; i < 13; i++) { ptr_str[i] = 'a'; }

Of course it should have been 13.

Notice this by setting a breakpoint in the for loop. Debugging + Windows + Memory + Memory 1, enter "ptr_str" in the "Address" field. A code step to see how memory has changed. After that, you will see ptr_str2, 4 bytes for syncblk, 4 bytes for the pointer to the method table and 4 bytes for the length of the array. Only 12 bytes, 6 characters.

C # creating buffer overflows

More articles: