hacktricks/binary-exploitation/integer-overflow.md

# Kuzidi Kwa Nambari

{% hint style="success" %}
Jifunze & zoezi AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**Mafunzo ya HackTricks AWS Timu Nyekundu Mtaalam (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & zoezi GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**Mafunzo ya HackTricks GCP Timu Nyekundu Mtaalam (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa michango**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Taarifa Msingi

Katikati ya **kuzidi kwa nambari** kuna kikwazo kilichowekwa na **ukubwa** wa aina za data katika programu ya kompyuta na **utafsiri** wa data.

Kwa mfano, **nambari isiyo na saini ya biti 8** inaweza kuwakilisha thamani kutoka **0 hadi 255**. Ikiwa unajaribu kuhifadhi thamani 256 katika nambari isiyo na saini ya biti 8, itazunguka hadi 0 kutokana na kikwazo cha uwezo wake wa kuhifadhi. Vivyo hivyo, kwa **nambari isiyo na saini ya biti 16**, ambayo inaweza kuhifadhi thamani kutoka **0 hadi 65,535**, kuongeza 1 hadi 65,535 kutazungusha thamani kurudi 0.

Zaidi ya hayo, **nambari iliyo na saini ya biti 8** inaweza kuwakilisha thamani kutoka **-128 hadi 127**. Hii ni kwa sababu biti moja hutumiwa kuwakilisha ishara (chanya au hasi), ikisalia biti 7 kuwakilisha ukubwa. Nambari hasi zaidi inawakilishwa kama **-128** (binary `10000000`), na nambari chanya zaidi ni **127** (binary `01111111`).

### Thamani Kubwa

Kwa **mambo ya uwezekano wa hatari za wavuti** ni muhimu sana kujua thamani kubwa zinazoungwa mkono:

{% tabs %}
{% tab title="Rust" %}
```rust
fn main() {

let mut quantity = 2147483647;

let (mul_result, _) = i32::overflowing_mul(32767, quantity);
let (add_result, _) = i32::overflowing_add(1, quantity);

println!("{}", mul_result);
println!("{}", add_result);
}
```
{% endtab %}

{% tab title="Swahili" %}
### Kuzidisha Kima cha Nambari za Inti (Integer Overflow)

Kuzidisha kima cha nambari za inti ni mbinu inayotumika katika udukuzi wa programu ambapo mshambuliaji anajaribu kuzidisha kima cha nambari ya inti ili kusababisha hitilafu au kufikia sehemu fulani ya kumbukumbu. Hii inaweza kusababisha matokeo yasiyotarajiwa kama vile kubadilisha thamani ya nambari ya inti au hata kusababisha programu kushindwa kufanya kazi ipasavyo. Mbinu hii inaweza kutumiwa kwa faida ya mshambuliaji kuchukua udhibiti wa programu au mfumo unaolengwa. Kwa hiyo, ni muhimu kwa watengenezaji wa programu kuhakikisha wanachukua hatua za usalama dhidi ya kuzidisha kima cha nambari za inti. 
{% endtab %}
```c
#include <stdio.h>
#include <limits.h>

int main() {
int a = INT_MAX;
int b = 0;
int c = 0;

b = a * 100;
c = a + 1;

printf("%d\n", INT_MAX);
printf("%d\n", b);
printf("%d\n", c);
return 0;
}
```
## Mifano

### Kujaa kwa kiasi kikubwa

Matokeo yaliyochapishwa yatakuwa 0 kwa sababu tulijaza kwa kiasi kikubwa char:
```c
#include <stdio.h>

int main() {
unsigned char max = 255; // 8-bit unsigned integer
unsigned char result = max + 1;
printf("Result: %d\n", result); // Expected to overflow
return 0;
}
```
### Kubadilisha Kutoka Nambari Iliyosainiwa Kwenda Nambari Isiyosainiwa

Zingatia hali ambapo nambari iliyosainiwa inasomwa kutoka kwa mwingiliano wa mtumiaji na kisha kutumika katika muktadha ambao unaitumia kama nambari isiyosainiwa, bila ukaguzi sahihi:
```c
#include <stdio.h>

int main() {
int userInput; // Signed integer
printf("Enter a number: ");
scanf("%d", &userInput);

// Treating the signed input as unsigned without validation
unsigned int processedInput = (unsigned int)userInput;

// A condition that might not work as intended if userInput is negative
if (processedInput > 1000) {
printf("Processed Input is large: %u\n", processedInput);
} else {
printf("Processed Input is within range: %u\n", processedInput);
}

return 0;
}
```
Katika mfano huu, ikiwa mtumiaji anaingiza nambari hasi, itachukuliwa kama nambari kubwa isiyosainiwa kutokana na jinsi thamani za binary zinavyochukuliwa, hivyo kusababisha tabia isiyotarajiwa.

### Mifano Mingine

* [https://guyinatuxedo.github.io/35-integer\_exploitation/int\_overflow\_post/index.html](https://guyinatuxedo.github.io/35-integer\_exploitation/int\_overflow\_post/index.html)
* Inatumika 1B tu kuhifadhi ukubwa wa nenosiri hivyo inawezekana kufanya kuzidi na kufanya iweze kufikiria kuwa urefu wake ni 4 wakati ukweli ni 260 ili kuepuka ulinzi wa ukaguzi wa urefu
* [https://guyinatuxedo.github.io/35-integer\_exploitation/puzzle/index.html](https://guyinatuxedo.github.io/35-integer\_exploitation/puzzle/index.html)
* Kwa kupewa jozi ya nambari, tafuta kutumia z3 nambari mpya ambayo ikiongezwa na ya kwanza itatoa ya pili:&#x20;

```
(((argv[1] * 0x1064deadbeef4601) & 0xffffffffffffffff) == 0xD1038D2E07B42569)
```
* [https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/)
* Inatumika 1B tu kuhifadhi ukubwa wa nenosiri hivyo inawezekana kufanya kuzidi na kufanya iweze kufikiria kuwa urefu wake ni 4 wakati ukweli ni 260 ili kuepuka ulinzi wa ukaguzi wa urefu na kuandika upya kwenye stack kipengele cha ndani kinachofuata na kuepuka ulinzi wote wawili

## ARM64

Hii **haibadiliki katika ARM64** kama unavyoweza kuona katika [**chapisho hili la blogi**](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/).