2024-04-07 02:33:04 +00:00
# 整数溢出
2024-07-18 17:33:27 +00:00
{% hint style="success" %}
学习并练习 AWS 黑客技术:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
学习并练习 GCP 黑客技术:< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks 培训 GCP 红队专家 (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2024-04-07 02:33:04 +00:00
2024-07-18 17:33:27 +00:00
< details >
2024-04-07 02:33:04 +00:00
2024-07-18 17:33:27 +00:00
< summary > 支持 HackTricks< / summary >
2024-04-07 02:33:04 +00:00
2024-07-18 17:33:27 +00:00
* 查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群组** ](https://t.me/peass ) 或 **关注**我们的 **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* 通过向 [**HackTricks** ](https://github.com/carlospolop/hacktricks ) 和 [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github 仓库提交 PR 来分享黑客技巧。
2024-04-07 02:33:04 +00:00
< / details >
2024-07-18 17:33:27 +00:00
{% endhint %}
2024-04-07 02:33:04 +00:00
## 基本信息
2024-07-18 17:33:27 +00:00
在**整数溢出**的核心是计算机编程中数据类型的**大小**限制和数据的**解释**。
2024-04-07 02:33:04 +00:00
2024-07-18 17:33:27 +00:00
例如,一个**8位无符号整数**可以表示从**0到255**的值。如果尝试将值256存储在8位无符号整数中, , , ,
2024-04-07 02:33:04 +00:00
2024-07-18 17:33:27 +00:00
此外,一个**8位有符号整数**可以表示从**-128到127**的值。这是因为一个比特用于表示符号( ) , `10000000` ),最正数为**127**(二进制 `01111111` )。
2024-04-07 02:33:04 +00:00
### 最大值
2024-04-10 15:34:01 +00:00
对于潜在的**网络漏洞**,了解最大支持的值非常有趣:
2024-04-07 02:33:04 +00:00
{% tabs %}
{% tab title="Rust" %}
```rust
fn main() {
let mut quantity = 2147483647;
let (mul_result, _) = i32::overflowing_mul(32767, quantity);
let (add_result, _) = i32::overflowing_add(1, quantity);
println!("{}", mul_result);
println!("{}", add_result);
}
```
{% endtab %}
{% tab title="C" %}
2024-07-18 17:33:27 +00:00
整数溢出是一种常见的安全漏洞,发生在对整数进行算术运算时,结果超出了该整数类型所能表示的范围。这可能导致未预期的行为,如数据损坏、程序崩溃或甚至远程代码执行。在 C 语言中,整数溢出是一种常见的问题,因为 C 不会自动检查整数运算是否会导致溢出。为了防止整数溢出,开发人员应该谨慎设计他们的代码,确保在进行整数运算时考虑到可能的溢出情况。
{% endtab %}
2024-04-07 02:33:04 +00:00
```c
#include <stdio.h>
#include <limits.h>
int main() {
int a = INT_MAX;
int b = 0;
int c = 0;
b = a * 100;
c = a + 1;
printf("%d\n", INT_MAX);
printf("%d\n", b);
printf("%d\n", c);
return 0;
}
```
## 例子
### 纯溢出
2024-04-10 15:34:01 +00:00
打印结果将为0, :
2024-04-07 02:33:04 +00:00
```c
#include <stdio.h>
int main() {
unsigned char max = 255; // 8-bit unsigned integer
unsigned char result = max + 1;
printf("Result: %d\n", result); // Expected to overflow
return 0;
}
```
### 有符号转无符号转换
考虑这样一种情况:从用户输入中读取一个有符号整数,然后在一个将其视为无符号整数的上下文中使用,但没有进行适当的验证:
```c
#include <stdio.h>
int main() {
int userInput; // Signed integer
printf("Enter a number: ");
scanf("%d", &userInput);
// Treating the signed input as unsigned without validation
unsigned int processedInput = (unsigned int)userInput;
// A condition that might not work as intended if userInput is negative
if (processedInput > 1000) {
printf("Processed Input is large: %u\n", processedInput);
} else {
printf("Processed Input is within range: %u\n", processedInput);
}
return 0;
}
```
在这个例子中,如果用户输入一个负数,由于二进制值的解释方式,它将被解释为一个大的无符号整数,可能导致意外行为。
### 其他示例
* [https://guyinatuxedo.github.io/35-integer\_exploitation/int\_overflow\_post/index.html ](https://guyinatuxedo.github.io/35-integer\_exploitation/int\_overflow\_post/index.html )
2024-04-10 15:34:01 +00:00
* 只使用1B来存储密码的大小, , , ,
2024-04-07 02:33:04 +00:00
* [https://guyinatuxedo.github.io/35-integer\_exploitation/puzzle/index.html ](https://guyinatuxedo.github.io/35-integer\_exploitation/puzzle/index.html )
2024-04-10 15:34:01 +00:00
* 给定一对数字, , :  
2024-04-07 02:33:04 +00:00
```
(((argv[1] * 0x1064deadbeef4601) & 0xffffffffffffffff) == 0xD1038D2E07B42569)
```
2024-04-10 15:34:01 +00:00
* [https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/ ](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/ )
2024-07-18 17:33:27 +00:00
* 只使用1B来存储密码的大小, , , , ,
2024-04-07 02:33:04 +00:00
2024-04-10 15:34:01 +00:00
## ARM64
2024-07-18 17:33:27 +00:00
这在ARM64中**没有改变**,如您可以在[**这篇博客文章**](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/)中看到的。
2024-04-07 02:33:04 +00:00
2024-07-18 17:33:27 +00:00
{% hint style="success" %}
学习并练习AWS Hacking: < img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
学习并练习GCP Hacking: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2024-04-07 02:33:04 +00:00
2024-07-18 17:33:27 +00:00
< details >
2024-04-07 02:33:04 +00:00
2024-07-18 17:33:27 +00:00
< summary > 支持 HackTricks< / summary >
2024-04-07 02:33:04 +00:00
2024-07-18 17:33:27 +00:00
* 查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群组** ](https://t.me/peass ) 或 **关注**我们的 **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库提交 PR 来分享黑客技巧。
2024-04-07 02:33:04 +00:00
< / details >
2024-07-18 17:33:27 +00:00
{% endhint %}
