Simple Buffer Overflow Exploit
I am trying to write a very simple program that highlights how a buffer overflow exploit can be used to bypass a password protected system. The code is given below:
    #include <stdio.h>
    #include <string.h>

    int main(void)
    {
        char buff[15];
        char tempbuff[15];
        int pass = 0;

        printf("\n Enter a password of length between 1 and 15 characters : \n");
        gets(buff);
        //strcpy("%s",buff);

        printf("\n Enter your password : \n");
        gets(tempbuff);
        //strcpy("%s",tempbuff);

        if(strcmp(tempbuff, buff))
        {
            printf ("\n Wrong Password \n");
        }
        else
        {
            printf ("\n Correct Password \n");
            pass = 1;
        }

        if(pass)
        {
            /* Now Give root or admin rights to user*/
            printf ("\n Root privileges given to the user \n");
        }
        return 0;
    }
Essentially, I am trying to alter the value of the pass variable from 0 to 1 by inputting a string that is greater than 15 characters when asked to input my password the second time around. However, I haven't been able to do so as of yet.

Any help will be very appreciated!
I was able to exploit your program in OS X with one change to your code. That was to define `pass` before `tempbuff`. Declaring `pass` before `tempbuff` means that `pass` is placed after `tempbuff` on the stack and therefore overflowing `tempbuff` will overwrite `pass`. I was able to check the addresses of `pass` and `tempbuff` in `lldb` (or `gdb`).

I also compiled it with the `-fno-stack-protector` option.
    #include <stdio.h>
    #include <string.h>

    int main(void)
    {
        char buff[15];
        int pass = 0;
        char tempbuff[15];

        printf("\n Enter a password of length between 1 and 15 characters : \n");
        gets(buff);

        printf("\n Enter your password : \n");
        gets(tempbuff);

        if(strcmp(tempbuff, buff))
        {
            printf ("\n Wrong Password \n");
        }
        else
        {
            printf ("\n Correct Password \n");
            pass = 1;
        }

        if(pass)
            printf ("\n Root privileges given to the user \n");
        return 0;
    }
Compiled with:

    gcc -Wall -Wextra -O0 -g -fno-stack-protector buf.c -o buf

Here is the input sequence:
    safepassword
    1234567890123456

Here is the output:
    $ ./buf < over

     Enter a password of length between 1 and 15 characters :
    warning: this program uses gets(), which is unsafe.

     Enter your password :

     Wrong Password

     Root privileges given to the user
There is no guarantee on the order in which the memory will be allocated for the local variables, and there is no guarantee that they will be in consecutive locations. The following modified code should work in most systems. It uses the fact that structure elements are allocated consecutive memory locations (also note that the array sizes have been changed to avoid padding).
    #include <stdio.h>
    #include <string.h>

    struct app {
        char buff[16];
        char tempbuff[16];
        int pass;
    };

    int main(void)
    {
        struct app app;
        app.pass = 0;

        printf("\n Enter a password of length between 1 and 15 characters : \n");
        gets(app.buff);
        //strcpy("%s",buff);

        printf("\n Enter your password : \n");
        gets(app.tempbuff);
        //strcpy("%s",tempbuff);

        if(strcmp(app.tempbuff, app.buff))
        {
            printf ("\n Wrong Password \n");
        }
        else
        {
            printf ("\n Correct Password \n");
            app.pass = 1;
        }

        if(app.pass)
        {
            /* Now Give root or admin rights to user*/
            printf ("\n Root privileges given to the user \n");
        }
        return 0;
    }
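The two answers above show why the demo works: `pass` has to sit directly after the buffer that `gets()` overruns. The following is an added example, not code from either answer, that makes both halves of that point concrete. It reuses the `struct app` layout from the second answer to compute, with `offsetof`, how far `pass` sits past `tempbuff` (16 bytes, since the 16-byte arrays leave no padding), and it replaces `gets()` with a bounded reader so the same two input lines from the first answer (`safepassword`, then `1234567890123456`) can no longer reach `pass`. The helper names `read_field` and `attempt_login` are my own; the inputs in `main` are constructed from the lines on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the struct in the second answer: two 16-byte arrays
 * followed by the flag the overflow was meant to flip. */
struct app {
    char buff[16];
    char tempbuff[16];
    int  pass;
};

/* Bytes from the start of tempbuff to pass. With 16-byte arrays there is
 * no alignment padding before the int, so this is exactly 16: the 17th
 * byte written into tempbuff is the first byte of pass. */
size_t pass_offset_from_tempbuff(void)
{
    return offsetof(struct app, pass) - offsetof(struct app, tempbuff);
}

/* Bounded replacement for gets(): copies one line (up to '\n' or NUL)
 * into dst, whose capacity is cap including the terminator.  A line that
 * does not fit is rejected outright (-1) instead of being written past
 * the end of dst, so nothing after dst in memory can be touched. */
int read_field(char *dst, size_t cap, const char *line)
{
    size_t n = strcspn(line, "\n");
    if (n >= cap) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, line, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened version of the check on this page.  Returns the value of pass:
 * it can only become 1 through a successful strcmp, never through an
 * overwrite, because every write into the struct is bounds-checked. */
int attempt_login(const char *set_line, const char *try_line)
{
    struct app a;
    a.pass = 0;
    if (read_field(a.buff, sizeof a.buff, set_line) != 0)
        return 0;                       /* over-long password: reject */
    if (read_field(a.tempbuff, sizeof a.tempbuff, try_line) != 0)
        return 0;                       /* over-long attempt: reject */
    if (strcmp(a.tempbuff, a.buff) == 0)
        a.pass = 1;
    return a.pass;
}

int main(void)
{
    printf("pass sits %zu bytes past tempbuff\n", pass_offset_from_tempbuff());
    /* Constructed inputs: the same two lines the first answer fed to ./buf. */
    printf("overlong attempt -> pass = %d\n",
           attempt_login("safepassword\n", "1234567890123456\n"));
    printf("matching attempt -> pass = %d\n",
           attempt_login("safepassword\n", "safepassword\n"));
    return 0;
}
```

For interactive use, read each line with `fgets(line, sizeof line, stdin)` into a line buffer and hand it to `read_field`; the important property is that the copy into the struct is checked against `sizeof` the destination, so an input longer than 15 characters is refused rather than spilling into `pass`.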