
What is the vulnerability in this C code?

I'm trying to understand buffer overflow attacks better. This is one of the exercises that came up; it has a buffer overflow vulnerability. I would like to know how one can exploit the vulnerability in this code. I wasn't sure how to search for it.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int foo(char *arg);
int bar(char *arg);

int
main(int argc, char **argv)
{
    /* argv[1] is used without checking argc */
    (void) foo(argv[1]);
    exit(0);
}

int
foo(char *arg)
{
    return bar(arg);
}

int
bar(char *arg)
{
    char lbuf[1024];
    if (strlen(arg) >= 1024)
        return -1;

    memset(lbuf, 0, sizeof(lbuf));
    sprintf(lbuf, "%s", "Welcome: ");
    /* bounded read; the NUL terminator set by memset is preserved */
    read(0, lbuf + strlen(lbuf), sizeof(lbuf) - strlen(lbuf) - 1);
    printf(lbuf);   /* the buffer, including user input, is used as the format string */
    fflush(stdout);

    return 0;
}

There is no buffer overflow there, at all. But that doesn't mean it's secure.

The problem you are expected to find is this line:

printf(lbuf);

Whenever you provide a format string, make sure it is safely under your control and only asks for the arguments you provided. Accessing arguments not provided, or of the wrong type, results in undefined behavior (all kinds of bizarre and potentially dangerous things can happen). Additionally, one can use %n to poke some memory, which is more obviously dangerous.
In this case, lbuf contains Welcome: followed by arbitrary, insecure user input.

In addition, the program unconditionally reads argv[1] (assumption argc > 0), and further assumes it points to a string (assumption argc > 1) when passing it to strlen().
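A hardened form of bar(), added here as an example and not part of the question or either answer. It assumes the user input arrives as a string argument (the original reads it from fd 0) and writes the greeting into a caller buffer so the result can be checked; count_conversions() is a helper of this example that reports how many directives printf() would try to consume if the user's text were passed as the format.

```c
#include <stdio.h>
#include <string.h>

/* Count the '%' conversions printf would consume if s were used as a format
 * string; "%%" is a literal percent and is not counted. A non-zero result for
 * user-controlled text means printf(s) would interpret the user's data. */
size_t count_conversions(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s == '%' && s[1] == '%')
            s++;                    /* skip the second half of "%%" */
        else if (*s == '%')
            n++;
    }
    return n;
}

/* Hardened bar(): every write is bounded and the user data only ever passes
 * through a "%s" conversion. The greeting is copied into out (capacity outsz).
 * Returns the greeting length, or -1 on NULL or over-long input. */
int bar_fixed(const char *user_input, char *out, size_t outsz)
{
    char lbuf[1024];
    int len;

    if (user_input == NULL || strlen(user_input) >= sizeof(lbuf))
        return -1;
    /* snprintf truncates rather than overrunning lbuf */
    len = snprintf(lbuf, sizeof(lbuf), "Welcome: %s", user_input);
    if (len < 0 || (size_t)len >= sizeof(lbuf))
        return -1;
    snprintf(out, outsz, "%s", lbuf);   /* never printf(lbuf) */
    return len;
}

int main(int argc, char **argv)
{
    char out[1100];
    if (argc < 2) {                     /* the original assumed argc > 1 */
        fprintf(stderr, "usage: %s name\n", argv[0]);
        return 1;
    }
    if (bar_fixed(argv[1], out, sizeof(out)) < 0)
        return 1;
    return fputs(out, stdout) == EOF;
}
```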

Your code is just UB without any possible hacks (if we consider only the buffer overflow and will analyze any other possible ones).

A buffer overflow, to be used as an attacking technique, must overwrite some data used later in the program. It may be changing variables, or placing some code (less common but possible).

An example:

#include <stdio.h>
#include <string.h>

int CheckPassword(void)
{
    char passwd[5];            /* room for 4 characters plus the NUL */
    int passwordcorrect = 0;   /* lives next to passwd on the stack */

    printf("Enter password:");
    gets(passwd);              /* unbounded read: longer input runs past passwd */

    if(!strcmp(passwd, "1234"))
    {
        passwordcorrect = 1;
    }
    return passwordcorrect;
}

int main(void)
{
    if(CheckPassword())
    {
        printf("\nSpecial privileges granted!!\n");
    }
    else
    {
        printf("\nWrong!!\n");
    }
    return 0;
}

Compiled with mingw.

And the result:

[screenshot of the program output]

Why did it happen? Because the buffer has overwritten the passwordcorrect variable. It is system-, implementation-, etc.-related, but hacking is not something abstract or portable :)
