
How to 'hack' with buffer overflow attack

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strcmp() */

/* gets() was removed in C11 but is the unbounded read this question is about;
   build with a pre-C11 standard, e.g. gcc -std=gnu99 overflow.c */

/* Both buffers are globals: 19 spaces plus the terminating NUL fill all 20 bytes. */
char user_name[20] = "                   ";
char password[20] = "                   ";

/* Credential table; the empty pair at the end is the loop's sentinel. */
char users[][2][20] =
{ { "root", "98765" },
  { "me", "hello" },
  { "abc", "password" },
  { "", "" }
};

int check_name(void)
{
  int i;
  gets(user_name);   /* no length limit: a long line runs past user_name */
  gets(password);    /* same for password */

  for(i=0; users[i][0][0] != 0; i++)
  {
    if(strcmp(user_name, users[i][0]) == 0 &&
       strcmp(password,  users[i][1]) == 0)
       return 1;
  }
  return 0;
}

void logon(void)
{
  printf("Welcome! \n");
  exit(1);
}

void reject(void)
{
  printf("Connection closed !\n");
  /* Debug output: print the first table entry up to its first NUL byte. */
  printf("Real username: \n");
  printf("%s\n", users[0][0]);
  printf("Real password: \n");
  printf("%s\n", users[0][1]);
  exit(0);
}

int main(void)
{
  if(check_name())
    logon();
  else
    reject();
  return 0;
}

Hey guys, I kind of understand the theory behind buffer overflow, but I can't seem to make it work here.

Note that I added extra printf calls to output the real username and password, to see how much I overwrote in memory.

I tried writing a random letter x.

First I did: username = 20 x's, password = 60 x's, and the output was:

Real user:
xxxxxxxxxxxxxxxxxxxxxxxxxxxx                    // 28 x's
Real pass:
xxxxxxxx                                        // 8 x's

So I added 12 x's to the password to make it the maximal size of 20, so password = 72 x's, and the output was:

// with input user = 20 x's and pass = 72 x's

Real user:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        // 40
Real pass:
xxxxxxxxxxxxxxxxxxxx                            // 20

Ultimately I thought that by updating my input username to 40 x's it would work, but it didn't. The output was identical to the last one (40 x's for real user and 20 x's for real password), but I still couldn't "hack" it.

I'm not sure what to do at this point. Thanks in advance!

You have to understand what constitutes a string in C. Something like printf will continue to print bytes out of a string until it hits a NULL character. Embedding a string in a program the way you did ( foo="barbaz" ) automatically includes a null character.

A buffer overflow error happens when a program reads a string into a fixed length buffer, but the input is larger than the buffer. For instance, if I have char username[8] , but the user inputs supercalifragilisticexpialidocious .

Obviously, the input is larger than the buffer, and if the program allows all the input in, it will continue to overwrite whatever in memory is beyond the username.

In this situation, a clever enough hacker can overwrite the memory in a way that would provide her with access to parts of the program or data she wouldn't normally have access to.

So, to answer your question, because of how you constructed the program using strings completely defined within the compiled part of the code, you cannot have a buffer overflow error.

Try accepting unbounded user input, and then putting more data in than the buffer can accept, to see what happens to the resulting memory blocks.
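The mechanism the answer describes, as an added example that is not part of the original question or answer: an 8-byte username buffer with a privilege flag placed right behind it, an unbounded reader modelled on gets()/strcpy() that keeps copying past the end of the buffer, and a bounded reader that refuses input that does not fit. It also shows the string point from the answer's first paragraph: once no NUL lands inside the field, "printing the username" walks straight into the neighbouring bytes. The struct layout, the field names and the function names are assumptions made for this example; the two inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Memory layout assumed for this example (not from the original post):
 * an 8-byte username buffer sits directly in front of a privilege flag,
 * and some spare room follows so the demonstration stays inside one object.
 */
struct login_state {
    char username[8];       /* the fixed-length buffer from the answer */
    unsigned char is_admin; /* data the user must not be able to reach */
    char spare[55];         /* room for the demo; a real program keeps other data here */
};

/*
 * Unbounded read, modelled on gets()/strcpy(): copy bytes starting at
 * username[0] and keep going until the input's NUL, regardless of where
 * username[] ends. The struct is addressed as raw bytes so the overrun is
 * deterministic. Deliberately vulnerable.
 */
static void read_username_unbounded(struct login_state *st, const char *input)
{
    unsigned char *mem = (unsigned char *)st;
    size_t off = offsetof(struct login_state, username);
    size_t i = 0;

    /* This size check only keeps the demo inside the struct; gets() has none. */
    while (input[i] != '\0' && off + i < sizeof *st - 1) {
        mem[off + i] = (unsigned char)input[i];
        i++;
    }
    mem[off + i] = '\0';
}

/* Bounded read: refuse anything that does not fit, terminating NUL included. */
static int read_username_bounded(struct login_state *st, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof st->username)
        return -1;
    memcpy(st->username, input, n + 1);
    return 0;
}

/* What printf("%s", username) would show: bytes from username[0] to the first NUL. */
static size_t printable_length(const struct login_state *st)
{
    const unsigned char *mem = (const unsigned char *)st;
    size_t off = offsetof(struct login_state, username);
    size_t n = 0;
    while (off + n < sizeof *st && mem[off + n] != '\0')
        n++;
    return n;
}

/* Run one input through the unbounded reader; returns the flag value afterwards. */
static int admin_after_unbounded(const char *input, size_t *shown_len)
{
    struct login_state st;
    memset(&st, 0, sizeof st);
    read_username_unbounded(&st, input);
    if (shown_len)
        *shown_len = printable_length(&st);
    return st.is_admin;
}

/* Same for the bounded reader; *accepted reports whether the input was taken. */
static int admin_after_bounded(const char *input, int *accepted)
{
    struct login_state st;
    memset(&st, 0, sizeof st);
    *accepted = (read_username_bounded(&st, input) == 0);
    return st.is_admin;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that does not. */
    const char *inputs[] = { "alice", "supercalifragilisticexpialidocious" };
    for (size_t k = 0; k < 2; k++) {
        size_t shown;
        int accepted;
        int a = admin_after_unbounded(inputs[k], &shown);
        int b = admin_after_bounded(inputs[k], &accepted);
        printf("%-36s unbounded: is_admin=%d shown=%zu | bounded: accepted=%d is_admin=%d\n",
               inputs[k], a, shown, accepted, b);
    }
    return 0;
}
```

With the long input the unbounded reader leaves byte 8 of the input ('i') in is_admin and the "printed" username runs for all 34 bytes, because the first NUL is now past the flag; the bounded reader rejects the same input and the flag stays 0. Rejecting rather than silently truncating is the usual choice for a credential field, since a truncated name would still match a shorter account.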

Notice: the technical posts on this site are published under the CC BY-SA 4.0 licence; if you repost them, please credit this site's URL or the original source. For any questions contact yoyou2525@163.com.

© 2020-2024 STACKOOM.COM