Simple Buffer Overflow Exploit


Problem description

I am trying to write a very simple program that highlights how a buffer overflow exploit can be used to bypass a password protected system. The code is given below:

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    char tempbuff[15];
    int pass = 0;

    printf("\n Enter a password of length between 1 and 15 characters : \n");
    gets(buff);
    //strcpy("%s",buff);

    printf("\n Enter your password : \n");
    gets(tempbuff);
    //strcpy("%s",tempbuff);

    if(strcmp(tempbuff, buff))
    {
        printf ("\n Wrong Password \n");

    }
    else
    {
        printf ("\n Correct Password \n");
        pass = 1;
    }

    if(pass)
    {
       /* Now Give root or admin rights to user*/
        printf ("\n Root privileges given to the user \n");
    }

    return 0;
}

Essentially, I am trying to alter the value of the pass variable from 0 to 1 by inputting a string that is greater than 15 characters when asked to input my password the second time around. However, I haven't been able to do so as of yet. Any help will be very appreciated!

Recommended answer

I was able to exploit your program in OS X with one change to your code. That was to define pass before tempbuff. Declaring pass before tempbuff means that pass is placed after tempbuff on the stack and therefore overflowing tempbuff will overwrite pass. I was able to check the addresses of pass and tempbuff in lldb (or gdb).

I also compiled it with the -fno-stack-protector option.

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    int pass = 0;
    char tempbuff[15];

    printf("\n Enter a password of length between 1 and 15 characters : \n");
    gets(buff);

    printf("\n Enter your password : \n");
    gets(tempbuff);

    if(strcmp(tempbuff, buff))
    {
        printf ("\n Wrong Password \n");
    }
    else
    {
        printf ("\n Correct Password \n");
        pass = 1;
    }

    if(pass)
        printf ("\n Root privileges given to the user \n");

    return 0;
}

Compiled with: gcc -Wall -Wextra -O0 -g -fno-stack-protector buf.c -o buf

Here is the input sequence:

safepassword
1234567890123456

Here is the output:

$ ./buf < over

 Enter a password of length between 1 and 15 characters :
warning: this program uses gets(), which is unsafe.

 Enter your password :

 Wrong Password

 Root privileges given to the user
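
For contrast with the two listings above, here is a hardened variant as an added example (not code from the question or the answer). It replaces gets() with a bounded read that rejects over-long lines instead of truncating them, so the 16-character second input is refused regardless of where pass sits on the stack. The names read_line, login and PW_MAX are introduced here for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PW_MAX 15   /* longest accepted password, as in the prompt above */

/* Read one line into dst (cap bytes, NUL included). Returns 0 on success,
 * -1 on EOF or read error, -2 if the line was too long (remainder discarded). */
int read_line(FILE *in, char *dst, size_t cap)
{
    if (fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strcspn(dst, "\n");
    if (dst[n] == '\n') {           /* the whole line fit: strip the newline */
        dst[n] = '\0';
        return 0;
    }
    int c = fgetc(in);              /* buffer full or input ended: peek ahead */
    if (c == EOF || c == '\n')
        return 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                           /* drain the oversized line */
    return -2;
}

/* Returns 1 only when both lines were read in full and are equal. */
int login(FILE *in)
{
    char buff[PW_MAX + 1];
    int pass = 0;                   /* same stack order as the answer's variant */
    char tempbuff[PW_MAX + 1];

    if (read_line(in, buff, sizeof buff) == 0 &&
        read_line(in, tempbuff, sizeof tempbuff) == 0 &&
        buff[0] != '\0' && strcmp(tempbuff, buff) == 0)
        pass = 1;
    return pass;
}

int main(void)
{
    puts(login(stdin) ? "Root privileges given to the user" : "Wrong Password");
    return 0;
}
```

Built with the stack protector left on (the compiler default on most current toolchains, i.e. without -fno-stack-protector), the same input file prints only "Wrong Password".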
