2015-11-06 76 views
0

I want to write a very simple program that highlights how a buffer overflow exploit can bypass a password-protected system: a simple buffer overflow exploit performed by entering a string longer than 15 characters when asked to enter my password the second time.

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    char tempbuff[15];
    int pass = 0;

    printf("\n Enter a password of length between 1 and 15 characters : \n");
    gets(buff);
    //strcpy("%s",buff);

    printf("\n Enter your password : \n");
    gets(tempbuff);
    //strcpy("%s",tempbuff);

    if(strcmp(tempbuff, buff))
    {
        printf ("\n Wrong Password \n");
    }
    else
    {
        printf ("\n Correct Password \n");
        pass = 1;
    }

    if(pass)
    {
        /* Now give root or admin rights to the user */
        printf ("\n Root privileges given to the user \n");
    }

    return 0;
}

Essentially, I am trying to change the value of the pass variable from 0 to 1; the code is shown above. However, I have not managed to do it yet. Any help would be much appreciated!

+0

Did you Google "how to exploit buffer overflow C"? – Arc676

+0

Related: http://stackoverflow.com/questions/6220212/buffer-overflow-in-c – Arc676

+0

I have compiled it to assembly but can't seem to determine where the pass variable is located. – user2904796

Answer

1

I was able to exploit your program on OS X with one change to the code: defining pass before tempbuff. Declaring pass before tempbuff means pass is placed after tempbuff on the stack, so overflowing tempbuff overwrites pass. I could check the addresses of pass and tempbuff in lldb (or gdb).

I also compiled it with the -fno-stack-protector option.

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    int pass = 0;
    char tempbuff[15];

    printf("\n Enter a password of length between 1 and 15 characters : \n");
    gets(buff);

    printf("\n Enter your password : \n");
    gets(tempbuff);

    if(strcmp(tempbuff, buff))
    {
        printf ("\n Wrong Password \n");
    }
    else
    {
        printf ("\n Correct Password \n");
        pass = 1;
    }

    if(pass)
        printf ("\n Root privileges given to the user \n");

    return 0;
}

Compiled with: gcc -Wall -Wextra -O0 -g -fno-stack-protector buf.c -o buf

Here is the input sequence:

safepassword 
123456789

Here is the output:

$ ./buf < over 

Enter a password of length between 1 and 15 characters : 
warning: this program uses gets(), which is unsafe. 

Enter your password : 

Wrong Password 

Root privileges given to the user 
1

There is no guarantee of the order in which memory is allocated to local variables, and no guarantee that they will be placed in contiguous locations. The modified code below should work on most systems. It relies on the fact that struct members are allocated contiguous memory locations (note also that the array sizes have been changed to avoid padding).

#include <stdio.h>
#include <string.h>

struct app {
    char buff[16];
    char tempbuff[16];
    int pass;
};

int main(void)
{
    struct app app;
    app.pass = 0;

    printf("\n Enter a password of length between 1 and 15 characters : \n");
    gets(app.buff);
    //strcpy("%s",buff);

    printf("\n Enter your password : \n");
    gets(app.tempbuff);
    //strcpy("%s",tempbuff);

    if(strcmp(app.tempbuff, app.buff))
    {
        printf ("\n Wrong Password \n");
    }
    else
    {
        printf ("\n Correct Password \n");
        app.pass = 1;
    }

    if(app.pass)
    {
        /* Now give root or admin rights to the user */
        printf ("\n Root privileges given to the user \n");
    }

    return 0;
}
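For contrast with the deliberately vulnerable programs above, here is a hardened version of the same password check, added as an example and not taken from the question or either answer. It replaces gets() with a bounded fgets() reader that rejects overlong lines (so no byte can land outside the buffer, whatever the stack layout) and compares passwords without an early exit; PASS_MAX, BUF_LEN, read_password and passwords_equal are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#define PASS_MAX 15             /* longest password the program accepts */
#define BUF_LEN  (PASS_MAX + 2) /* PASS_MAX chars + '\n' + '\0' */
/* Bounded replacement for gets(). Returns 1 with the newline stripped when
 * the whole line fit; returns 0 on EOF or when the line exceeded PASS_MAX,
 * draining the overlong remainder so it cannot spill into the next prompt. */
static int read_password(char *dst, size_t dstsize, FILE *in)
{
    size_t n;
    int c;
    if (fgets(dst, (int)dstsize, in) == NULL)
        return 0;
    n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 1;
    }
    while ((c = fgetc(in)) != EOF && c != '\n') { } /* discard the overflow */
    return 0;
}
/* Always scans PASS_MAX bytes so timing does not reveal how many leading
 * characters matched; anything longer than PASS_MAX is rejected. 1 = equal. */
int passwords_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb || la > PASS_MAX);
    for (i = 0; i < PASS_MAX; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}
int main(void)
{
    char buff[BUF_LEN], tempbuff[BUF_LEN];
    int pass = 0;
    printf("\n Enter a password of length between 1 and 15 characters : \n");
    if (!read_password(buff, sizeof buff, stdin) || buff[0] == '\0')
        return 1;               /* empty or overlong: refuse to continue */
    printf("\n Enter your password : \n");
    if (read_password(tempbuff, sizeof tempbuff, stdin) && passwords_equal(tempbuff, buff))
        pass = 1;
    fputs(pass ? "\n Correct Password \n" : "\n Wrong Password \n", stdout);
    if (pass)
        printf("\n Root privileges given to the user \n");
    return 0;
}
```

Feeding it the answer's "over" file now ends at "Wrong Password" with pass still 0, because the second line is either stored whole or discarded, never written past tempbuff. A final line without a trailing newline is treated as incomplete, so input should be newline-terminated.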