2015-11-06 71 views
0

I want to write a very simple program that highlights how a buffer overflow exploit can be used to bypass a password-protected system: a simple buffer overflow exploit by entering a string longer than 15 characters when asked to enter my password the second time.

#include <stdio.h> 
#include <string.h> 

int main(void) 
{ 
    char buff[15]; 
    char tempbuff[15]; 
    int pass = 0; 

    printf("\n Enter a password of length between 1 and 15 characters : \n"); 
    gets(buff);          /* no bounds check: more than 14 characters overruns buff */
    //strcpy("%s",buff); 

    printf("\n Enter your password : \n"); 
    gets(tempbuff);      /* same here: the overflow into tempbuff is what the question is about */
    //strcpy("%s",tempbuff); 

    if(strcmp(tempbuff, buff)) 
    { 
     printf ("\n Wrong Password \n"); 

    } 
    else 
    { 
     printf ("\n Correct Password \n"); 
     pass = 1; 
    } 

    if(pass) 
    { 
     /* Now Give root or admin rights to user*/ 
     printf ("\n Root privileges given to the user \n"); 
    } 

    return 0; 
} 

Essentially, I am trying to change the value of the pass variable from 0 to 1; the code is as above. However, I have not managed to do it. Any help would be greatly appreciated!

+0

Have you googled "how to exploit buffer overflow C"? – Arc676

+0

Related: http://stackoverflow.com/questions/6220212/buffer-overflow-in-c – Arc676

+0

I have compiled it to assembly but can't seem to figure out where the pass variable is located. – user2904796

Answers

1

I was able to exploit your program on OS X with one change to the code: defining pass before tempbuff. Declaring pass before tempbuff means pass is placed after tempbuff on the stack, so overflowing tempbuff overwrites pass. I could view the addresses of pass and tempbuff in lldb (or gdb).

I also compiled it with the -fno-stack-protector option.

#include <stdio.h> 
#include <string.h> 

int main(void) 
{ 
    char buff[15]; 
    int pass = 0; 
    char tempbuff[15]; 

    printf("\n Enter a password of length between 1 and 15 characters : \n"); 
    gets(buff); 

    printf("\n Enter your password : \n"); 
    gets(tempbuff); 

    if(strcmp(tempbuff, buff)) 
    { 
     printf ("\n Wrong Password \n"); 
    } 
    else 
    { 
     printf ("\n Correct Password \n"); 
     pass = 1; 
    } 

    if(pass) 
     printf ("\n Root privileges given to the user \n"); 

    return 0; 
} 

Compiled with: gcc -Wall -Wextra -O0 -g -fno-stack-protector buf.c -o buf

Here is the input sequence:

safepassword 
123456789

Here is the output:

$ ./buf < over 

Enter a password of length between 1 and 15 characters : 
warning: this program uses gets(), which is unsafe. 

Enter your password : 

Wrong Password 

Root privileges given to the user 
1

There is no guarantee of the order in which memory is allocated to local variables, nor that they will end up in contiguous locations. The modified code below should work on most systems. It uses the fact that struct members are allocated contiguous memory locations (note also that the array sizes have been changed to avoid padding).

#include <stdio.h> 
#include <string.h> 

struct app { 
    char buff[16]; 
    char tempbuff[16]; 
    int pass; 
}; 

int main(void) 
{ 
    struct app app; 
    app.pass = 0; 

    printf("\n Enter a password of length between 1 and 15 characters : \n"); 
    gets(app.buff); 
    //strcpy("%s",buff); 

    printf("\n Enter your password : \n"); 
    gets(app.tempbuff); 
    //strcpy("%s",tempbuff); 

    if(strcmp(app.tempbuff, app.buff)) 
    { 
     printf ("\n Wrong Password \n"); 

    } 
    else 
    { 
     printf ("\n Correct Password \n"); 
     app.pass = 1; 
    } 

    if(app.pass) 
    { 
     /* Now Give root or admin rights to user*/ 
     printf ("\n Root privileges given to the user \n"); 
    } 

    return 0; 
}
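A hardened counterpart to the struct-based program above, added here as an example and not code from the original thread: the same contiguous layout is kept, but every copy is bounded and an over-long line is rejected instead of being written past the buffer, so app.pass can only be set through the comparison. The names bounded_copy, authenticate and read_line are my own.

```c
#include <stdio.h>
#include <string.h>

#define PASS_MAX 15   /* the limit the prompt promises: 1 to 15 characters */

/* Same contiguous layout as the struct in the answer above; the hardened
   code below never writes past tempbuff, so pass cannot be clobbered. */
struct app {
    char buff[PASS_MAX + 1];
    char tempbuff[PASS_MAX + 1];
    int pass;
};

/* Copy src into dst only if it fits, terminator included; otherwise
   leave dst empty and return -1, touching no byte beyond dst. */
static int bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n >= cap) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);
    return 0;
}

/* 1 on match, 0 on mismatch, -1 if either input exceeds PASS_MAX.
   a->pass can only become 1 through the strcmp branch. */
int authenticate(struct app *a, const char *stored, const char *entered)
{
    a->pass = 0;
    if (bounded_copy(a->buff, sizeof a->buff, stored) != 0 ||
        bounded_copy(a->tempbuff, sizeof a->tempbuff, entered) != 0)
        return -1;
    if (strcmp(a->tempbuff, a->buff) == 0)
        a->pass = 1;
    return a->pass;
}

/* gets() replacement: fgets() reads at most cap-1 bytes; if no newline
   arrived the line was longer, so drain it and return -1 rather than truncate.
   Use a buffer of PASS_MAX + 2 bytes (15 chars, '\n', '\0') at each prompt. */
int read_line(char *dst, size_t cap, FILE *in)
{
    if (fgets(dst, (int)cap, in) == NULL) return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') { dst[n - 1] = '\0'; return 0; }
    int c = fgetc(in);
    if (c == EOF) return 0;                      /* short final line without '\n' */
    while (c != '\n' && c != EOF) c = fgetc(in); /* drain the oversized line */
    return -1;
}
```

Wire read_line() into the two prompts in place of gets(), and treat a -1 return as "input rejected" rather than proceeding to the comparison.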