EvilZone


: buffer overflow
: Kiuhnm October 21, 2014, 06:10:15 PM
I'm reading
https://security.web.cern.ch/security/recommendations/en/codetools/c.shtml

Right at the beginning the following code is shown:

Code:
#include <stdio.h>

int grantAccess(const char *username);   /* defined elsewhere in the original */
void privilegedAction(void);

int main () {
    char username[8];
    int allow = 0;
    printf("Enter your username, please: ");
    gets(username); // user inputs "malicious"; gets() has no bounds check, this is the deliberate bug
    if (grantAccess(username)) {
        allow = 1;
    }
    if (allow != 0) { // has been overwritten by the overflow of the username.
        privilegedAction();
    }
    return 0;
}

But isn't username above allow, in memory?
: Re: buffer overflow
: Kiuhnm October 22, 2014, 01:39:17 AM
No.
: Re: buffer overflow
: Stackprotector October 22, 2014, 01:45:27 AM
Launch up GDB and see for yourself :)
: Re: buffer overflow
: Kiuhnm October 22, 2014, 02:10:53 AM
Launch up GDB and see for yourself :)

That's what I did, but I believe there is no hard rule. Maybe different compilers do things differently.
BTW, I hate gdb!
: Re: buffer overflow
: Stackprotector October 22, 2014, 02:19:50 AM
Learn 2 gdb and you will know it's all right. And yes compilers do weird shit all the time for optimization.
: Re: buffer overflow
: Kiuhnm October 22, 2014, 02:48:44 AM
I want to see the code, the registers and the memory all at once inside things called "windows"  :)
I don't see why I should use gdb instead of immunity, olly or IDA Pro.
Back in the day, I used Softice so I kinda like command-line interfaces but gdb takes it too far.
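Whether allow ends up above or below username is indeed the compiler's decision, not a rule. The following is an added example (not from the thread or the CERN page) that separates the two questions: it models the frame as a struct, where C does fix the order, so the "malicious" overwrite is reproducible, and it separately reports where this particular build placed the two real locals. simulate_gets() and allow_above_username() are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A frame modelled as a struct. C fixes member order, so here 'allow' really
 * does sit right after 'username' and an over-long copy into username runs
 * into it. This is the layout the CERN snippet assumes for its locals. */
struct frame {
    char username[8];
    int  allow;
};

/* Stand-in for gets(): copies input plus its NUL terminator with no bounds
 * check, except that the demo stays inside the struct. Returns allow after
 * the copy so the caller can see whether it was clobbered. */
int simulate_gets(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    f->allow = 0;
    memcpy((unsigned char *)f, input, n);   /* starts at username[0], spills into allow */
    return f->allow;
}

/* Real locals, declared as in the snippet. Where the compiler puts them is
 * its choice (it may add padding or a canary, or place arrays after scalars);
 * this only reports what this build did. Returns 1 if allow sits at a higher
 * address than username, 0 otherwise. */
int allow_above_username(void) {
    char username[8] = "x";
    int allow = 0;
    volatile char sink = username[0];       /* keep both locals materialised */
    (void)sink;
    return (uintptr_t)&allow > (uintptr_t)&username[0] ? 1 : 0;
}

int main(void) {
    struct frame f;
    int clobbered;

    printf("struct frame: username at +%zu, allow at +%zu\n",
           offsetof(struct frame, username), offsetof(struct frame, allow));
    printf("\"bob\"       -> allow = %d\n", simulate_gets(&f, "bob"));
    printf("\"aliceXYZ\"  -> allow = %d (8 chars: only the NUL landed in allow)\n",
           simulate_gets(&f, "aliceXYZ"));
    clobbered = simulate_gets(&f, "malicious");
    printf("\"malicious\" -> allow = %d (0x%x: the 's' and the NUL landed in allow)\n",
           clobbered, (unsigned)clobbered);
    printf("real locals on this build: allow is %s username\n",
           allow_above_username() ? "above" : "below");
    return 0;
}
```

The struct half is what the CERN comment describes; the last line of output is the only part that answers the question for a given compiler and flags, and it may flip between builds, which is why stepping through it in a debugger is the honest way to check.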
: Re: buffer overflow
: SarK0Y October 25, 2014, 11:34:00 PM
#include <stdio.h>
#include <stdlib.h>

int grantAccess(const char *username);   /* defined elsewhere, as in the original */
void privilegedAction(void);

int main () {
    int rnd=random();
    char username[8];
    int canary=rnd;
    int allow = 0;
    printf("Enter your username, please: ");
    gets(username); // user inputs "malicious"
    if (canary!=rnd){
      printf("User, my Dear! :) Please, give me an ok-sized string. It's only eight characters to input. Ain't it so complicated??? @@\n");
      exit(1); // 'exit;' on its own is a no-op expression; exit(1) actually leaves
    }
    if (grantAccess(username)) {
        allow = 1;
    }
    if (allow != 0) { // has been overwritten by the overflow of the username.
        privilegedAction();
    }
    return 0;
}

however, we can use an even simpler way  ::)

#include <stdio.h>
#include <stdlib.h>

int grantAccess(const char *username);   /* defined elsewhere, as in the original */
void privilegedAction(void);

int main () {
    char username[8];
    int allow = 0;
    printf("Enter your username, please: ");
    gets(username); // user inputs "malicious"

    if (allow==1){
      printf("User, my Dear! :) Please, give me an ok-sized string. It's only eight characters long. ;-}) Ain't it so complicated??? @@\n");
      exit(1); // 'exit;' on its own is a no-op expression; exit(1) actually leaves
    }
    allow=0;
    if (grantAccess(username)) {
        allow = 1;
    }
    if (allow != 0) { // has been overwritten by the overflow of the username.
        privilegedAction();
    }
    return 0;
}

Meanwhile, the 1st variant runs much safer  8)
: Re: buffer overflow
: SarK0Y October 25, 2014, 11:35:57 PM
ah, yeah -- seven chars long  ;D
: Re: buffer overflow
: Stackprotector October 26, 2014, 10:22:30 AM
Well this is not really safe. You can easily bruteforce the canary. Try to use the default stack protectors given by the compiler.
: Re: buffer overflow
: SarK0Y October 26, 2014, 10:45:29 PM
Well this is not really safe. You can easily bruteforce the canary. Try to use the default stack protectors given by the compiler.
bruteforce by typing at the console??? theoretically it's possible, but brute forcing is only good for a const canary: if each time you get a new one, the probability of hitting the right canary becomes too low + good security limits the number of attempts ;) however, we can use a safer & more reliable variant than canaries.
==============================================================
#include <stdio.h>
#include <string.h>

#define SIZE 40 // for our case

int main(void) {
    char name[SIZE];
    char pswd[SIZE];
    memset(name, 0, SIZE);
    memset(pswd, 0, SIZE);
    printf("Please, Enter username: \n");
    fgets(name, SIZE-1, stdin);
    int ch;
    while ((ch = getchar()) != '\n' && ch != EOF); // clears the console buffer, otherwise ye'll get nasty behavior ;D
    printf("\nPlease, Enter password: \n");
    fgets(pswd, SIZE-1, stdin);
    while ((ch = getchar()) != '\n' && ch != EOF);
    printf("Your name: %s\nYour password: %s\n", name, pswd);
    return 0;
}
======================================================
output:
Please, Enter username:
444444444444444444444444144444444444444444444444444444444444444444444444444444444

Please, Enter password:
bbbnjhgfjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjhgf
Your name: 44444444444444444444444414444444444444
Your password: bbbnjhgfjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj

Let's take wrong code:
====================================================
#include <stdio.h>
#include <string.h>

#define SIZE 40

int main(void) {
    char name[SIZE];
    char pswd[SIZE];
    memset(name, 0, SIZE);
    memset(pswd, 0, SIZE);
    printf("Please, Enter username: \n");
    fgets(name, SIZE-1, stdin);
    //system("clear");
    int ch;
    //while ((ch = getchar()) != '\n' && ch != EOF); // clears the console buffer, otherwise ye'll get nasty behavior ;D  <- left out here: the rest of the over-long username is read as the password
    printf("\nPlease, Enter password: \n");
    fgets(pswd, SIZE-1, stdin);
    while ((ch = getchar()) != '\n' && ch != EOF);
    printf("Your name: %s\nYour password: %s\n", name, pswd);
    return 0;
}
==================================================
output:

Please, Enter username:
4444444444444444444444444444444444444444444444455555555555555555555555555

Please, Enter password:
44444444444444444444444444444444444444444444
Your name: 44444444444444444444444444444444444444
Your password: 44444444455555555555555555555555555
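The fgets-plus-drain pattern above has one more edge to handle: if the line fitted and fgets already consumed the newline, an unconditional drain swallows the next line (the password). Below is an added example, not the thread's code, of a bounded line reader that reports whether the line was cut and drains only in that case, applied to the original username/allow flow so that nothing can write past username[8]. grantAccess() is an assumed stand-in that accepts one fixed name, read_line(), login() and stream_from() are names chosen here, and all inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF };

/* Bounded replacement for gets(): reads one line into buf (size bytes), strips
 * the newline and reports whether the whole line fitted. The rest of an
 * over-long line is discarded so the next read starts on a fresh line; a line
 * that fitted is NOT drained, which is what keeps a short username from
 * swallowing the password that follows it. */
enum line_status read_line(char *buf, size_t size, FILE *in) {
    if (size == 0)
        return LINE_EOF;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    char *nl = strchr(buf, '\n');
    if (nl) {
        *nl = '\0';
        return LINE_OK;
    }
    int ch = getc(in);
    if (ch == '\n' || ch == EOF)
        return LINE_OK;                         /* line fitted exactly */
    while ((ch = getc(in)) != '\n' && ch != EOF)
        ;                                       /* discard the overflow */
    return LINE_TRUNCATED;
}

/* Assumed stand-in for the snippet's grantAccess(): accepts one name. */
static int grantAccess(const char *username) {
    return strcmp(username, "admin") == 0;
}

/* The original flow with gets() replaced. 'allow' can no longer be clobbered
 * because nothing writes past username[8]; an over-long name is rejected
 * rather than silently cut to 7 characters and checked. Returns 1 when the
 * privileged action would run, 0 when not, -1 when the name was rejected. */
int login(FILE *in) {
    char username[8];
    int allow = 0;
    if (read_line(username, sizeof username, in) == LINE_TRUNCATED)
        return -1;
    if (grantAccess(username))
        allow = 1;
    return allow;
}

/* Helper: a FILE* holding constructed input (ISO C tmpfile, so it runs anywhere). */
FILE *stream_from(const char *text) {
    FILE *f = tmpfile();
    if (f) {
        fputs(text, f);
        rewind(f);
    }
    return f;
}

int main(void) {
    char name[40], pswd[40];
    enum line_status st;
    FILE *f;

    /* Constructed input: a short username must not eat the password line. */
    f = stream_from("alice\nsecret\n");
    read_line(name, sizeof name, f);
    read_line(pswd, sizeof pswd, f);
    printf("short lines -> name=%s password=%s\n", name, pswd);
    fclose(f);

    /* Constructed input: an over-long username is cut and the rest discarded,
     * so the password is still read from its own line. */
    f = stream_from("4444444444444444444444444444444444444444444444444444\nbbb\n");
    st = read_line(name, sizeof name, f);
    read_line(pswd, sizeof pswd, f);
    printf("long line   -> %s, name=%s password=%s\n",
           st == LINE_TRUNCATED ? "truncated" : "ok", name, pswd);
    fclose(f);

    /* The snippet's flow: "malicious" is rejected instead of spilling into allow. */
    f = stream_from("malicious\n");
    printf("login(\"malicious\") -> %d\n", login(f));
    fclose(f);
    return 0;
}
```

Rejecting a truncated name rather than checking the cut-down prefix matters too: with a 7-character limit, "admin123" would otherwise be compared as "admin12", and an attacker controls what the prefix is.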
: Re: buffer overflow
: ande October 27, 2014, 01:11:46 PM
For fuck's sake dude. Use code tags. [code ]code[/code ]