Author Topic: buffer overflow  (Read 966 times)


Kiuhnm

  • Guest
buffer overflow
« on: October 21, 2014, 06:10:15 pm »
I'm reading
https://security.web.cern.ch/security/recommendations/en/codetools/c.shtml

Right at the beginning the following code is shown:

#include <stdio.h>

/* prototypes added so the snippet compiles; the CERN page does not show these two functions */
int grantAccess(const char *username);
void privilegedAction(void);

int main () {
    char username[8];
    int allow = 0;
    printf("Enter your username, please: ");
    gets(username); // user inputs "malicious"
    if (grantAccess(username)) {
        allow = 1;
    }
    if (allow != 0) { // has been overwritten by the overflow of the username.
        privilegedAction();
    }
    return 0;
}

But isn't username above allow, in memory?
« Last Edit: October 21, 2014, 06:10:50 pm by Kiuhnm »

Kiuhnm

  • Guest
Re: buffer overflow
« Reply #1 on: October 22, 2014, 01:39:17 am »
No.

Offline Stackprotector

  • Administrator
  • Titan
  • Posts: 2515
  • Cookies: 205
Re: buffer overflow
« Reply #2 on: October 22, 2014, 01:45:27 am »
Launch up GDB and see for yourself :)
~Factionwars

Kiuhnm

  • Guest
Re: buffer overflow
« Reply #3 on: October 22, 2014, 02:10:53 am »
Launch up GDB and see for yourself :)

That's what I did, but I believe there is no hard rule. Maybe different compilers do things differently.
BTW, I hate gdb!

Offline Stackprotector

  • Administrator
  • Titan
  • Posts: 2515
  • Cookies: 205
Re: buffer overflow
« Reply #4 on: October 22, 2014, 02:19:50 am »
Learn 2 gdb and you will know it's all right. And yes, compilers do weird shit all the time for optimization.
~Factionwars

Kiuhnm

  • Guest
Re: buffer overflow
« Reply #5 on: October 22, 2014, 02:48:44 am »
I want to see the code, the registers and the memory all at once inside things called "windows"  :)
I don't see why I should use gdb instead of immunity, olly or IDA Pro.
Back in the day, I used Softice so I kinda like command-line interfaces but gdb takes it too far.

Offline SarK0Y

  • /dev/null
  • Posts: 5
  • Cookies: -11
Re: buffer overflow
« Reply #6 on: October 25, 2014, 11:34:00 pm »
#include <stdio.h>
#include <stdlib.h>

/* prototypes added so the snippet compiles; the thread does not show these two functions */
int grantAccess(const char *username);
void privilegedAction(void);

int main () {
    int rnd=random();
    char username[8];
    int canary=rnd;   // sits between the buffer and allow; overwritten if username overflows
    int allow = 0;
    printf("Enter your username, please: ");
    gets(username); // user inputs "malicious"
    if (canary!=rnd){
      printf("User, my Dear! :) Please, give me ok-sized string. It's only eight characters to input. Ain't it so complicated??? @@\n");
      exit(1);      // stop here: the canary has been overwritten
    }
    if (grantAccess(username)) {
        allow = 1;
    }
    if (allow != 0) { // has been overwritten by the overflow of the username.
        privilegedAction();
    }
    return 0;
}

however, we can use an even simpler way  ::)

#include <stdio.h>
#include <stdlib.h>

/* prototypes added so the snippet compiles; the thread does not show these two functions */
int grantAccess(const char *username);
void privilegedAction(void);

int main () {
    char username[8];
    int allow = 0;
    printf("Enter your username, please: ");
    gets(username); // user inputs "malicious"

    if (allow==1){  // allow can only be 1 here if the overflow wrote it
      printf("User, my Dear! :) Please, give me ok-sized string. It's only eight characters long. ;-}) Ain't it so complicated??? @@\n");
      exit(1);
    }
    allow=0;
    if (grantAccess(username)) {
        allow = 1;
    }
    if (allow != 0) { // has been overwritten by the overflow of the username.
        privilegedAction();
    }
    return 0;
}

Meanwhile, the 1st variant runs much safer  8)

Offline SarK0Y

  • /dev/null
  • Posts: 5
  • Cookies: -11
Re: buffer overflow
« Reply #7 on: October 25, 2014, 11:35:57 pm »
ah, yeah -- seven chars long  ;D

Offline Stackprotector

  • Administrator
  • Titan
  • Posts: 2515
  • Cookies: 205
Re: buffer overflow
« Reply #8 on: October 26, 2014, 10:22:30 am »
Well this is not really safe. You can easily bruteforce the canary. Try to use the default stack protectors given by the compiler.
~Factionwars

Offline SarK0Y

  • /dev/null
  • Posts: 5
  • Cookies: -11
Re: buffer overflow
« Reply #9 on: October 26, 2014, 10:45:29 pm »
Well this is not really safe. You can easily bruteforce the canary. Try to use the default stack protectors given by the compiler.
bruteforce via typing console??? theoretically it's possible, but brute forcing is only good for a const canary: if each time you get a new one, the probability of taking the right canary becomes too low + good security limits the number of attempts ;) however, we can use a safer & more reliable variant than canaries.
==============================================================
#include <stdio.h>
#include <string.h>
#define SIZE 40   // SIZE==40, for our case

int main(void) {
    char name[SIZE];
    char pswd[SIZE];
    memset(name, 0, SIZE);
    memset(pswd, 0, SIZE);
    printf("Please, Enter username: \n");
    fgets(name, SIZE-1, stdin);
    int ch;
    while ((ch = getchar()) != '\n' && ch != EOF); // clears console buffer, otherwise ye'll get nasty behavior ;D
    printf("\nPlease, Enter password: \n");
    fgets(pswd, SIZE-1, stdin);
    while ((ch = getchar()) != '\n' && ch != EOF);
    printf("Your name: %s\nYour password: %s\n", name, pswd);
    return 0;
}
======================================================
output:
Please, Enter username:
444444444444444444444444144444444444444444444444444444444444444444444444444444444

Please, Enter password:
bbbnjhgfjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjhgf
Your name: 44444444444444444444444414444444444444
Your password: bbbnjhgfjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj

Let's take wrong code:
====================================================
#include <stdio.h>
#include <string.h>
#define SIZE 40

int main(void) {
    char name[SIZE];
    char pswd[SIZE];
    memset(name, 0, SIZE);
    memset(pswd, 0, SIZE);
    printf("Please, Enter username: \n");
    fgets(name, SIZE-1, stdin);
    //system("clear");
    //int ch;
    //while ((ch = getchar()) != '\n' && ch != EOF);//clears console buffer, otherwise ye'll get nasty behavior ;D
    printf("\nPlease, Enter password: \n");
    fgets(pswd, SIZE-1, stdin); // reads the leftover of the over-long username line instead
    int ch;
    while ((ch = getchar()) != '\n' && ch != EOF);
    printf("Your name: %s\nYour password: %s\n", name, pswd);
    return 0;
}
==================================================
output:

Please, Enter username:
4444444444444444444444444444444444444444444444455555555555555555555555555

Please, Enter password:
44444444444444444444444444444444444444444444
Your name: 44444444444444444444444444444444444444
Your password: 44444444455555555555555555555555555
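A bounded line reader, added here as an example and not SarK0Y's code: it keeps the fgets bound, discards the rest of an over-long line so it cannot bleed into the next prompt (the "wrong code" case), and drains only when the line did not fit, so a short username does not swallow the password line and a last line without a newline is not reported as truncated. The sample inputs are constructed, and fmemopen (POSIX) is assumed so the run needs no terminal.

```c
/* Added example, not from the thread: bounded line input with fgets that
 * discards the remainder of an over-long line, but only when the buffer
 * actually filled up. Input is constructed inline via fmemopen (POSIX). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define SIZE 40   /* same buffer size as in the thread */

/* Read one line into buf[size], dropping the newline.
 * Returns 0 if the whole line fit, 1 if it was truncated (rest discarded),
 * -1 on EOF with nothing read. */
int read_line(char *buf, size_t size, FILE *in) {
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    char *nl = strchr(buf, '\n');
    if (nl != NULL) {                   /* whole line fit: drop the newline */
        *nl = '\0';
        return 0;
    }
    int ch = fgetc(in);                 /* buffer full: anything left on the line? */
    if (ch == '\n' || ch == EOF)
        return 0;                       /* exact fit, or last line without newline */
    while ((ch = fgetc(in)) != '\n' && ch != EOF)
        ;                               /* discard the rest so it cannot bleed into the next prompt */
    return 1;
}

/* Read username then password from 'in'; returns how many lines were truncated. */
int read_credentials(FILE *in, char *name, char *pswd) {
    int truncated = 0;
    if (read_line(name, SIZE, in) == 1) truncated++;
    if (read_line(pswd, SIZE, in) == 1) truncated++;
    return truncated;
}

/* Feed a constructed input string through read_credentials (hypothetical helper). */
int demo(const char *input, char *name, char *pswd) {
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return -1;
    int truncated = read_credentials(in, name, pswd);
    fclose(in);
    return truncated;
}
```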

Offline ande

  • Owner
  • Titan
  • Posts: 2664
  • Cookies: 256
Re: buffer overflow
« Reply #10 on: October 27, 2014, 01:11:46 pm »
For fuck's sake dude. Use code tags. [code ]code[/code ]
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true