Simple Buffer Overflow Exploit

I am trying to write a very simple program to highlight how a buffer overflow vulnerability can be used to bypass a password-protected system. The code is as follows:

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    char tempbuff[15];
    int pass = 0;

    printf("\n Enter a password of length between 1 and 15 characters : \n");
    gets(buff);          /* unbounded read: input longer than 14 characters writes past buff */

    printf("\n Enter your password : \n");
    gets(tempbuff);      /* unbounded read: this is the overflow the question wants to reach pass */

    if(strcmp(tempbuff, buff))
    {
        printf ("\n Wrong Password \n");

    }
    else
    {
        printf ("\n Correct Password \n");
        pass = 1;
    }

    if(pass)
    {
       /* Now Give root or admin rights to user*/
        printf ("\n Root privileges given to the user \n");
    }

    return 0;
}

Essentially, when I am asked to enter my password the second time, I am trying to change the value of the pass variable from 0 to 1 by entering a string longer than 15 characters. However, so far I have not been able to do this. Any help would be appreciated!

I was able to exploit your program on OS X just by changing your code: define pass before tempbuff. Declaring pass before tempbuff means pass is placed on the stack after tempbuff, so overflowing tempbuff overwrites pass. I was able to check the addresses of pass and tempbuff in lldb (or gdb).

I also compiled with the -fno-stack-protector option.

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    int pass = 0;        /* moved before tempbuff: in this stack layout it sits right after tempbuff (addresses checked in lldb) */
    char tempbuff[15];

    printf("\n Enter a password of length between 1 and 15 characters : \n");
    gets(buff);

    printf("\n Enter your password : \n");
    gets(tempbuff);      /* unbounded read: the overflowing bytes land in pass */

    if(strcmp(tempbuff, buff))
    {
        printf ("\n Wrong Password \n");
    }
    else
    {
        printf ("\n Correct Password \n");
        pass = 1;
    }

    if(pass)
        printf ("\n Root privileges given to the user \n");

    return 0;
}

Compile: gcc -Wall -Wextra -O0 -g -fno-stack-protector buf.c -o buf

Here is the input sequence:

safepassword
1234567890123456

Here is the output:

$ ./buf < over

 Enter a password of length between 1 and 15 characters :
warning: this program uses gets(), which is unsafe.

 Enter your password :

 Wrong Password

 Root privileges given to the user

There is no guarantee of the order in which memory is allocated for local variables, nor that they are placed in contiguous locations. The following modified code should work on most systems. It uses the fact that structure members are allocated in contiguous memory locations (note also that the array sizes have been changed to avoid padding).

#include <stdio.h>
#include <string.h>

/* Struct members are laid out in declaration order, so tempbuff is
 * immediately followed by pass. 16 + 16 = 32 is already 4-byte aligned,
 * so there is no padding before the int. */
struct app {
    char buff[16];
    char tempbuff[16];
    int pass;
};

int main(void)
{
    struct app app;
    app.pass = 0;

    printf("\n Enter a password of length between 1 and 15 characters : \n");
    gets(app.buff);

    printf("\n Enter your password : \n");
    gets(app.tempbuff);  /* unbounded: bytes past tempbuff[15] land in pass */

    if(strcmp(app.tempbuff, app.buff))
    {
        printf ("\n Wrong Password \n");

    }
    else
    {
        printf ("\n Correct Password \n");
        app.pass = 1;
    }

    if(app.pass)
    {
       /* Now Give root or admin rights to user*/
        printf ("\n Root privileges given to the user \n");
    }

    return 0;
}
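The struct layout used in the answer above makes the distance from tempbuff to pass exact, which also exposes a detail neither answer spells out: gets() stores the terminating NUL as well, so an input that exactly fills tempbuff puts a zero byte into pass and leaves it 0; at least one more character is needed. The following is an added example, not code from the question or either answer. It reuses the same struct, emulates the unbounded copy that gets() performs (through a byte pointer over the whole struct, and clamped at the end of the struct so the demonstration never writes outside the object, which the real gets() would not do), and puts a bounded read beside it as the fix. The inputs are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the struct in the answer above: tempbuff is followed
 * directly by pass, with no padding. */
struct app {
    char buff[16];
    char tempbuff[16];
    int pass;
};

/* Shortest input that changes pass: enough characters to fill tempbuff
 * completely and put at least one non-NUL byte into pass. */
size_t min_overflow_length(void)
{
    return offsetof(struct app, pass) - offsetof(struct app, tempbuff) + 1;
}

/* Emulates the vulnerable check. `typed` is copied into tempbuff the way
 * gets() would do it: every byte plus the terminating NUL, no bounds check.
 * The copy goes through a byte pointer over the whole struct and is clamped
 * at sizeof(struct app); that clamp is a safety net for this demo only and
 * does not exist in the real gets(). Returns the final value of pass. */
int vulnerable_check(const char *stored, const char *typed)
{
    struct app app = {0};
    snprintf(app.buff, sizeof app.buff, "%s", stored);

    unsigned char *base = (unsigned char *)&app;
    size_t off = offsetof(struct app, tempbuff);
    size_t n = strlen(typed) + 1;          /* gets() writes the NUL too */
    if (off + n > sizeof app)
        n = sizeof app - off;              /* demo-only clamp, see above */
    memcpy(base + off, typed, n);

    /* Bounded compare instead of strcmp: after an overflow tempbuff may no
     * longer contain a NUL and strcmp would read off the end of it. */
    if (strncmp(app.tempbuff, app.buff, sizeof app.tempbuff) == 0)
        app.pass = 1;
    return app.pass;
}

/* Hardened version: the read is bounded to the buffer (fgets-style truncation,
 * always NUL-terminated), so pass can only become 1 through the comparison. */
int hardened_check(const char *stored, const char *typed)
{
    struct app app = {0};
    snprintf(app.buff, sizeof app.buff, "%s", stored);
    snprintf(app.tempbuff, sizeof app.tempbuff, "%s", typed);
    if (strcmp(app.tempbuff, app.buff) == 0)
        app.pass = 1;
    return app.pass;
}

int main(void)
{
    /* constructed inputs: the stored password and two overlong attempts */
    const char *pw = "safepassword";
    const char *sixteen = "1234567890123456";
    const char *seventeen = "12345678901234567";

    printf("minimum overflow length: %zu\n", min_overflow_length());
    printf("16 chars -> pass = %d\n", vulnerable_check(pw, sixteen));
    printf("17 chars -> pass = %d\n", vulnerable_check(pw, seventeen));
    printf("hardened, 17 chars -> pass = %d\n", hardened_check(pw, seventeen));
    return 0;
}
```

With this layout a 16-character attempt leaves pass at 0 because the NUL lands in its low byte, while 17 or more characters make it non-zero (the exact value depends on byte order; what matters for the `if(app.pass)` test is only that it is not 0). Compile it the same way as the answer's program, with -fno-stack-protector, if you want to carry the same experiment over to the stack-local version.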