Simple buffer overflow exploit

Time: 2015-11-06 03:15:16

Tags: c buffer-overflow

I am trying to write a very simple program that highlights how a buffer overflow vulnerability can be used to bypass a password-protected system. The code is as follows:

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    char tempbuff[15];
    int pass = 0;

    printf("\n Enter a password of length between 1 and 15 characters : \n");
    gets(buff);
    //strcpy("%s",buff);

    printf("\n Enter your password : \n");
    gets(tempbuff);
    //strcpy("%s",tempbuff);

    if(strcmp(tempbuff, buff))
    {
        printf ("\n Wrong Password \n");

    }
    else
    {
        printf ("\n Correct Password \n");
        pass = 1;
    }

    if(pass)
    {
       /* Now Give root or admin rights to user*/
        printf ("\n Root privileges given to the user \n");
    }

    return 0;
}

Basically, when I am asked to enter the password for the second time, I am trying to change the value of the pass variable from 0 to 1 by entering a string longer than 15 characters. However, so far I have not been able to do so. Any help would be greatly appreciated!

2 answers:

Answer 0 (score: 1)

I was able to exploit the program on OS X by making one change to the code: defining tempbuff after pass. Declaring tempbuff after pass means pass is placed on the stack after tempbuff, so overflowing tempbuff will overwrite pass. I was able to view the addresses of pass (or tempbuff) in lldb/gdb.

I also compiled it with the -fno-stack-protector option.

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    int pass = 0;
    char tempbuff[15];

    printf("\n Enter a password of length between 1 and 15 characters : \n");
    gets(buff);

    printf("\n Enter your password : \n");
    gets(tempbuff);

    if(strcmp(tempbuff, buff))
    {
        printf ("\n Wrong Password \n");
    }
    else
    {
        printf ("\n Correct Password \n");
        pass = 1;
    }

    if(pass)
        printf ("\n Root privileges given to the user \n");

    return 0;
}

Compile with:

gcc -Wall -Wextra -O0 -g -fno-stack-protector    buf.c   -o buf

Here is the input sequence:

safepassword
1234567890123456

Here is the output:

Answer 1 (score: 1)

There is no guarantee of the order in which memory is allocated for local variables, nor that they will be placed in contiguous locations. The modified code below should work on most systems. It relies on the fact that structure members are allocated contiguous memory locations (note also that the array sizes have been changed to avoid padding).

#include <stdio.h>
#include <string.h>

struct app {
    char buff[16];
    char tempbuff[16];
    int pass;
};

int main(void)
{
    struct app app;
    app.pass = 0;

    printf("\n Enter a password of length between 1 and 15 characters : \n");
    gets(app.buff);
    //strcpy("%s",buff);

    printf("\n Enter your password : \n");
    gets(app.tempbuff);
    //strcpy("%s",tempbuff);

    if(strcmp(app.tempbuff, app.buff))
    {
        printf ("\n Wrong Password \n");

    }
    else
    {
        printf ("\n Correct Password \n");
        app.pass = 1;
    }

    if(app.pass)
    {
       /* Now Give root or admin rights to user*/
        printf ("\n Root privileges given to the user \n");
    }

    return 0;
}
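A hardened counterpart to the struct-based program above, as an added example that is not part of either answer: gets() is replaced by a bounded fgets() reader that rejects any line outside 1..15 characters, so the 16-character second input shown in the first answer can no longer spill into pass. The names read_password, check_password, PW_MAX/PW_BUF and the fmemopen-based in-memory input feed are assumptions of this example, not code from the question.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define PW_MAX 15           /* longest password accepted */
#define PW_BUF (PW_MAX + 2) /* + '\n' + '\0' so fgets() can see the newline */

struct app {
    char buff[PW_BUF];
    char tempbuff[PW_BUF];
    int pass;
};

/* Bounded replacement for gets(): read one line of 1..PW_MAX characters.
 * Returns 0 on success, -1 on EOF/error, -2 if the line is empty or too
 * long (an overlong line is drained and rejected, never truncated). */
int read_password(char *dst, size_t dstsz, FILE *in)
{
    if (fgets(dst, (int)dstsz, in) == NULL)
        return -1;
    char *nl = strchr(dst, '\n');
    if (nl != NULL) {
        *nl = '\0';
    } else if (!feof(in)) {          /* line did not fit: drain the rest */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
        dst[0] = '\0';
        return -2;
    }
    size_t n = strlen(dst);
    return (n >= 1 && n <= PW_MAX) ? 0 : -2;
}

/* Same two-prompt flow as the original, fed from an in-memory string
 * (constructed test input, assumed helper). A 16-character second line
 * can no longer reach pass: it is rejected before strcmp() ever runs. */
int check_password(const char *input)
{
    struct app app = { .pass = 0 };
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    if (read_password(app.buff, sizeof app.buff, in) == 0 &&
        read_password(app.tempbuff, sizeof app.tempbuff, in) == 0 &&
        strcmp(app.tempbuff, app.buff) == 0)
        app.pass = 1;
    fclose(in);
    return app.pass;
}
```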