Thread: Bufferoverflow in c

  1. #1
    Registered User
    Join Date
    Dec 2009
    Posts
    1

    Bufferoverflow in c

    Hi, this is Dileep.

    I am new to this topic, but I have to learn these things for my academic project. Please could anybody give me some sample programs for buffer overflow in the C language.

  2. #2
    C++ Witch laserlight's Avatar
    Join Date
    Oct 2003
    Location
    Singapore
    Posts
    28,413
    What do you understand by "buffer overflow"? You should be able to construct a very simple example yourself given that understanding.
    Quote Originally Posted by Bjarne Stroustrup (2000-10-14)
    I get maybe two dozen requests for help with some sort of programming or design problem every day. Most have more sense than to send me hundreds of lines of code. If they do, I ask them to find the smallest example that exhibits the problem and send me that. Mostly, they then find the error themselves. "Finding the smallest program that demonstrates the error" is a powerful debugging tool.
    Look up a C++ Reference and learn How To Ask Questions The Smart Way

  3. #3
    Registered User
    Join Date
    Sep 2006
    Posts
    8,868
    gets() would be a great candidate for a good buffer overflow example.

    I don't have such an example, but you should be able to find several with a bit of googling.

  4. #4
    Learning C. JOZZY& Wakko's Avatar
    Join Date
    Nov 2009
    Posts
    59
    While C's simplicity increases the programmer's control and the efficiency of the resulting programs, it can also result in programs that are vulnerable to buffer overflows and memory leaks if the programmer isn't careful. This means that once a variable is allocated memory, there are no built-in safeguards to ensure that the contents of a variable fit into the allocated memory space. If a programmer wants to put ten bytes of data into a buffer that had only been allocated eight bytes of space, that type of action is allowed, even though it will most likely cause the program to crash. This is known as a buffer overrun or buffer overflow, since the extra two bytes of data will overflow and spill out of the allocated memory, overwriting whatever happens to come next. If a critical piece of data is overwritten, the program will crash. The overflow_example.c code offers an example.
    Code:
    #include <stdio.h>
    #include <string.h>
    
    int main(int argc, char *argv[]) {
       int value = 5;
       char buffer_one[8], buffer_two[8];
       
       if (argc < 2) { /* The demo needs one argument to copy. */
          fprintf(stderr, "usage: %s <string>\n", argv[0]);
          return 1;
       }
       
       strcpy(buffer_one, "one"); /* Put "one" into buffer_one. */
       strcpy(buffer_two, "two"); /* Put "two" into buffer_two. */
       
       printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
       printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
       printf("[BEFORE] value is at %p and is %d (0x%08x)\n", &value, value, value);
       
       printf("\n[STRCPY] copying %d bytes into buffer_two\n\n", (int)strlen(argv[1]));
       strcpy(buffer_two, argv[1]); /* Copy first argument into buffer_two. Unbounded: this is the overflow. */
       
       printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
       printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
       printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value);
       return 0;
    }
    Source: Hacking: The Art of Exploitation - Wikipedia, the free encyclopedia
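    Added example (not from the book or from anyone in this thread): the two unsafe patterns named in posts #3 and #4, gets() and an unbounded strcpy() into a fixed buffer, next to bounded replacements that refuse or report input that does not fit instead of writing past the end of the 8-byte buffer. The function names copy_bounded, read_line_bounded and demo_overlong_lines are my own, and the input lines are constructed for the demo; the overlong-line detection around fgets() is the part worth studying, because fgets() alone silently splits a long line into several short ones.

```c
#include <stdio.h>
#include <string.h>

/*
 * Bounded replacement for the strcpy(buffer_two, argv[1]) line in the
 * example above: copies src into dst only if it fits, including the
 * terminating NUL. Returns 1 on success, 0 if src was rejected; on
 * rejection dst is left as an empty string instead of being overflowed.
 */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);

    if (cap == 0)
        return 0;
    if (n >= cap) {            /* no room for the terminator: refuse, do not truncate silently */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);   /* n bytes plus the NUL */
    return 1;
}

/*
 * Bounded replacement for gets(): reads one line into dst (cap bytes) and
 * strips the newline. fgets() never writes past cap, but it hides overlong
 * lines by splitting them, so the leftover is drained and reported.
 * Returns 1 for a complete line, 0 for a line longer than cap-1 bytes
 * (dst holds the first cap-1 bytes, the rest is discarded), -1 at EOF.
 */
int read_line_bounded(FILE *in, char *dst, size_t cap)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) {
        if (cap)
            dst[0] = '\0';
        return -1;
    }

    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 1;
    }

    /* No newline in dst: the line was exactly cap-1 bytes, the file ended
     * without a newline, or the line overflowed the buffer. */
    int c = getc(in);
    if (c == EOF || c == '\n')
        return 1;
    while (c != '\n' && c != EOF)  /* discard the part that did not fit */
        c = getc(in);
    return 0;
}

/*
 * Demo: constructed input (not real data) pushed through a tmpfile() stream
 * and read with an 8-byte buffer like buffer_two above. Returns the number
 * of lines that would have overflowed a gets()/strcpy() into that buffer.
 */
int demo_overlong_lines(void)
{
    static const char input[] = "one\ntwo\nthis line is far too long\n1234567\nend";
    char buf[8];
    int overlong = 0, rc;
    FILE *f = tmpfile();

    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    while ((rc = read_line_bounded(f, buf, sizeof buf)) != -1) {
        if (rc == 0) {
            overlong++;
            printf("rejected overlong line, kept prefix '%s'\n", buf);
        } else {
            printf("ok: '%s'\n", buf);
        }
    }
    fclose(f);
    return overlong;
}

int main(void)
{
    char dst[8];

    printf("copy \"one\": %d\n", copy_bounded(dst, sizeof dst, "one"));
    printf("copy \"12345678\": %d\n", copy_bounded(dst, sizeof dst, "12345678"));
    printf("overlong lines: %d\n", demo_overlong_lines());
    return 0;
}
```

    Note the choice to reject rather than truncate in copy_bounded: a silently truncated filename or command is its own class of bug, so the caller is told that the input did not fit. The "1234567" line shows the edge case that fgets() makes awkward: seven characters fill the buffer exactly, and only a look at the next character tells a full buffer apart from an overflowed one.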

  5. #5
    Registered User
    Join Date
    Oct 2008
    Posts
    1,262
    I've always been a fan of the following brain-dead example:

    Code:
    #include <stdio.h>
    
    int main()
    {
      int *a[1];
      int i;
    
      printf("Main\n");
    
      for(i = 0; i < 10; i++)
        a[i] = main;
    }

  6. #6
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    You think that should compile? It shouldn't.
    A better example should be:
    Code:
    int main()
    {
        int a[1];
    
        for (int i = 0; i < 10; i++)
            a[i] = 0;
    }
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  7. #7
    Officially An Architect brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,396
    Quote Originally Posted by Elysia View Post
    You think that should compile? It shouldn't.
    A better example should be:
    Code:
    int main()
    {
        int a[1];
    
        for (int i = 0; i < 10; i++)
            a[i] = 0;
    }
    Your example removes all the coolness. The reason for using main as the value is so that the stack return address gets overwritten with the address of main, causing an infinite loop when the function tries to return. Yes, it might not compile as-is, but it would with an appropriate cast.
    Code:
    //try
    //{
    	if (a) do { f( b); } while(1);
    	else   do { f(!b); } while(1);
    //}

  8. #8
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    I'm fine with the example if it would compile.
    So if we would use a real function pointer, that would be cool.
    Code:
    typedef int (main_ptr)();
    int main()
    {
        main_ptr* ptr[1];
        for (int i = 0; i < 10; i++)
            ptr[i] = &main;
    }
    And let's not rely on old coding styles...

  9. #9
    Officially An Architect brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,396
    Quote Originally Posted by Elysia View Post
    I'm fine with the example if it would compile.
    So if we would use a real function pointer, that would be cool.
    Well, I just tried it myself and it doesn't work anyway with gcc 4.1.2 at least. I think what is happening is that the store for the 'i' variable is allocated above the memory for the 'a' array, and the loop overwrites i itself with the address of main() and prematurely terminates. I tried declaring i as register, and then it just started crashing.

    Would be a cool demo if it did work, and I'm sure it does, on some compilers.

  10. #10
    Registered User jeffcobb's Avatar
    Join Date
    Dec 2009
    Location
    Henderson, NV
    Posts
    875
    Speaking of overflows... question for the Windows gurus out there... back in the WinXP/Win2K era there was a way of blue-screening a Windows box with a printf() that went something like:
    Code:
    for(int x = 0; x < 5; x++)
         printf("\t\t\b\b\b");
    Did anyone ever figure out why that happened? Just curious...
    C/C++ Environment: GNU CC/Emacs
    Make system: CMake
    Debuggers: Valgrind/GDB

  11. #11
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    Quote Originally Posted by brewbuck View Post
    Well, I just tried it myself and it doesn't work anyway with gcc 4.1.2 at least. I think what is happening is that the store for the 'i' variable is allocated above the memory for the 'a' array, and the loop overwrites i itself with the address of main() and prematurely terminates. I tried declaring i as register, and then it just started crashing.

    Would be a cool demo if it did work, and I'm sure it does, on some compilers.
    We can always try
    /boots up Visual Studio.

  12. #12
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by jeffcobb View Post
    Speaking of overflows... question for the Windows gurus out there... back in the WinXP/Win2K era there was a way of blue-screening a Windows box with a printf() that went something like:
    Code:
    for(int x = 0; x < 5; x++)
         printf("\t\t\b\b\b");
    Did anyone ever figure out why that happened? Just curious...
    This was a special cheat included by the developers, so if there was a bug that could not be traced, we just leave a "Blue screen of death" event so that most users will be unable to figure out what to blame. Unfortunately, the cheat was a little too simple -- kind of like pressing ctrl-space twice to reload all your weapons.

    Just kidding.
    C programming resources:
    GNU C Function and Macro Index -- glibc reference manual
    The C Book -- nice online learner guide
    Current ISO draft standard
    CCAN -- new CPAN like open source library repository
    3 (different) GNU debugger tutorials: #1 -- #2 -- #3
    cpwiki -- our wiki on sourceforge

  13. #13
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    I got it working:
    Code:
    #include <stdio.h>   /* for printf */
    #include <stdlib.h>
    
    typedef int (main_ptr)();
    int main()
    {
    	main_ptr* ptr[1];
    	printf("Main!\n");
    	for (int i = 0; i < 3; i++)
    		ptr[i] = &main;
    
    	__asm sub ebp, 4;   /* MSVC 32-bit inline assembly; not portable */
    }
    This recurs endlessly on Visual Studio.
    Last edited by Elysia; 12-18-2009 at 04:15 PM.

  14. #14
    Lurking whiteflags's Avatar
    Join Date
    Apr 2006
    Location
    United States
    Posts
    9,612
    Quote Originally Posted by Elysia View Post
    And let's not rely on old coding styles...
    What are you talking about?

  15. #15
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    Taking the address of a function without the &.
