C Board  
Old 12-18-2009, 03:44 AM   #1
Registered User
 
Join Date: Dec 2009
Posts: 1
Buffer overflow in C

Hi, this is Dileep.

I am new to this topic, but I have to learn these things for my academic project. Please, can anybody give me some sample programs for buffer overflow in the C language?
-- dileep
Old 12-18-2009, 03:47 AM   #2
C++ Witch
Join Date: Oct 2003
Location: Singapore
Posts: 12,460
What do you understand by "buffer overflow"? You should be able to construct a very simple example yourself given that understanding.
__________________
C + C++ Compiler: MinGW port of GCC
Build + Version Control System: SCons + Bazaar

Look up a C/C++ Reference and learn How To Ask Questions The Smart Way
-- laserlight
Old 12-18-2009, 04:06 AM   #3
Registered User
 
Join Date: Sep 2006
Posts: 3,720
gets() would be a great candidate for a good buffer overflow example.

I don't have such an example, but you should be able to find several with a bit of googling.
-- Adak
Old 12-18-2009, 06:02 AM   #4
Learning C.
Join Date: Nov 2009
Posts: 59
Quote:
While C's simplicity increases the programmer's control and the efficiency of the resulting programs, it can also result in programs that are vulnerable to buffer overflows and memory leaks if the programmer isn't careful. This means that once a variable is allocated memory, there are no built-in safeguards to ensure that the contents of a variable fit into the allocated memory space. If a programmer wants to put ten bytes of data into a buffer that had only been allocated eight bytes of space, that type of action is allowed, even though it will most likely cause the program to crash. This is known as a buffer overrun or buffer overflow, since the extra two bytes of data will overflow and spill out of the allocated memory, overwriting whatever happens to come next. If a critical piece of data is overwritten, the program will crash. The overflow_example.c code offers an example.
Code:
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
   int value = 5;
   char buffer_one[8], buffer_two[8];

   if (argc < 2) {
      fprintf(stderr, "usage: %s <string>\n", argv[0]);
      return 1;
   }

   strcpy(buffer_one, "one"); /* Put "one" into buffer_one. */
   strcpy(buffer_two, "two"); /* Put "two" into buffer_two. */

   printf("[BEFORE] buffer_two is at %p and contains '%s'\n", (void *)buffer_two, buffer_two);
   printf("[BEFORE] buffer_one is at %p and contains '%s'\n", (void *)buffer_one, buffer_one);
   printf("[BEFORE] value is at %p and is %d (0x%08x)\n", (void *)&value, value, value);

   /* strlen() returns size_t, so it is printed with %zu rather than %d. */
   printf("\n[STRCPY] copying %zu bytes into buffer_two\n\n", strlen(argv[1]));
   strcpy(buffer_two, argv[1]); /* Unbounded copy: an argument longer than 7 bytes overflows buffer_two. */

   printf("[AFTER] buffer_two is at %p and contains '%s'\n", (void *)buffer_two, buffer_two);
   printf("[AFTER] buffer_one is at %p and contains '%s'\n", (void *)buffer_one, buffer_one);
   printf("[AFTER] value is at %p and is %d (0x%08x)\n", (void *)&value, value, value);
   return 0;
}
Source: Hacking: The Art of Exploitation - Wikipedia, the free encyclopedia
-- JOZZY& Wakko
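As an added example (not code from the thread or from the book it quotes), here is the copy from overflow_example.c hardened: a bounded copy that refuses an argument which does not fit, so the neighbouring `value` stays 5 whatever the input. `safe_copy`, `demo` and `struct frame` are names chosen for this example.

```c
/* Added example: the overflow_example.c copy, hardened. safe_copy() refuses
 * input that does not fit (terminating NUL included) instead of letting
 * strcpy() run past the end of the destination. */
#include <stdio.h>
#include <string.h>

/* Copies src into dst[dstsz] and returns 0 when it fits; returns -1 and
 * leaves dst empty otherwise. The length scan stops at dstsz, so an
 * unterminated src cannot make this function read far past its end either. */
static int safe_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dstsz == 0)
        return -1;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz) {          /* no room left for the terminator: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 copies the NUL as well */
    return 0;
}

/* Mirrors the locals of overflow_example.c so the neighbour can be inspected. */
struct frame {
    char buffer_two[8];
    char buffer_one[8];
    int value;
};

/* Runs the book's scenario with the bounded copy. Returns the neighbouring
 * integer afterwards (always 5) and reports via *copied whether arg fit. */
static int demo(const char *arg, int *copied)
{
    struct frame f;
    f.value = 5;
    strcpy(f.buffer_one, "one");
    strcpy(f.buffer_two, "two");
    *copied = safe_copy(f.buffer_two, sizeof f.buffer_two, arg) == 0;
    printf("buffer_two='%s' buffer_one='%s' value=%d (copied=%d)\n",
           f.buffer_two, f.buffer_one, f.value, *copied);
    return f.value;
}

int main(int argc, char *argv[])
{
    int copied;
    demo(argc > 1 ? argv[1] : "1234567890", &copied); /* constructed default input */
    return 0;
}
```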
Old 12-18-2009, 07:31 AM   #5
Registered User
 
Join Date: Oct 2008
Posts: 943
I've always been a fan of the following brain-dead example:

Code:
#include <stdio.h>

int main()
{
  int *a[1];
  int i;

  printf("Main\n");

  for(i = 0; i < 10; i++)
    a[i] = main;
}
-- EVOEx
Old 12-18-2009, 03:21 PM   #6
Mysterious C++ User
Join Date: Oct 2007
Posts: 16,078
You think that should compile? It shouldn't.
A better example should be:
Code:
int main()
{
    int a[1];

    for (int i = 0; i < 10; i++)
        a[i] = 0;
}
__________________
Using: Microsoft Windows™ 7 Professional (x64), Microsoft Visual Studio™ 2010 Ultimate, C++0x
"Thanks Elysia. You're a programming master! How the hell do you know every thing?"
"Thanks for all your help. It's obvious yall really know what you're talking about when it comes to OOP/C++ stuff."
Quoted... at least once.
Quote:
Originally Posted by cpjust
If C++ is 2 steps forward from C, then I'd say Java is 1 step forward and 2 steps back.
-- Elysia
Old 12-18-2009, 03:28 PM   #7
Staff software engineer
Join Date: Mar 2007
Location: Portland, OR
Posts: 6,014
Quote:
Originally Posted by Elysia View Post
You think that should compile? It shouldn't.
A better example should be:
Code:
int main()
{
    int a[1];

    for (int i = 0; i < 10; i++)
        a[i] = 0;
}
Your example removes all the coolness. The reason for using main as the value is so that the stack return address gets overwritten with the address of main, causing an infinite loop when the function tries to return. Yes, it might not compile as-is, but it would with an appropriate cast.
__________________
"Congratulations on your purchase. To begin using your quantum computer, set the power switch to both off and on simultaneously." -- raftpeople@slashdot
-- brewbuck
Old 12-18-2009, 03:32 PM   #8
Mysterious C++ User
Join Date: Oct 2007
Posts: 16,078
I'm fine with the example if it would compile.
So if we would use a real function pointer, that would be cool.
Code:
typedef int (main_ptr)();
int main()
{
    main_ptr* ptr[1];
    for (int i = 0; i < 10; i++)
        ptr[i] = &main;
}
And let's not rely on old coding styles...
-- Elysia
Old 12-18-2009, 03:35 PM   #9
Staff software engineer
Join Date: Mar 2007
Location: Portland, OR
Posts: 6,014
Quote:
Originally Posted by Elysia View Post
I'm fine with the example if it would compile.
So if we would use a real function pointer, that would be cool.
Well, I just tried it myself and it doesn't work anyway with gcc 4.1.2 at least. I think what is happening is that the store for the 'i' variable is allocated above the memory for the 'a' array, and the loop overwrites i itself with the address of main() and prematurely terminates. I tried declaring i as register, and then it just started crashing.

Would be a cool demo if it did work, and I'm sure it does, on some compilers.
-- brewbuck
Old 12-18-2009, 03:36 PM   #10
Registered User
Join Date: Dec 2009
Location: Henderson, NV
Posts: 887
Speaking of overflows... a question for the Windows gurus out there. Back in the WinXP/Win2K era there was a way of blue-screening a Windows box with a printf() that went something like:
Code:
for(int x = 0; x < 5; x++)
     printf("\t\t\b\b\b");
Did anyone ever figure out why that happened? Just curious...
__________________
C/C++ Environment: GNU CC/Emacs
Make system: CMake
Debuggers: Valgrind/GDB
-- jeffcobb
Old 12-18-2009, 03:37 PM   #11
Mysterious C++ User
Join Date: Oct 2007
Posts: 16,078
Quote:
Originally Posted by brewbuck View Post
Well, I just tried it myself and it doesn't work anyway with gcc 4.1.2 at least. I think what is happening is that the store for the 'i' variable is allocated above the memory for the 'a' array, and the loop overwrites i itself with the address of main() and prematurely terminates. I tried declaring i as register, and then it just started crashing.

Would be a cool demo if it did work, and I'm sure it does, on some compilers.
We can always try.
/boots up Visual Studio.
-- Elysia
Old 12-18-2009, 03:49 PM   #12
dat is, vast staat
Join Date: Jul 2008
Location: SE Queens
Posts: 6,612
Quote:
Originally Posted by jeffcobb View Post
Speaking of overflows....question for the Windows gurus out there.... back in the WinXP/Win2K era there was a way of blue-screening a Windows box with a printf() that went something like:
Code:
for(int x = 0; x < 5; x++)
     printf("\t\t\b\b\b");
Did anyone ever figure out why that happened? Just curious...
This was a special cheat included by the developers, so if there was a bug that could not be traced, we just leave a "Blue screen of death" event so that most users will be unable to figure out what to blame. Unfortunately, the cheat was a little too simple -- kind of like pressing ctrl-space twice to reload all your weapons.

Just kidding.
__________________
C programming resources:
GNU C Function and Macro Index -- glibc reference manual
The C Book -- nice online learner guide
Current ISO draft standard
CCAN -- new CPAN like open source library repository
GDB tutorial #1 -- gnu debugger tutorials -- GDB tutorial #2
cpwiki -- our wiki on sourceforge
-- MK27
Old 12-18-2009, 04:01 PM   #13
Mysterious C++ User
Join Date: Oct 2007
Posts: 16,078
I got it working:
Code:
#include <stdio.h>   /* printf() */
#include <stdlib.h>

typedef int (main_ptr)();
int main()
{
	main_ptr* ptr[1];
	printf("Main!\n");
	/* Writes past the one-element array so the saved stack slots above it take the address of main. */
	for (int i = 0; i < 3; i++)
		ptr[i] = &main;

	__asm sub ebp, 4; /* MSVC-specific x86 inline assembly: moves the frame pointer so the return goes through an overwritten slot. */
}
This recurs endlessly on Visual Studio.

Last edited by Elysia; 12-18-2009 at 04:15 PM.
-- Elysia
Old 12-18-2009, 04:18 PM   #14
and the Rod of Remorse
 
Join Date: Apr 2006
Location: United States
Posts: 3,633
Quote:
Originally Posted by Elysia View Post
And let's not rely on old coding styles...
What are you talking about?
-- whiteflags
Old 12-18-2009, 04:20 PM   #15
Mysterious C++ User
Join Date: Oct 2007
Posts: 16,078
Taking the address of a function without the &.
-- Elysia