Thread: strcmp buffer overflow

  1. #1
    Registered User
    Join Date
    Nov 2010
    Posts
    6

    Question strcmp buffer overflow

    Can you check this out: C | #include <stdio.h> char use - Anonymous - PLhjE5cG - Pastebin.com

    The executable file takes one argument, a txt file that contains username and password.
    I realize that the strcmp can be overflowed to overwrite the adjacent variables, but I don't know how to do it since I am new to this field.

    Can you please tell me what kind of "input" I can use to overflow the function and thus be able to get the system to print "Welcome.." instead of "Connection refused", without knowing the user/pass combination?

    I would really appreciate it, thanks!

  2. #2
    Registered User claudiu's Avatar
    Join Date
    Feb 2010
    Location
    London, United Kingdom
    Posts
    2,094
    Ehh no! Unless you can prove that this is for some school assignment we don't help people with a nefarious agenda.
    1. Get rid of gets(). Never ever ever use it again. Replace it with fgets() and use that instead.
    2. Get rid of void main and replace it with int main(void) and return 0 at the end of the function.
    3. Get rid of conio.h and other antiquated DOS crap headers.
    4. Don't cast the return value of malloc, even if you always always always make sure that stdlib.h is included.

  3. #3
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    strcmp is not prone to buffer overflows...
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  4. #4
    Registered User
    Join Date
    Nov 2010
    Posts
    6
    Hi again,

    It is a school assignment; it's the first part of two parts, but I need to get this done first, then I need to know what the reasons are that it was causing an overflow and try to fix it. The program is very simple, it's really an academic example. But I am very new to all this.

    Thanks again

  5. #5
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    > for(i=(unsigned)-3; i && !check_name(); i++);
    Who's teaching you this rubbish?

    i = 0 ; i < 3 ; i++
    If you want it to be obvious to 99% of programmers.

    Overflow should be easy, you use gets().
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  6. #6
    Registered User
    Join Date
    Nov 2010
    Posts
    6
    Quote Originally Posted by Salem View Post
    > for(i=(unsigned)-3; i && !check_name(); i++);
    Who's teaching you this rubbish?

    i = 0 ; i < 3 ; i++
    If you want it to be obvious to 99% of programmers.

    Overflow should be easy, you use gets().
    Thanks for your reply. Well, it is an academic example, so it's not a real program. The problem is that I don't know how to buffer overflow it. Can you please try to explain to me, on his program, how I can overflow gets() so it prints Welcome instead of Refused?

    Thanks!

  7. #7
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    The solution is simple: enter more than 19 characters in the username or password input. Then you've created a buffer overrun. To manipulate data in the program, such as changing the built-in username/password array that you have, is difficult, however.

  8. #8
    Registered User
    Join Date
    Nov 2010
    Posts
    6
    Quote Originally Posted by Elysia View Post
    The solution is simple: enter more than 19 characters in the username or password input. Then you've created a buffer overrun. To manipulate data in the program, such as changing the built-in username/password array that you have, is difficult, however.
    But the idea is to try and get the program to print Welcome and not just exit. I was told I need to try and change the value of "i" to be able to get it to think I have entered a right user/pass combo. But what kind of character sequence do I have to put after the first 19 chars to do that?

  9. #9
    Registered User
    Join Date
    Nov 2010
    Posts
    6
    Okay, so I tried putting a lot of characters into the txt file and the exec file crashed. However, no matter how many or what chars I use, the EIP still has the same value. What am I doing wrong?

  10. #10
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    Quote Originally Posted by ligrec View Post
    Okay, so I tried putting a lot of characters into the txt file and the exec file crashed. However, no matter how many or what chars I use, the EIP still has the same value. What am I doing wrong?
    The more appropriate question is.... What is it doing right?

    If you can't befoul it, that's a good thing.

  11. #11
    Registered User
    Join Date
    Nov 2010
    Location
    Long Beach, CA
    Posts
    5,909
    I was told I need to try and change the value of "i" to be able to get it to think I have entered a right user/pass combo.
    Who told you that? user_name, password and users are global variables, residing in the data portion of memory, with a very small address. i is a stack variable, living way up in the high memory addresses. Overflowing them to change the value of i would require megabytes or gigabytes of data. And you have to know exactly where to stop to avoid overwriting any other important values on the stack, like other variables, function return addresses, etc. That's obviously impractical; are you sure you didn't misunderstand? Overflowing into the users table is relatively easy, requiring 40ish characters, and the program gives me a welcome prompt with my bogus username and password.

  12. #12
    Registered User
    Join Date
    Nov 2010
    Posts
    6
    Quote Originally Posted by anduril462 View Post
    Who told you that? user_name, password and users are global variables, residing in the data portion of memory, with a very small address. i is a stack variable, living way up in the high memory addresses. Overflowing them to change the value of i would require megabytes or gigabytes of data. And you have to know exactly where to stop to avoid overwriting any other important values on the stack, like other variables, function return addresses, etc. That's obviously impractical; are you sure you didn't misunderstand? Overflowing into the users table is relatively easy, requiring 40ish characters, and the program gives me a welcome prompt with my bogus username and password.
    Okay, after reading (and watching!) a lot of articles (and videos), I think I can update my understanding of the problem to the following:

    1. gets() is the vulnerable function, not strcmp()
    2. I don't need to overflow so I can rewrite "i"; I need to overflow so I can redirect the program to the function called "logon", that way it prints Welcome to me

    The problem I am still facing is that, no matter how many bogus characters I put into the file, the EIP is never rewritten! It still holds the same value. I have attached the error reporting when the exe file crashes the command prompt. Hopefully it's of any guidance.

    Also, how can I overflow it into the users table? That seems an interesting idea... how did you do it?

    Thank you all

  13. #13
    Registered User
    Join Date
    Nov 2010
    Location
    Long Beach, CA
    Posts
    5,909
    You're not going to be able to overflow EIP. That's a CPU register, and doesn't have a memory address the way variables do. As for the hack...

    You now know that gets is susceptible to buffer overflows. You need to understand where your different structures/variables lie in memory and how much space they take up. The space thing is pretty easy, since a char is 1 byte and user_name has 20 of them, as does password. users has 2*20*4 of them, but it's more important to realize that you have something like (it's making me use code tags).
    Code:
    user_name: {"                    "}
    password: {"                    "}
    users:
    {'r', 'o', 'o', 't', '\0'...'9', '8', '7', '6', '5', '\0'...}
    {'m', 'o', 'i', '\0'...}
    ...
    user_name comes first in memory, then password, then users. Thus, extra stuff that you type into the user_name prompt will overflow into password, then into the users table. Any extra stuff you type into password would only overflow into users. The idea is that you put a carefully crafted string into user_name, that will ultimately write different info into users (giving you a "valid" users entry of, say "1337", "hax0r" as a login & password). Remember that gets is going to put a null character at the end of your input.

    I had a bit of a gap between the end of password and the beginning of users, but that may vary for you due to different architectures, compilers, compiler optimizations, etc. You may need to run this through a debugger or throw in some printf("%p", ...) statements to get the exact addresses of user_name, password and users to know exactly how long to make your bogus user name and password.
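As an added example (not the Pastebin program from the thread and not any poster's code): a bounded replacement for gets() along the lines of claudiu's advice in #2, checking a username/password pair against a table laid out like the 20-byte user_name/password fields anduril462 describes in #13. FIELD_LEN, the table contents and the helper names are assumptions. An over-long line is drained and refused rather than truncated, so extra input can never reach the adjacent field or the users table.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_LEN 20  /* the 20-byte user_name/password fields from the thread (assumed) */

/* Constructed credential table; the real program's table is not on the page. */
struct creds { char user[FIELD_LEN]; char pass[FIELD_LEN]; };
static const struct creds users[] = { {"root", "98765"}, {"moi", "moi"} };
/* Bounded replacement for gets(): reads one line into buf[n] and strips the newline.
   Returns 1 on success, 0 at EOF with nothing read, -1 if the line did not fit.
   An over-long line is drained and rejected, so nothing ever spills past buf. */
static int read_line(FILE *fp, char *buf, size_t n)
{
    if (n == 0 || fgets(buf, (int)n, fp) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c = fgetc(fp);
    if (c == EOF || c == '\n')      /* line fit exactly, or last line lacks a newline */
        return 1;
    while (c != '\n' && c != EOF)   /* discard the rest of the over-long line */
        c = fgetc(fp);
    return -1;
}

/* Reads "user\npass\n" from fp. Returns 1 if the pair matches a table entry, 0 if not,
   -1 if a line is missing or exceeded its field (refused rather than silently truncated). */
static int login_from_file(FILE *fp)
{
    char user_name[FIELD_LEN], password[FIELD_LEN];
    if (read_line(fp, user_name, sizeof user_name) != 1) return -1;
    if (read_line(fp, password, sizeof password) != 1) return -1;
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].user, user_name) == 0 && strcmp(users[i].pass, password) == 0)
            return 1;
    return 0;
}

/* Convenience wrapper: feeds a constructed credential file from a string. */
static int login_from_string(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    fputs(text, fp);
    rewind(fp);
    int rc = login_from_file(fp);
    fclose(fp);
    return rc;
}
```

A 19-character line still fits the 20-byte field; a 20-character line is refused, which is the cut-off the original gets() never enforced.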
