Code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define salt "AAAAA"
#define name1 "Alice"
#define pass1 "Alice123"
#define name2 "Bob"
#define pass2 "Bob12345"
#define name3 "Chris"
#define pass3 "Chris123"
void foo(const char* input)
{
char buf[10];
printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
//Pass the user input straight to secure code public enemy #1.
strcpy(buf, input);
printf("%s\n", buf);
printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
}
int update(int money)
{
money=money+2000;
printf("Augh! I've been hacked!\n");
return money;
}
int main(int argc, char *argv[])
{ char * name;
char * pass;
int money1=1234;
int money2=2533;
int money3=4567;
printf("Address of foo is: %p\n", foo);
printf("Address of update is: %p\n", update);
if(argc != 3)
{ printf("Usage: Your_Username Your_Password\n");
exit(1);
}
name=argv[1];
pass=argv[2];
if(strcmp(name,name1) == 0 && strcmp(pass,pass1) == 0)
{
printf("Welcome Alisa, Your balance is: $ %i", money1);
foo(argv[2]);
}
else if(strcmp(name,name2) == 0 && strcmp(pass,pass2) == 0)
{
printf("Welcome Bob, Your balance is: $ %i", money2);
foo(argv[2]);
}
else if(strcmp(name,name3) == 0 && strcmp(pass,pass3) == 0)
{
printf("Welcome Chris, Your balance is: $ %i", money3);
foo (argv[2]);
}
else
{
printf("Wrong username and password");
}
return 0;
}
That is the code i have, now i want to cause a buffer overrun. The buffer overrun is caused by misuse of a password input and can be exploited by manipulating a password input
Let's assume that everyone have 8 characters of password. A malicious customer could enter oversized password to invoke the update function in an attack.
Before that, a user have to enter their username and password to access the program.
StoredSalt+StoredPassword == StoredSalt+EnteredPassword.
I want to use strcat. A concatenation of a password and a salt code in arrays could cause a buffer overrun.
I have no idea how to do that. Can anyone help me. And is there any ways to prevent buffer overrun?