FILO and why it is not working properly in VBox

So I have two versions of the stated code. In the first version, the variable "auth_flag" that holds the value from an authentication check is typed before the variable "password_buffer" that holds the password entered from the cmdLine. According to FILO, the compiler read in "auth_flag" first and stored it into the stack frame. Then the "password_buffer" is read in and stored before "auth_flag". So "password_buffer" is stored before "auth_flag" in the stack frame. To be exact, "password_buffer" is 28 bytes before "auth_flag". So when I write 29 bytes (29 chars) into the cmdLine, this value gets stored into "password_buffer", which then overflows into "auth_flag", allowing access even though the input was not one of the 2 acceptable passwords. So when I swap the "auth_flag" with "password_buffer" in the second version of the code, it should also swap in the stack frame. "auth_flag" should be before "password_buffer" in the stack frame, which would then not allow me to perform this type of overflow attack. But when I check the stack, "auth_flag" still appears after "password_buffer". This is the issue I am having. I'm running Kali in a VBox, which is running gcc version 4.9.2 (Debian 4.9.2-10).

  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <string.h>
  4.  
  5. int check_authentication(char *password) {
  6.         int auth_flag = 0;
  7.         char password_buffer[16];
  8.  
  9.         strcpy(password_buffer, password);
  10.  
  11.         if(strcmp(password_buffer, "brillig") == 0)
  12.                 auth_flag = 1;
  13.         if(strcmp(password_buffer, "outgrabe") == 0)
  14.                 auth_flag = 1;
  15.  
  16.         return auth_flag;
  17. }
  18.  
  19. int main(int argc, char *argv[]) {
  20.         if(argc < 2) {
  21.                 printf("Usage: %s <password>\n", argv[0]);
  22.                 exit(0);
  23.         }
  24.         if(check_authentication(argv[1])) {
  25.                 printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
  26.                 printf("      Access Granted.\n");
  27.                 printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
  28.         } else {
  29.                 printf("\nAccess Denied.\n");
  30.         }
  31. }
Attached Images
File Type: jpg overflow_S1.jpg (35.8 KB, 80 views)
File Type: jpg overflow_S2.jpg (42.1 KB, 88 views)
File Type: jpg overflow_S3.jpg (39.3 KB, 94 views)
File Type: jpg overflow2_S1.jpg (35.9 KB, 88 views)
File Type: jpg overflow2_S2.jpg (41.8 KB, 97 views)
Feb 6 '16 #1
weaknessforcats
9,208 Expert Mod 8TB
I'm not quite sure I understand your problem. However, in your main() when access is denied the process follows the same flow as when access is granted. But then I'm not sure this is the complete main.

The .jpg files are not readable.

Please post again with info that I can read.
Feb 6 '16 #2
donbock
2,426 Expert 2GB
Not sure I understand. Are you concerned that the order of variable storage in memory doesn't match the order of variable definitions in the source code? If so, the answer is simple: the C Standard imposes no such obligation on compiler implementations. The order of variable storage is determined by the designer of each compiler implementation.

If you must control the order of variables in memory, then express the variables as fields within a structure. The Standard does require structure fields to be allocated in the same order that they are defined. However, there may be pad bytes between successive structure fields.
Feb 6 '16 #3
So I have two versions of the stated code. In the first version, the variable "auth_flag" that holds the value from an authentication check is typed before the variable "password_buffer" that holds the password entered from the cmdLine. According to FILO, the compiler read in "auth_flag" first and stored it into the stack frame. Then the "password_buffer" is read in and stored before "auth_flag". So "password_buffer" is stored before "auth_flag" in the stack frame. To be exact, "password_buffer" is 28 bytes before "auth_flag". So when I write 29 bytes (29 chars) into the cmdLine, this value gets stored into "password_buffer", which then overflows into "auth_flag", allowing access even though the input was not one of the 2 acceptable passwords. So when I swap the "auth_flag" with "password_buffer" in the second version of the code, it should also swap in the stack frame. "auth_flag" should be before "password_buffer" in the stack frame, which would then not allow me to perform this type of overflow attack. But when I check the stack, "auth_flag" still appears after "password_buffer". This is the issue I am having. I'm running Kali in a VBox, which is running gcc version 4.9.2 (Debian 4.9.2-10).
Feb 6 '16 #4
I'm sure no one will do this, but if you save the images you can view them fine. I'm having trouble resizing without affecting the image itself.
Feb 6 '16 #5
weaknessforcats
9,208 Expert Mod 8TB
Just remember that there are no stacks in C. Stacks are implementation designs; therefore, your results will vary based on the compiler you use.
Feb 6 '16 #6
donbock
2,426 Expert 2GB
As I said earlier, you cannot control where the compiler chooses to put variables in memory.

The solution to a buffer overflow is to stop overflowing the buffer, not to make the overflow tolerable. You know how big the buffer is - don't allow any more characters than that.

You could use strncpy instead of strcpy on line 9.
On the other hand, why are you copying the password at all? Why not strcmp password itself?
Feb 7 '16 #7
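The fixes suggested in #7, together with the structure layout rule from #3, as an added example that is not part of the original thread. The names `struct auth_state`, `PASSWORD_MAX`, `check_authentication_bounded`, `check_authentication_direct` and `flag_precedes_buffer` are made up for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PASSWORD_MAX 16   /* same buffer size as the posted code */

/* Members of a struct are laid out in declaration order (post #3),
 * unlike separate locals; pad bytes between them are still allowed. */
struct auth_state {
    int  auth_flag;
    char password_buffer[PASSWORD_MAX];
};

/* Bounded copy: strncpy alone leaves the buffer unterminated when the
 * input is 16 bytes or longer, so oversize input is rejected first. */
int check_authentication_bounded(const char *password) {
    struct auth_state st = {0};

    if (password == NULL || strlen(password) >= sizeof st.password_buffer)
        return 0;                        /* too long: deny, never truncate */
    strncpy(st.password_buffer, password, sizeof st.password_buffer - 1);
    st.password_buffer[sizeof st.password_buffer - 1] = '\0';

    if (strcmp(st.password_buffer, "brillig") == 0 ||
        strcmp(st.password_buffer, "outgrabe") == 0)
        st.auth_flag = 1;
    return st.auth_flag;
}

/* Copy-free variant: compare the caller's string directly. */
int check_authentication_direct(const char *password) {
    if (password == NULL)
        return 0;
    return strcmp(password, "brillig") == 0 ||
           strcmp(password, "outgrabe") == 0;
}

/* 1 if auth_flag sits at a lower offset than password_buffer. */
int flag_precedes_buffer(void) {
    return offsetof(struct auth_state, auth_flag) <
           offsetof(struct auth_state, password_buffer);
}

int main(void) {
    printf("flag before buffer: %d\n", flag_precedes_buffer());
    printf("oversize input: %d\n",
           check_authentication_bounded("AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

Neither check depends on where the compiler places `auth_flag`: the bounded version never writes past the 16-byte buffer, and the direct version has no buffer to overflow.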
