Bytes IT Community

FILO and why it is not working properly in VBox

P: 15
So I have two versions of the stated code. In the first version, the variable "auth_flag" that holds the value from an authentication check is typed before the variable "password_buffer" that holds the password entered from the cmdLine. According to FILO, the compiler reads in "auth_flag" first and stores it into the stack frame. Then "password_buffer" is read in and stored before "auth_flag". So "password_buffer" is stored before "auth_flag" in the stack frame. To be exact, "password_buffer" is 28 bytes before "auth_flag". So when I write 29 bytes (29 chars) into the cmdLine, this value gets stored into "password_buffer", which then overflows into "auth_flag", allowing access even though the input was not one of the 2 acceptable passwords. So when I swap "auth_flag" with "password_buffer" in the second version of the code, it should also swap in the stack frame. "auth_flag" should be before "password_buffer" in the stack frame, which would then not allow me to perform this type of overflow attack. But when I check the stack, "auth_flag" still appears after "password_buffer". This is the issue I am having. I'm running Kali in a VBox, which is running gcc version 4.9.2 (Debian 4.9.2-10).

  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <string.h>
  4.  
  5. int check_authentication(char *password) {
  6.         int auth_flag = 0;                    /* declared first; its stack position is up to the compiler */
  7.         char password_buffer[16];             /* holds at most 15 characters plus the NUL terminator */
  8.  
  9.         strcpy(password_buffer, password);    /* unbounded copy: input longer than 15 chars writes past the buffer */
  10.  
  11.         if(strcmp(password_buffer, "brillig") == 0)
  12.                 auth_flag = 1;
  13.         if(strcmp(password_buffer, "outgrabe") == 0)
  14.                 auth_flag = 1;
  15.  
  16.         return auth_flag;
  17. }
  18.  
  19. int main(int argc, char *argv[]) {
  20.         if(argc < 2) {
  21.                 printf("Usage: %s <password>\n", argv[0]);
  22.                 exit(0);
  23.         }
  24.         if(check_authentication(argv[1])) {
  25.                 printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
  26.                 printf("      Access Granted.\n");
  27.                 printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
  28.         } else {
  29.                 printf("\nAccess Denied.\n");
  30.         }
  31. }
Attached images: overflow_S1.jpg, overflow_S2.jpg, overflow_S3.jpg, overflow2_S1.jpg, overflow2_S2.jpg
Feb 6 '16 #1
6 Replies


weaknessforcats
Expert Mod 5K+
P: 9,197
I'm not quite sure I understand your problem. However, in your main() when access is denied the process follows the same flow as when access is granted. But then I'm not sure this is the complete main.

The .jpg files are not readable.

Please post again with info that I can read.
Feb 6 '16 #2

Expert 100+
P: 2,400
Not sure I understand. Are you concerned that the order of variable storage in memory doesn't match the order of variable definitions in the source code? If so, the answer is simple: the C Standard imposes no such obligation on compiler implementations. The order of variable storage is determined by the designer of each compiler implementation.

If you must control the order of variables in memory, then express the variables as fields within a structure. The Standard does require structure fields to be allocated in the same order that they are defined. However, there may be pad bytes between successive structure fields.
Feb 6 '16 #3


P: 15
I'm sure no one will do this, but if you save the images you can view them fine. I'm having trouble resizing without affecting the image itself.
Feb 6 '16 #5

weaknessforcats
Expert Mod 5K+
P: 9,197
Just remember that there are no stacks in C. Stacks are implementation designs; therefore, your results will vary based on the compiler you use.
Feb 6 '16 #6

Expert 100+
P: 2,400
As I said earlier, you cannot control where the compiler chooses to put variables in memory.

The solution to a buffer overflow is to stop overflowing the buffer, not to make the overflow tolerable. You know how big the buffer is - don't allow any more characters than that.

You could use strncpy instead of strcpy on line 9.
On the other hand, why are you copying the password at all? Why not strcmp password itself?
Feb 7 '16 #7
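The two fixes suggested in this reply, written out as an added example (not code from the original poster or from any of the replies): one variant keeps the local buffer but refuses input that would not fit before copying, the other drops the copy and compares the caller's string in place, so no stack layout can make the check bypassable. The names check_authentication_bounded, check_authentication_nocopy and PASSWORD_MAX are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example: bounds-checked rewrites of check_authentication().
 * PASSWORD_MAX is an assumed limit matching the original 16-byte buffer. */
#define PASSWORD_MAX 15   /* 15 characters + NUL terminator = 16 bytes */

/* Variant 1: keep the local buffer, but reject over-long input before
 * anything is copied. Returns 1 for a valid password, 0 otherwise. */
int check_authentication_bounded(const char *password) {
    char password_buffer[PASSWORD_MAX + 1];
    int auth_flag = 0;

    /* argv strings are NUL-terminated, so strlen is safe here; anything
     * longer than the buffer holds is refused instead of truncated. */
    if (strlen(password) > PASSWORD_MAX)
        return 0;

    /* snprintf always NUL-terminates the destination, unlike strncpy */
    snprintf(password_buffer, sizeof password_buffer, "%s", password);

    if (strcmp(password_buffer, "brillig") == 0)
        auth_flag = 1;
    if (strcmp(password_buffer, "outgrabe") == 0)
        auth_flag = 1;
    return auth_flag;
}

/* Variant 2: no copy at all. strcmp reads the caller's string where it
 * is, so there is no local buffer whose overflow could reach auth_flag. */
int check_authentication_nocopy(const char *password) {
    return strcmp(password, "brillig") == 0 ||
           strcmp(password, "outgrabe") == 0;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: %s <password>\n", argv[0]);
        return 1;
    }
    /* both variants agree on every input, including ones longer than 15 chars */
    if (check_authentication_bounded(argv[1]) && check_authentication_nocopy(argv[1]))
        printf("Access Granted.\n");
    else
        printf("Access Denied.\n");
    return 0;
}
```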
