🏳️
The CTF Recipes
  • Introduction
  • Cryptography
    • Introduction
    • General knowledge
      • Encoding
        • Character encoding
          • ASCII
          • Unicode
          • UTF-8
        • Data encoding
          • Base16
          • Base32
          • Base64
      • Maths
        • Modular arithmetic
          • Greatest Common Divisor
          • Fermat's little theorem
          • Quadratic residues
          • Tonelli-Shanks
          • Chinese Remainder Theorem
          • Modular binomial
      • Padding
        • PKCS#7
    • Misc
      • XOR
    • Mono-alphabetic substitution
      • Index of coincidence
      • frequency analysis
      • Well known algorithms
        • 🔴Scytale
        • 🔴ROT
        • 🔴Polybe
        • 🔴Vigenere
        • 🔴Pigpen cipher
        • 🔴Affine cipher
    • Symmetric Cryptography
      • AES
        • Block Encryption procedure
          • Byte Substitution
          • Shift Row
          • Mix Column
          • Add Key
          • Key Expansion / Key Schedule
        • Mode of Operation
          • ECB
            • Block shuffling
              • Challenge example
            • ECB Oracle
              • Challenge example
          • CBC
            • Bit flipping
              • Challenge example
            • Padding oracle
              • Challenge example
          • OFB
            • Key stream reconstruction
            • Encrypt to Uncrypt
  • 🛠️Pwn
    • General knowledge
      • STACK
        • Variables storage
        • Stack frame
      • PLT and GOT
      • HEAP
        • HEAP operations
        • Chunk
        • Bins
        • Chunk allocation and reallocation
      • Syscall
    • Architectures
      • aarch32
        • Registers
        • Instruction set
        • Calling convention
      • aarch64
        • Registers
        • Instruction set
        • Calling convention
      • mips32
        • Registers
        • Instruction set
        • Calling convention
      • mips64
        • Registers
        • Instruction set
        • Calling convention
      • x86 / x64
        • Registers
        • Instruction set
        • Calling convention
    • Stack exploitation
      • Stack Buffer Overflow
        • Dangerous functions
          • gets
          • memcpy
          • sprintf
          • strcat
          • strcpy
        • Basics
          • Challenge example
        • Instruction pointer Overwrite
          • Challenge example
        • De Bruijn Sequences
        • Stack reading
          • Challenge example
      • Format string
        • Dangerous functions
          • printf
          • fprintf
        • Placeholder
        • Data Leak
          • Challenge example
        • Data modification
          • Challenge example
      • Arbitrary code execution
        • Shellcode
        • ret2reg
        • Code reuse attack
          • Ret2plt
          • Ret2dlresolve
          • GOT Overwrite
          • Ret2LibC
          • Leaking LibC
          • Ret2csu
          • Return Oriented Programming - ROP
          • Sigreturn Oriented Programming - SROP
          • Blind Return Oriented Programming - BROP
            • Challenge example
          • 🔴Call Oriented Programming - COP
          • 🔴Jump Oriented Programming - JOP
          • One gadget
        • Stack pivoting
    • 🛠️Heap exploitation
      • Heap overflow
        • Challenge example
      • Use after free
        • Challenge example
      • 🛠️Double free
      • 🔴Unlink exploit
    • Protections
      • Stack Canaries
      • No eXecute
      • PIE
      • ASLR
      • RELRO
    • Integer overflow
Powered by GitBook
On this page
  • Prototype
  • Vulnerable example
  • Prevent
  1. Pwn
  2. Stack exploitation
  3. Stack Buffer Overflow
  4. Dangerous functions

strcpy

Prototype 

char * strcpy(char * dest, const char * src)

This function copies the string pointed to by src (including the terminating null character) to the array pointed to by dest. The dest array must be large enough to hold the entire string, including the terminating null character.

Vulnerable example

#include <string.h>

int main(int argc, char* argv[])
{
    char buffer[10];
    strcpy(buffer, argv[1]);
    return 0;
}

In this example, the buffer array is defined with a size of 10 bytes, but the strcpy function is used to copy the first command-line argument (which is passed to the program as argv[1]) into the buffer without checking the length of the argument. If the first command-line argument is longer than 10 bytes, strcpy will write beyond the bounds of the buffer array, potentially causing a buffer overflow.

Prevent

To prevent this vulnerability use the strlcpy function instead of strcpy. strlcpy is similar to strcpy, but it takes an additional argument that specifies the maximum number of characters to copy and ensure that the destination string is always null-terminated. This ensure that strlcpy does not write beyond the bounds of the destination buffer.

#include <string.h>

int main(int argc, char* argv[])
{
    char buffer[10];
    strlcpy(buffer, argv[1], sizeof(buffer));
    return 0;
}

In this example, the strlcpy function copies at most sizeof(buffer) - 1 characters from argv[1] to buffer.

It is also a good idea to check the length of argv[1] before calling strlcpy, to ensure that it is not longer than sizeof(buffer) - 1 characters. This can help to prevent a buffer overflow if the user passes a very long command-line argument to the program.

#include <string.h>

int main(int argc, char* argv[])
{
    char buffer[10];
    if (strlen(argv[1]) >= sizeof(buffer))
    {
        // Handle error - argv[1] is too long
    }
    else
    {
        strlcpy(buffer, argv[1], sizeof(buffer));
    }
    return 0;
}
PreviousstrcatNextBasics

Last updated 2 years ago

🛠️