我正在尝试编写一个非常简单的程序,强调如何使用缓冲区溢出漏洞来绕过受密码保护的系统。代码如下:
#include <stdio.h>
#include <string.h>
int main(void)
{
char buff[15];
char tempbuff[15];
int pass = 0;
printf("\n Enter a password of length between 1 and 15 characters : \n");
gets(buff);
//strcpy("%s",buff);
printf("\n Enter your password : \n");
gets(tempbuff);
//strcpy("%s",tempbuff);
if(strcmp(tempbuff, buff))
{
printf ("\n Wrong Password \n");
}
else
{
printf ("\n Correct Password \n");
pass = 1;
}
if(pass)
{
/* Now Give root or admin rights to user*/
printf ("\n Root privileges given to the user \n");
}
return 0;
}
本质上,当我第二次被要求输入密码时,我试图通过输入一个大于 15 个字符的字符串来将 pass 变量的值从 0 更改为 1。但是,到目前为止我还不能这样做。任何帮助将不胜感激!
最佳答案
只需更改您的代码,我就能够在 OS X 中利用您的程序。那就是在tempbuff之前定义pass。在 tempbuff 之前声明 pass 意味着 pass 被放置在堆栈上的 tempbuff 之后,因此溢出 tempbuff 将覆盖 pass。我能够在 lldb(或 gdb)中检查 pass 和 tempbuff 的地址。
我还使用 -fno-stack-protector 选项编译了它。
#include <stdio.h>
#include <string.h>
int main(void)
{
char buff[15];
int pass = 0;
char tempbuff[15];
printf("\n Enter a password of length between 1 and 15 characters : \n");
gets(buff);
printf("\n Enter your password : \n");
gets(tempbuff);
if(strcmp(tempbuff, buff))
{
printf ("\n Wrong Password \n");
}
else
{
printf ("\n Correct Password \n");
pass = 1;
}
if(pass)
printf ("\n Root privileges given to the user \n");
return 0;
}
编译:gcc -Wall -Wextra -O0 -g -fno-stack-protector buf.c -o buf
这是输入序列:
safepassword
1234567890123456
这是输出:
$ ./buf < over
Enter a password of length between 1 and 15 characters :
warning: this program uses gets(), which is unsafe.
Enter your password :
Wrong Password
Root privileges given to the user
关于c - 简单的缓冲区溢出漏洞利用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33558841/