1

I found one interesting exercises on the net, it states that the specific input can overflow the buffer in such a way that the 'secret' will be printed to stdout.

I tried to figure it out by my self but I haven't done well.

Here is the code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void get_name(char *name, char *pr) {
    char local[20];
    printf("%s:",pr);
    gets(local);// BUG
    strncat(name,local,20);
}
int foo () {
    char name[28]="Hello..";
    char secret[12]="TOP SECRET";
    char buf[24];
    char n1[]="Enter your name";
    char n2[]="Enter Secret code"; 
    get_name(name,n1);
    memset(buf, 0, sizeof(buf));
    // Lets ONLY use strncpy for better control!!! 
    strncpy(buf, name, sizeof(buf));//BUG 
    printf("%s\n", buf); 
    memset(name,0,sizeof(name));
    get_name(name, n2);
    if (strncmp(secret,name,10)==0)
        printf("Welcome and %s\n",buf);
    else {printf("Wrong code, better try again..\n");}
    return 0;
}


int main(int argc, char **argv)
{
    foo();
    printf("Bye\n");
    return 0;
}
Axel Isouard
  • 1,498
  • 1
  • 24
  • 38
ro.Loon
  • 11
  • 3
  • 1
    I think the compilation line is missing, usually they write a comment like this : `// gcc -o -m32 buffer_overflow buffer_overflow.c -fno-stack-protector` on this kind of exercise. You need it (especially `-m32` and `-fno-stack-protector`) in order to achieved this challenge. – plean Oct 13 '16 at 10:37

1 Answers1

1

There is no way to know what the outcome of such buffer overflows will do. You can't know or assume what memory they will overwrite. Most likely they will only cause some sort of run-time crash. Any exploit would have to have a very specific system in mind. Which means that nobody would be able to answer your question without knowing the details of a given system.

What your "random internet person" is aiming for, is likely to overwrite the null termination of Hello.. with some garbage, so that the "TOP SECRET" string will get printed along with it. You can't assume that those two strings are allocated adjacently, however. You could try to type 28 letter long input to gets and see what happens... there are no guarantees of any given behavior. On my computer it does nothing exciting apart from printing some garbage. Reverse-engineering of my binary reveals that that's because the arrays are indeed not allocated adjacently.

In addition, your comments about strncpy are misguided, strncpy is dangerous and should be avoided, see this.

Community
  • 1
  • 1
Lundin
  • 195,001
  • 40
  • 254
  • 396
  • 1
    this comments aren't mine,they were provided together with the exercise – ro.Loon Oct 13 '16 at 09:54
  • 1
    @ro.Loon The person who wrote the exercise seem to lack in-depth knowledge about C. – Lundin Oct 13 '16 at 09:56
  • 2
    You seem to be answer different question that what is being asked. For example, use of `strncpy` in this code seems 100% intentional, and not one bit misguided (for the purpose of the code and the exercise). – hyde Oct 13 '16 at 10:56
  • @hyde The remark about strncpy is a side-note. But the use of that function is _always_ misguided, see the link. The correct use here would have been to use memcpy, since nothing in this code seems to be related to fixed-width Unix string formats from the early 1970s. – Lundin Oct 13 '16 at 13:24