
I am learning C and decided to play around with the code. I can figure out the password because of a bug in my code: writing any characters, but at the 108th character writing the letter K, overwrites the trigger variable and I can print the message inside. I was wondering, is there a way to do the same (print the message inside) by changing the return address in my code? If any more details are needed please let me know.

My code:

```c
#include <stdio.h>
#include <stdlib.h>   /* for exit() */

char getdata() {
  int trigger = 'A';
  char data[100];
  gets(data);          /* unbounded read: a line longer than data[] spills into neighbouring stack memory */
  return (char) trigger;
}
void login() {
  printf("inside!\n");
  exit(0);
}
void main() {
  printf("enter ");
  if (getdata() == 'K') {
    login();
  } else {
    printf("wrong.\n");
    exit(1);
  }
}
```

I want the output to be: when the user enters some password (it could be anything) it should print inside, and that should even work while I have Address Space Layout Randomisation on.

  • @Inian Sorry that was a typo. I have edited my code. –  Sep 25 '20 at 11:56
  • Don't use `gets()` function! See [Why is the gets function so dangerous that it should not be used?](https://stackoverflow.com/q/1694036/5291015) – Inian Sep 25 '20 at 11:56
  • What do you want, to read a char or a string? – bruno Sep 25 '20 at 11:57
  • @bruno I want to be able to print the message `inside` by changing the return address, so it does not matter I guess if its a string or char. –  Sep 25 '20 at 11:58
  • [Edit] your question and add an example of input, as well as the actual and the expected output. – Jabberwocky Sep 25 '20 at 11:59
  • @Sky currently *getdata* always returns 'A' => `(getdata() == 'K')` is always false and you cannot call *inside* – bruno Sep 25 '20 at 11:59
  • @bruno Yeah, I know that so is there a way to make it work by changing the return address? –  Sep 25 '20 at 12:00
  • What about having `char getdata() { return getchar(); }`? Or directly replace the call to *getdata* by *getchar*? The problem is not the return *address* but the return *value* – bruno Sep 25 '20 at 12:01
  • @bruno If I do that can I print the message `inside`? If so could you explain a bit more please –  Sep 25 '20 at 12:01
  • @Sky just replace the definition, compile, then run your program and enter K – bruno Sep 25 '20 at 12:02
  • @Sky look at my answer – bruno Sep 25 '20 at 12:06
  • @bruno If I do that and enter K it prints nothing, and if I press enter again it prints `wrong` rather than `inside` –  Sep 25 '20 at 12:07
  • @Sky again look at my answer ;-) – bruno Sep 25 '20 at 12:07
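The bounded alternative that Inian's comment points at, as an added example that is not the question's or the answer's code: the same getdata() with gets() replaced by fgets(), reading from a FILE* (an assumption made here so it can be driven with constructed input) and returning trigger, so you can see that an over-long line no longer changes it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for the question's getdata(): fgets() stores at most
 * sizeof(data)-1 bytes, so an over-long line cannot run past data[] into
 * trigger; leftovers of a truncated line are drained so later reads are clean. */
char getdata_from(FILE *in) {
  int trigger = 'A';
  char data[100];
  if (fgets(data, sizeof data, in) == NULL) {
    return 0;                      /* EOF or read error: nothing was read */
  }
  size_t len = strcspn(data, "\n");
  if (data[len] == '\n') {
    data[len] = '\0';              /* whole line fitted: strip the newline */
  } else {
    int c;                         /* line was truncated: discard the rest */
    while ((c = fgetc(in)) != EOF && c != '\n') { }
  }
  return (char) trigger;
}

/* Feed one constructed line to getdata_from() through an ISO C tmpfile(). */
char getdata_from_string(const char *line) {
  FILE *f = tmpfile();
  if (f == NULL) return 0;
  fputs(line, f);
  rewind(f);
  char r = getdata_from(f);
  fclose(f);
  return r;
}

/* Constructed input shaped like the one in the question: `filler` bytes of
 * padding followed by 'K' and a newline.  Returns what trigger came back as. */
char overlong_probe(size_t filler) {
  char *line = malloc(filler + 3);
  if (line == NULL) return 0;
  memset(line, 'x', filler);
  line[filler] = 'K'; line[filler + 1] = '\n'; line[filler + 2] = '\0';
  char r = getdata_from_string(line);
  free(line);
  return r;
}

int main(void) {
  printf("trigger after 107 bytes of padding + 'K': %c\n", overlong_probe(107));
  return 0;
}
```

With the original gets() version the same 108-byte line is what the question reports as overwriting trigger; here trigger comes back as 'A' whatever the line length.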

1 Answer

If I understand correctly, you want something like this:

```c
#include <stdio.h>
#include <stdlib.h>

char getdata() {
  return getchar();
}
void login() {
  printf("inside!\n");
  exit(0);
}
int main() {  // warning main returns an int, not void
  printf("enter ");
  if (getdata() == 'K') {
    login();
  } else {
    printf("wrong.\n");
    exit(1);
  }

  return 0;
}
```

Compilation and execution:

```
/tmp % gcc -Wall c.c
/tmp % ./a.out
enter K
inside!
/tmp % ./a.out
enter s
wrong.
/tmp %
```

(In the first case I enter K<return> and in the second s<return>, but the character(s) entered after the first character do not matter, because they are not read.)

bruno
  • Yes, it works. But is it possible to change the return address but still keep the rest of the code inside `getdata()`, so not changing a lot except the return address? –  Sep 25 '20 at 12:10
  • Since the beginning I do not understand what you mean by `return address`, can you please explain? – bruno Sep 25 '20 at 12:11
  • I mean I need to make the same code work while the ASLR is on as well. Do you think this will work? –  Sep 25 '20 at 12:11
  • @Sky *ASLR*? What is that? – bruno Sep 25 '20 at 12:12
  • It is Address Space Layout Randomisation –  Sep 25 '20 at 12:13
  • @Sky again and again, **address of what?** – bruno Sep 25 '20 at 12:13
  • By address I meant `return address of getdata()` –  Sep 25 '20 at 12:15
  • *getdata* is declared to return a *char*, it does not return an address. I already asked you whether you want to read a char or a string ... – bruno Sep 25 '20 at 12:15
  • What do you think would be considered return address in all of my code then? I am new to C so not sure. –  Sep 25 '20 at 12:16
  • What you say makes no sense, you can get/return the address of a function/variable but not *all the code*, and what for? You are very unclear – bruno Sep 25 '20 at 12:17
  • Sorry, all I meant is to make it print `inside` by changing the return address. If a function can get/return the address then there is only one function we can change which is `getdata()`, so I meant that. –  Sep 25 '20 at 12:19