#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strcmp() */

char user_name[20] = "                   ";
char password[20] = "                   ";
char users[][2][20] =
{ { "root", "98765" },
  { "me", "hello" },
  { "abc", "password" },
  { "", "" }          /* empty name marks the end of the table */
};

int check_name()
{
  int i;
  gets(user_name);    /* unbounded read into a 20-byte buffer: the overflow */
  gets(password);     /* same; a long line runs on past password[] */

  for(i=0; users[i][0][0] != 0; i++)
  {
    if(strcmp(user_name, users[i][0]) == 0 &&
       strcmp(password,  users[i][1]) == 0)
       return 1;
  }
  return 0;
}

void logon()
{
  printf("Welcome! \n");
  exit(1);
}

void reject()
{
  printf("Connection closed !\n");
  printf("Real username: \n");
  printf(users[0][0]);   /* debug print (see below); note the non-literal format string */
  printf("\n");
  printf("Real password: \n");
  printf(users[0][1]);
  printf("\n");
  exit(0);
}

int main(void)
{
  if(check_name())
    logon();
  else
    reject();
  return 0;
}

Hey guys, I kind of understand the theory behind buffer overflow, but I can't seem to make it work here.

Note that I added extra printf calls to output the real username and password, to see how much I overwrote in memory.

I tried writing a random letter x.

First I did: username = 20 xs, password = 60 xs, the output was:

Real user:
xxxxxxxxxxxxxxxxxxxxxxxxxxxx                    // 28 x's
Real pass:
xxxxxxxx                                        // 8 x's

So I added 12 xs to the password to make it the maximal size of 20, so password = 72 xs and the output was:

// with input user = 20 x's and pass = 72 x's

Real user:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx        // 40 x's
Real pass:
xxxxxxxxxxxxxxxxxxxx                            // 20 x's

Ultimately I thought by updating my input username to 40 xs it would work, but it didn't. Output was identical as the last one (40 x's for real user and 20 x's for real password) but still couldn't "hack" it.

I'm not sure what to do at this point. Thanks in advance!



You have to understand what constitutes a string in C. Something like printf will continue to print bytes out of a string until it hits a NULL character. Embedding a string in a program the way you did (foo="barbaz") automatically includes a null character.

A buffer overflow error happens when a program reads a string into a fixed length buffer, but the input is larger than the buffer. For instance, if I have char username[8], but the user inputs supercalifragilisticexpialidocious.

Obviously, the input is larger than the buffer, and if the program allows all the input in, it will continue to overwrite whatever is in memory beyond the username.

In this situation, a clever enough hacker can overwrite the memory in a way that would provide her with access to parts of the program or data she wouldn't normally have access to.

So, to answer your question, because of how you constructed the program using strings completely defined within the compiled part of the code, you cannot have a buffer overflow error.

Try accepting unbounded user input, and then putting more data in than the buffer can accept, to see what happens to the resulting memory blocks.

PaulProgrammer
  • Nit (technically a *nul-character*) see [ASCII Table and Description](http://www.asciitable.com/), `NULL` is a pointer. – David C. Rankin Nov 13 '20 at 22:31
  • Hi, thanks for answering. The source code is provided to us as a school assignment, I only added the "printf" commands to output the state of the *users* array and see what the "real" username and passwords are. It is, at least according to our assignment, supposed to be "easily crackable" with buffer overflow. As I mentioned, I managed to overwrite the original contents of the "users" array. I'm just stuck playing with how many "x"s I need to input for it to work. – ShomaliParty Nov 13 '20 at 22:35
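The following is an added example, not code from the question, the answer, or the assignment. It models the three globals in a struct with explicit padding, replays the asker's two experiments through a gets()-style unbounded copy, and puts the bounded (fgets-style) read beside it. The layout is an assumption: placing each 20-byte array on a 32-byte boundary (password at +32, users at +64 from user_name) is one arrangement that reproduces the "28 x's / 8 x's" and "40 x's / 20 x's" output; the real placement of globals is decided by the compiler and linker and may differ. The names `read_line`, `visible_after`, `check_name_model` and the `OFF_*` constants are mine, and all inputs are constructed in the code.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout (illustration only): the "28 x's / 8 x's" output is what
 * you get if each 20-byte array starts on a 32-byte boundary, i.e. password
 * at +32 and users at +64 from user_name.  Real placement of globals is up to
 * the compiler and linker; a struct with explicit padding pins it down here. */
struct globals {
    char user_name[20], pad0[12];
    char password[20], pad1[12];
    char users[4][2][20];
};
enum { OFF_USER = 0, OFF_PASS = 32, OFF_REAL_USER = 64, OFF_REAL_PASS = 84 };

static void reset(struct globals *g)
{
    memset(g, 0, sizeof *g);              /* users[3] stays "" / "": terminator */
    strcpy(g->users[0][0], "root"); strcpy(g->users[0][1], "98765");
    strcpy(g->users[1][0], "me");   strcpy(g->users[1][1], "hello");
    strcpy(g->users[2][0], "abc");  strcpy(g->users[2][1], "password");
}

/* Read one constructed line into dst.  bounded == 0 behaves like gets():
 * the whole line plus a NUL is written with no limit, so a long line runs on
 * into whatever follows dst.  bounded != 0 behaves like a checked fgets():
 * never more than size bytes, and a line that does not fit is rejected. */
static int read_line(char *dst, size_t size, const char *line, int bounded)
{
    size_t n = strlen(line);
    if (bounded && n >= size)
        return -1;
    memcpy(dst, line, n + 1);
    return 0;
}

/* Length of the string printf("%s") would see at byte offset off: scan to the
 * first NUL, never past the end of the struct. */
static size_t visible_len(const struct globals *g, size_t off)
{
    const unsigned char *p = (const unsigned char *)g;
    size_t n = 0;
    while (off + n < sizeof *g && p[off + n] != '\0')
        n++;
    return n;
}

static void fill_x(char *line, size_t n)
{
    memset(line, 'x', n);
    line[n] = '\0';
}

/* Replay the asker's experiment (user_len x's, then pass_len x's through the
 * unbounded read) and report the visible string length at off. */
size_t visible_after(size_t user_len, size_t pass_len, size_t off)
{
    struct globals g;
    char line[128];
    reset(&g);
    fill_x(line, user_len);
    read_line(g.user_name, sizeof g.user_name, line, 0);
    fill_x(line, pass_len);
    read_line(g.password, sizeof g.password, line, 0);
    return visible_len(&g, off);
}

/* check_name over the modelled layout.  bounded == 0 is the original
 * (gets-style) logic; bounded != 0 is the hardened version, where over-long
 * input is rejected and the table can no longer be clobbered. */
int check_name_model(const char *user_line, const char *pass_line, int bounded)
{
    struct globals g;
    int i;
    reset(&g);
    if (read_line(g.user_name, sizeof g.user_name, user_line, bounded) != 0 ||
        read_line(g.password, sizeof g.password, pass_line, bounded) != 0)
        return 0;
    for (i = 0; g.users[i][0][0] != '\0'; i++)
        if (strcmp(g.user_name, g.users[i][0]) == 0 &&
            strcmp(g.password, g.users[i][1]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    char u[128], p[128];
    printf("20/60 x's: real user %zu x's, real pass %zu x's\n",
           visible_after(20, 60, OFF_REAL_USER), visible_after(20, 60, OFF_REAL_PASS));
    printf("20/72 x's: real user %zu x's, real pass %zu x's\n",
           visible_after(20, 72, OFF_REAL_USER), visible_after(20, 72, OFF_REAL_PASS));
    fill_x(u, 40); fill_x(p, 72);
    printf("40/72 x's: user_name now reads as %zu x's, unbounded check_name -> %d, "
           "bounded check_name -> %d\n",
           visible_after(40, 72, OFF_USER), check_name_model(u, p, 0), check_name_model(u, p, 1));
    return 0;
}
```

Under this layout the model makes the asker's numbers explicit: a 72-character password puts its terminating NUL at offset 104, which is users[1][0][0], so the table now ends after the clobbered entry 0, and users[0][0] reads as the 40 bytes from 64 up to that NUL. The 40-character username attempt fails for a reason the printed table does not show: the password write also overwrote user_name's own terminator, so user_name reads as 104 x's and can never equal the 40-x users[0][0]. The hardened path is the same loop with the reads bounded and over-long lines rejected rather than truncated; since the rest of the layout no longer matters, the table survives any input. One further caveat on the debug lines: `printf(users[0][0])` passes overflowed, attacker-controlled bytes as a format string, so any `%` in the input would be interpreted by printf; use `printf("%s", users[0][0])` even for debugging.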