1
#include <stdio.h>

int num1;
int num2;
int res;

static int add(void) {
    res = num1 + num2;
    printf("\nAnswer: %u", res);
}

static int sub(void) {
    res = num1 - num2;
    printf("\nAnswer: %u", res);
}

static int mal(void) {
    res = num1 * num2;
    printf("\nAnswer: %u", res);
}

static int div(void) {
    res = num1 / num2;
    printf("\nAnswer: %u", res);
}

void do_operator() {

    char op[1];

    printf("Enter an operator (+, -, *, /):");
    scanf("%s", &op);

    if (*op == '+')
    {
        add();
    }
    else if (*op == '*')
    {
        mal();
    }
    else if (*op == '-')
    {
        sub();
    }
    else if (*op == '/')
    {
        div();
    }
    else
    {
        printf("\nNo valid input: %s", op);
    }
}

int main() {
    printf("\nEnter number-1:");
    scanf("%u", &num1);
    
    printf("\nEnter number-2:");
    scanf("%u", &num2);
    
    do_operator();
    return 0;
}

Hey, I’m new to buffer overflow exploits. I’m trying to run this code and when giving input instead of the addition function running + run the multiplication function \* using buffer overflow. I have tried multiple different but non prevailed

Buffer overflow exploit the give code to execute multiplication function \* but the operator given is addition function +

chqrlie
  • 131,814
  • 10
  • 121
  • 189
Mr.Deadpool
  • 21
  • 1
  • `scanf("%s", &op);` says read a string and write it to `op`. A string has at least 1 readable character and the NUL terminator at the end, e.g., 2 characters. `op` has only space for 1. Why don't you just use `char op; scanf(" %c", &op);`? `%c` reads one character, which is what you want. – mch Jan 26 '23 at 08:53
  • `scanf("%s", &op);` is your target to overflow. `"%s"` without a *field-width* modifier will attempt to write as many characters to the address of `op` as you enter, overflowing as soon as you exceed the storage of `op`. (which is why filling a string with `"%s"` is no safer than using `gets()`) See. [Why gets() is so dangerous it should never be used!](https://stackoverflow.com/q/1694036/3422102) So you have your target -- now you need to know how many bytes you need to overflow to get to `mal()`. – David C. Rankin Jan 26 '23 at 09:09
  • You also need to fix your conversion specifier types (e.g. `"%u"` to `"%d"` or type type from `int` to `unsigned`. You need to either change your function types to `void` or add `return res;`. – David C. Rankin Jan 26 '23 at 09:19
  • See [How to do string buffter overflow with scanf function?](https://security.stackexchange.com/q/244249) – David C. Rankin Jan 26 '23 at 09:27

1 Answers1

0

The code has undefined behavior for multiple reasons:

  • you do not test the return values of scanf(), so invalid input will not be detected.

  • the functions add, sub, mal, div are defined to return an int value but the code does not have return statements.

  • you pass a 1 byte array for %s which will cause a buffer overflow unless at end of file. Furthermore, &op does not have the expected type for %s. A more reliable way to input the operation is

      if (scanf(" %c", op) == 1) {
      /* operation was read as a single character */
  } else {
      /* unexpected end of file or input error */
  }

It is very difficult to exploit these flaws to make the code call mal() instead of add(), but here is an example where invalid input will appear to use multiplication instead of addition:

Enter number-1:0+ 1

Enter number-2:Enter an operator (+, -, *, /):
Answer: 0
chqrlie
  • 131,814
  • 10
  • 121
  • 189
  • How would `0+ 1` make `0` and `1` appear in their respective variable though? Aren't you actually doing `0` -> num1, `+` -> oops scanf fails, `num2` remains untouched (zero). 0 + 0 = 0. – Lundin Jan 26 '23 at 10:37
  • @Lundin: yes, your analysis is correct, the second `scanf("%u", &num2);` will fail, return `0` and leave `num2` unchanged, hence still zero as `num2` is an uninitialized global variable thereby initialized to zero in its type. The third `scanf` will read the `+` and store a null terminator beyond the end of the `op` array (undefined behavior ignored for the purpose of this example). The function `add` will be called and perform `0 + 0` producing and printing `0`. – chqrlie Jan 26 '23 at 11:05