Tags: c, security, buffer-overflow, penetration-testing

Stack or Heap based Buffer overflow? How to Exploit it?


https://pastebin.com/BEvvTmjc

int auth_flag = 0;
char *password_buffer;
char *dept;
 
password_buffer = (char *) malloc (16);   /* fixed 16-byte heap chunk for the password */
dept = (char *) malloc(10);
 
strcpy(password_buffer, password);        /* unbounded copy: a password longer than 15 bytes runs past the 16-byte chunk */

Not sure which buffer overflow it is; I spent the whole day on it. 1064 bytes will make it break, however I cannot get the JMP ESP instruction to run the reverse shellcode. Plus, I also tried the heap-based overflow, but couldn't find a way out.

POC


Solution

  • Now that I received your comment about the possible string length of your password variable, having a password that is longer than fifteen characters would produce a buffer overflow because the program would attempt to write past the memory allocated to the "password_buffer" variable (sixteen bytes).

    As a test, I wrote this snippet of code which includes your logic.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    char password[20];
    
    int main()
    {
        int auth_flag = 0;
        char *password_buffer;
        char *dept;
    
        strcpy(password, "Thisismypassword");   /* 16 characters plus the '\0' terminator = 17 bytes */
    
        password_buffer = (char *) malloc (16); /* only 16 bytes allocated */
        dept = (char *) malloc(10);
    
        strcpy(password_buffer, password);      /* writes 17 bytes into a 16-byte chunk */
    
        return 0;
    }
    
    

    Since the program has a value hard-coded for the variable "password" the compiler was actually able to pick up on the memory overflow and produce a warning; however, your complete program logic might be receiving a string as an input value and would not pick up on that. When I run this program with the "sixteen-character" (and '\0' terminator) value, it causes the buffer overflow condition you are probably getting.

    @Una:~/C_Programs/Console/Heap/bin/Release$ ./Heap 
    *** buffer overflow detected ***: terminated
    Aborted (core dumped)
    

    So, you would either need to enlarge the password buffer memory allocation to account for the largest possible password entry or utilize other robust methods to ensure that your work variables and their memory allocation are large enough to accommodate your input.

    Additional notes:

    Per your comment response, I retrieved the code. Indeed, if a password larger than fifteen characters is entered, the program is going to have a buffer overflow.

    @Una:~/C_Programs/Console/Heap/bin/Release$ ./Heap 
    Username: Adm1n
    Authorised User
    Password: RRRRRRRRRRRRRRRRRRR
    *** buffer overflow detected ***: terminated
    Aborted (core dumped)
    

    When I revised the memory allocation to be predicated upon the size of the password, the program functioned.

    password_buffer = (char *) malloc ((int)strlen(password) + 1);
    

    @Una:~/C_Programs/Console/Heap/bin/Release$ ./Heap 
    Username: Adm1n
    Authorised User
    Password: RRRRRRRRRRRRRRRRRR
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    Access Denied.
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-
    

    Give that a try.
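The answer's fix sizes the allocation to the input (strlen + 1). The other way to close the hole is to keep the fixed 16-byte buffer and refuse inputs that do not fit. The block below is an added example written for this page, not the asker's or answerer's code; `copy_bounded`, `store_password` and `password_fits` are names I chose. It rejects the 16-character and 19-character passwords from the answer with an error return instead of the glibc `*** buffer overflow detected ***` abort (that message comes from the `_FORTIFY_SOURCE` check on `strcpy`).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSWORD_BUFFER_SIZE 16   /* same fixed heap allocation as the question */
/* Bounded replacement for the unchecked strcpy(password_buffer, password).
 * Copies src (with its '\0') only if it fits in dst_size bytes; otherwise
 * writes nothing and returns 0. Returns 1 on success. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len + 1 > dst_size)
        return 0;                  /* would overrun the heap chunk: refuse */
    memcpy(dst, src, len + 1);     /* copies the terminator too */
    return 1;
}

/* Allocates the 16-byte buffer and performs the checked copy.
 * Returns the buffer (caller frees) or NULL when the password does not fit. */
char *store_password(const char *password)
{
    char *password_buffer = malloc(PASSWORD_BUFFER_SIZE);
    if (password_buffer == NULL)
        return NULL;
    if (!copy_bounded(password_buffer, PASSWORD_BUFFER_SIZE, password)) {
        free(password_buffer);
        return NULL;
    }
    return password_buffer;
}

/* Convenience predicate: 1 if the password is accepted and stored intact. */
int password_fits(const char *password)
{
    char *p = store_password(password);
    int ok = (p != NULL && strcmp(p, password) == 0);
    free(p);
    return ok;
}

int main(void)
{
    /* Constructed inputs: 15 chars fit, 16 do not (16 + '\0' = 17 bytes), 19 'R's are rejected. */
    const char *inputs[] = { "Thisismypasswor", "Thisismypassword", "RRRRRRRRRRRRRRRRRRR" };
    for (size_t i = 0; i < 3; i++)
        printf("%s (%zu chars) -> %s\n", inputs[i], strlen(inputs[i]),
               password_fits(inputs[i]) ? "stored" : "rejected");
    return 0;
}
```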