c - Trying to exploit int overflow -
here source code using: (the full code can found here: http://pastebin.com/apfj4jyb
#include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <errno.h> #include <signal.h> #include <netinet/in.h> #include <sys/wait.h> #define alarm_timeout_sec (1200) #define password_length (100) #define brute_force_timeout (1) int is_correct(char * given_password_hex) { char b2h[256] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1, /* 0-9 */ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* a-f */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* a-f */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; char password[50] = "0123456789abcdefghijklmnopqrstuvwxyzabcdefghijklmn"; char given_password[50]; char value1; char value2; int i; char diff = 0; size_t given_password_hex_length = strlen(given_password_hex); if (password_length != given_password_hex_length) { printf("bad input1: %zu\n", given_password_hex_length); return 0; } bzero(given_password, sizeof(given_password)); (i = 0; < sizeof(given_password); i++) { // *********here place try exploit******* value1 = b2h[given_password_hex[i * 2]]; value2 = b2h[given_password_hex[i * 2 + 1]]; printf("%d- %d %x %d - %d %x\n", * 2, * 2+1,given_password_hex[i * 2], given_password_hex[i * 2], given_password_hex[i * 2 + 1], given_password_hex[i * 2 + 1]); if (value1 == -1 || value2 == -1) { printf("bad input2\n"); return 0; } given_password[i] = (value1 << 4) | value2; printf("%s\n",given_password); } printf("%s\n\n\n\n\n\n\n",given_password); (i = 0; < 50; i++) { diff |= (password[i] ^ given_password[i]); } printf("%s\n",given_password); printf("%s",password); return (diff == 0); } void right_trim(char * str) { char * t = str + strlen(str) - 1; char * p; (p = t; p >= str; p--) { if (!strchr(" \r\n", *p)) { break; } *p = '\0'; } } void handle(int s) { char inbuf[4096]; dup2(s, 0); dup2(s, 1); setbuf(stdout, null); alarm(alarm_timeout_sec); printf("crackme> "); if (null == fgets(inbuf, sizeof(inbuf), stdin)) { return; } right_trim(inbuf); if(is_correct(inbuf)) { printf("good job!\n"); } } void handle_sigchld(int sig) { waitpid((pid_t) (-1), 0, wnohang); } int main(int argc, char * argv[]) { printf("we in"); if (1 == argc) { printf("usage: %s <port>\n", argv[0]); printf("section 1"); exit(-0); } int port = strtol(argv[1], null, 10); if (0 == port) { printf("section 2"); perror("invalid port"); exit(-1); } struct sigaction sa; sa.sa_handler = &handle_sigchld; sigemptyset(&sa.sa_mask); sa.sa_flags = sa_restart | sa_nocldstop; if (sigaction(sigchld, &sa, 0) == -1) { perror("unable register sigaction"); exit(-2); } int s = socket(af_inet, sock_stream, 0); if (-1 == s) { perror("unable create server socket"); exit(-3); } int optval = 1; if (0 != setsockopt(s, sol_socket, so_reuseaddr, &optval, sizeof(optval))) { perror("unable setsockopt"); exit(-4); } struct sockaddr_in bind_addr = { .sin_family = af_inet, .sin_port = htons(port) }; if (0 != bind(s, (struct sockaddr *) &bind_addr, sizeof(bind_addr))) { perror("unable bind socket"); printf("section 3"); exit(-5); } if (0 != listen(s, 10)) { perror("unable listen"); exit(-6); } while (1) { int s_ = accept(s, null, null); sleep(brute_force_timeout); if (-1 == s_) { perror("unable accept"); continue; } pid_t child_pid = fork(); if (-1 == child_pid) { perror("unable fork"); goto accept_cleanup; } if (0 == child_pid) { close(s); handle(s_); exit(0); } accept_cleanup: close(s_); } exit(0); } since control input can resize array pointer enters , can make exceptions memory
now problem: i'm trying boy without knowing password. so, put following string cause system retrieve password memory me
"ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñ" even though included input correct sized characters, did not password. instead, first part of , mixed. here's back:
"0123456789qrstuvwxyz{|}pqrstuvwxyzqrstuvwxyz{|}~" (instead : "0123456789abcdefghijklmnopqrstuvwxyzabcdefghijklmn") this password looked in memory @ runtime:
0x7fffffffd840: 0x33323130 0x37363534 0x62613938 0x66656463 0x7fffffffd850: 0x6a696867 0x6e6d6c6b 0x7271706f 0x76757473 0x7fffffffd860: 0x7a797877 0x44434241 0x48474645 0x4c4b4a49 0x7fffffffd870: 0x1c934e4d 0x00000000 0x00400643 0x00000000 0x7fffffffd880: 0xffffffff 0x00000000 0x0000c1ff 0x00000405 (notice endian)
this location of password in memory :
0x7fffffffd840 this location of b2h in memory:
0x7fffffffd8c0 why happening? how can fix this?
Comments
Post a Comment