dimanche 29 mars 2015

Why does the variable 'pass' change its value after a stack buffer overflow?



I can't understand what really happens to 'buf1' and 'pass' in the main() program. I understand that after the buffer overflow in gets(buf1):



  1. Firstly (by entering more than 15 characters), we are actually changing the stack frame of the calling function main();

  2. Secondly (if we keep entering more than 19 characters), then we will start to change the return address of the calling function main().


But why, after 16 characters in gets(buf1) ('1234567890123456'), do we get pass equal to 54 (which is the ASCII code for '6')? We do not overflow the 'pass' variable, so why do we get pass=54?



#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stdlib.h>
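/*
 * Run "cat <varCommand>" through the shell.
 *
 * This is the command-injection sink the program demonstrates: varCommand
 * comes straight from gets() in main() and is handed to system(), so the
 * shell interprets any metacharacters it contains (the prompt in main()
 * itself suggests "text.txt; ls -l").  The mitigation is to avoid the shell
 * entirely — build an argv array {"cat", varCommand, NULL} and use
 * execvp()/posix_spawn() — not to filter characters.  system() is kept here
 * only because the demonstration depends on it.
 *
 * What this version fixes relative to the original: strlen(NULL) and an
 * unchecked malloc() result (both undefined behaviour), the strncpy/strncat
 * pair (replaced by a single bounded snprintf), and the leaked buffer.
 *
 * Returns 0 after running the command, -1 if varCommand is NULL or the
 * buffer could not be allocated.
 */
int CommandInjection(char *varCommand)
{
    static const char cat[] = "cat ";

    if (varCommand == NULL) {
        return -1; /* strlen(NULL) is undefined behaviour */
    }

    /* sizeof cat already counts the terminating NUL, so this equals
     * strlen(cat) + strlen(varCommand) + 1 as in the original. */
    size_t commandLength = sizeof cat + strlen(varCommand);
    char *command = malloc(commandLength);
    if (command == NULL) {
        return -1; /* the original would have written through NULL */
    }

    /* snprintf always NUL-terminates and cannot write past commandLength. */
    snprintf(command, commandLength, "%s%s", cat, varCommand);

    system(command); /* injection sink: user input executed by /bin/sh */

    free(command); /* the original never released this buffer */
    return 0;
}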
/*
 * Demo entry point: reads a "password" into a 15-byte stack buffer with
 * gets(), which performs no bounds check, and then gates the file-name
 * prompt (and the call into CommandInjection) on the local `pass`.
 *
 * The observed behaviour (pass printed as 54, i.e. '6', after the input
 * "1234567890123456") depends on exactly how the compiler laid out these
 * locals on the stack; the declaration order below is therefore left
 * untouched.
 */
int main(void)
{
/* 15 bytes of storage; gets() writes the input plus a NUL with no limit.
 * NOTE(review): pass being overwritten by the 16th character implies that,
 * on the poster's compiler, the byte right after buf1[14] belongs to `pass`
 * (or to padding it shares).  That adjacency is an artefact of this build,
 * not something the C language guarantees. */
char buf1[15];
/* Second unbounded gets() target; passed on to system() via CommandInjection. */
char varCommand[30];
/* Flag gating the privileged branch; `bool` is 1 byte, so a single overflowed
 * character can replace its whole value. */
bool pass = 0;

printf("\nEnter the password: \n(If you enter more than 15 characters you can break the security)\n");
/* gets() is removed from C11 precisely because it cannot be bounded;
 * fgets(buf1, sizeof buf1, stdin) would stop at 14 characters.  Kept here
 * because the overflow is what this program demonstrates. */
gets(buf1); //Function that does not make bound checking

if(strcmp(buf1, "thepassword"))
{
/* %d prints whatever byte the overflow left in `pass` (54 in the question). */
printf ("\nWrong Password\n PASS=%d", pass);
/* NOTE(review): a bool holding a byte other than 0/1 is outside the
 * representation C defines, so whether 54 compares equal to `true` here
 * is compiler-dependent — the poster's build evidently treated it as set. */
if(pass==true)
printf ("\nHowever, there was memory corruption and you can enter to other part of the program\n pass=%d", pass);
}
else
{
printf ("\nCorrect Password\n");
pass = true;
}

if(pass==true)
{
// Should not be reachable when the password is wrong; only the overflow gets us here.
printf ("\nEnter the file name (for example: text.txt; ls -l)\n");
/* Same unbounded read as above, this time into a 30-byte buffer. */
gets(varCommand); //There is no input validation
/* Hands raw input to system() — the command-injection sink. */
CommandInjection(varCommand);
}

return 0;
}


