1

I found one interesting exercises on the net, it states that the specific input can overflow the buffer in such a way that the 'secret' will be printed to stdout.

I tried to figure it out by my self but I haven't done well.

Here is the code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void get_name(char *name, char *pr) {
    char local[20];
    printf("%s:",pr);
    gets(local);// BUG
    strncat(name,local,20);
}
int foo () {
    char name[28]="Hello..";
    char secret[12]="TOP SECRET";
    char buf[24];
    char n1[]="Enter your name";
    char n2[]="Enter Secret code"; 
    get_name(name,n1);
    memset(buf, 0, sizeof(buf));
    // Lets ONLY use strncpy for better control!!! 
    strncpy(buf, name, sizeof(buf));//BUG 
    printf("%s\n", buf); 
    memset(name,0,sizeof(name));
    get_name(name, n2);
    if (strncmp(secret,name,10)==0)
        printf("Welcome and %s\n",buf);
    else {printf("Wrong code, better try again..\n");}
    return 0;
}


int main(int argc, char **argv)
{
    foo();
    printf("Bye\n");
    return 0;
}
Improve this question
1
  • 1
    I think the compilation line is missing, usually they write a comment like this : // gcc -o -m32 buffer_overflow buffer_overflow.c -fno-stack-protector on this kind of exercise. You need it (especially -m32 and -fno-stack-protector) in order to achieved this challenge. Commented Oct 13, 2016 at 10:37

1 Answer 1

Reset to default
1

There is no way to know what the outcome of such buffer overflows will do. You can't know or assume what memory they will overwrite. Most likely they will only cause some sort of run-time crash. Any exploit would have to have a very specific system in mind. Which means that nobody would be able to answer your question without knowing the details of a given system.

What your "random internet person" is aiming for, is likely to overwrite the null termination of Hello.. with some garbage, so that the "TOP SECRET" string will get printed along with it. You can't assume that those two strings are allocated adjacently, however. You could try to type 28 letter long input to gets and see what happens... there are no guarantees of any given behavior. On my computer it does nothing exciting apart from printing some garbage. Reverse-engineering of my binary reveals that that's because the arrays are indeed not allocated adjacently.

In addition, your comments about strncpy are misguided, strncpy is dangerous and should be avoided, see this.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

this comments aren't mine,they were provided together with the exercise
@ro.Loon The person who wrote the exercise seem to lack in-depth knowledge about C.
You seem to be answer different question that what is being asked. For example, use of strncpy in this code seems 100% intentional, and not one bit misguided (for the purpose of the code and the exercise).
@hyde The remark about strncpy is a side-note. But the use of that function is always misguided, see the link. The correct use here would have been to use memcpy, since nothing in this code seems to be related to fixed-width Unix string formats from the early 1970s.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.