How can I get a buffer overflow in a global variable?

StackOverflow https://stackoverflow.com/questions/21348107

Domanda

I'm working on detecting and preventing BOF attacks and I'd like to know, how can I overflow a global struct?

My code:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

struct{
        char name[20];
        char description[10];
} test;


int main(int argc, char **argv){
        if(argc != 2)
                exit(-1);
        *(*(argv+1)+20) = '\x00'; //terminate string after 20 characters

        strcpy(test.name, argv[1]); //no BOF here... stopped at 20
        printf("%s\n", test.name);

        char *desc;
        desc = malloc(10);
        if(!desc){
                printf("Error allocating memory\n");
                exit(-1);
        }
        scanf("%s", desc); //no bounds checking - this is where I BOF
        strcpy(test.description, desc); //copy over 10 characters into 10 char buffer
        printf("%s\n", test.description); //this prints out whatever I type in
        //even thousands of characters, despite it having a buffer of 10 chars
}
È stato utile?

Soluzione

You overflow a global buffer the same way you do any other buffer type; you store more data in it than there are bytes allocated for it. Perhaps the question is "and what damage does that do?", and the answer is the usual: it depends.

Basically, when you overflow a specific global buffer, you write over some other global variables, and what happens next depends on whether the other variable is referenced again, and what it is supposed to hold. It won't, typically, have function return addresses and the like, so it can be more difficult to exploit.

Altri suggerimenti

char *desc = malloc(10);
scanf("%s", desc); //no bounds checking - this is where I BOF
strcpy(test.description, desc); //copy over 10 characters into 10 char buffer

One of the things you will need to address during testing on modern Linux systems are the calls to scanf and strcpy. Modern systems use FORTIFY_SOURCE, and it tries to remediate some classes of buffer overflows.

FORTIFY_SOURCE uses "safer" variants of high risk functions like memcpy and strcpy. The compiler uses the safer variants when it can deduce the destination buffer size. If the copy would exceed the destination buffer size, then the program calls abort().

To disable FORTIFY_SOURCE for your testing, you should compile the program with -U_FORTIFY_SOURCE or -D_FORTIFY_SOURCE=0.

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top