C++ Buffer Overflow Exploit
When you have a certain number of bytes allocated for a buffer and someone enters more bytes than you allocated, this is called a buffer overflow or buffer overrun. It is a very serious security threat, and many programmers make this mistake, even experienced ones. You must secure your code; otherwise someone can inject code directly into your system through your program. This kind of exploit is not limited to C++: it can be used against programs written in any language, even on websites.
Remember that the following code should be used for educational purposes and to improve your security in programming.
Vulnerable Password Program
Here is an example of vulnerable C++ code:
#include <stdio.h>   // printf
#include <string.h>  // strcpy, strcmp

int main(int argc, char** argv) {
    int authentication(0);
    char cUsername[10], cPassword[10];
    // Unbounded copies: an argument longer than 9 characters runs past its buffer
    strcpy(cUsername, argv[1]);
    strcpy(cPassword, argv[2]);
    if (strcmp(cUsername, "admin") == 0 && strcmp(cPassword, "adminpass") == 0) {
        authentication = 1;
    }
    if (authentication) {
        printf("Access granted");
    } else {
        printf("Wrong username and password");
    }
    return 0;
}
This program, protected by a username and password, can easily be hacked by exploiting the strcpy function with a buffer overflow.
There is an authentication variable which grants access, and two buffers for the username and password, which are checked to make sure the correct "admin" username and "adminpass" password were entered.
I strcpy (string copy) the argv values, the arguments passed on the command line, into those buffers, and then I check whether the right username and password were entered.
Then the program prints whether the user succeeded or not.
Hacking
I compiled the file as bufferoverflow.cpp using Code::Blocks, then opened a command prompt and changed to the appropriate folder.
Here is how I interacted with the program:
Wrong username and password
C:\>bufferoverflow admin adminpass
Access granted
C:\>bufferoverflow AAAA AAAAA
Wrong username and password
C:\>bufferoverflow AAAAAAAAAAAAAAAAAAAAAAAAAAAA A
Wrong username and password
C:\>bufferoverflow AAAAAAAAAAAAAAAAAAAAAAAAAAAAA A
Access granted
Since cUsername and cPassword can only hold 10 bytes each, sending in too many causes a buffer overflow:
cUsername = AAAAAAAAAA
cPassword = AAAAAAAAAA
authentication = 0x41414141
If you enter AAAAAAAAA (9 of them), it won't overflow, but if you enter 11 of them, the extra bytes "overflow" into cPassword (the next character array in memory). Even though you are typing into cUsername, you are overwriting cPassword, and finally, with enough As, you overwrite authentication with AAAAAAA, causing it to become 0x41414141 instead of 0.
Since I only check whether authentication is true (or greater than 1, basically), I am granted access.
Secure the C++ Code
To secure it, you need to check the length of every input; you shouldn't trust the person using your program and assume they won't enter something crazy like AAAAAAAAAAAAAAAAAAAAAAAAAA.
Instead of strcpy, you should use
buffer[MAX_SIZE] = '\0';
You should also make sure the last character of your buffer is the \0 terminator.
Try not to use memcpy either; the same problem applies.
For strcmp, you should use
You shouldn't have this problem if you use std::string or another string class, since the string code should check the length for you.
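As an added example (my own code, not the original post's), here is a hardened rewrite of the same program that applies the advice above: input that does not fit the buffer is rejected rather than truncated, and the terminator is always written. The helper safe_copy and the BUF_SIZE constant are names I chose; the 10-byte buffers match the original.

```cpp
#include <cstdio>
#include <cstring>

// Same buffer size as the page's program.
constexpr size_t BUF_SIZE = 10;

// Copies src into dst only if it fits together with its '\0' terminator.
// Returns false (and leaves dst empty) when the input is too long. Rejecting
// instead of truncating matters: a strncpy-style truncation would turn
// "adminpassword" into "adminpass" and accept it.
bool safe_copy(char (&dst)[BUF_SIZE], const char* src) {
    dst[0] = '\0';
    if (src == nullptr) return false;
    size_t len = 0;
    while (len < BUF_SIZE && src[len] != '\0') ++len;  // never reads past BUF_SIZE
    if (len == BUF_SIZE) return false;  // no terminator within BUF_SIZE - 1 chars
    memcpy(dst, src, len);
    dst[len] = '\0';                    // explicit termination
    return true;
}

// Same check as the vulnerable program, but the copies can no longer run past
// the buffers, so 'authentication' cannot be overwritten by the input.
bool check_credentials(const char* user, const char* pass) {
    int authentication = 0;
    char cUsername[BUF_SIZE], cPassword[BUF_SIZE];
    if (!safe_copy(cUsername, user) || !safe_copy(cPassword, pass)) {
        return false;  // oversize input is an error, not a truncated value
    }
    if (strcmp(cUsername, "admin") == 0 && strcmp(cPassword, "adminpass") == 0) {
        authentication = 1;
    }
    return authentication != 0;
}

int main(int argc, char** argv) {
    if (argc != 3) {
        puts("usage: bufferoverflow <username> <password>");
        return 1;
    }
    puts(check_credentials(argv[1], argv[2]) ? "Access granted"
                                             : "Wrong username and password");
    return 0;
}
```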