#include <stdio.h>
#include <string.h>
/*
 * Deliberately vulnerable example: reports whether arg1 equals "Yes".
 *
 * Returns strcmp()'s result for the local copy against "Yes", so 0 means
 * the reply matched.
 *
 * Flaw (CWE-121, stack-based buffer overflow): strcpy() copies until it
 * reaches arg1's terminator and never consults the size of cpy. Any
 * argument longer than 15 characters is written past the end of the
 * 16-byte buffer.
 *
 * A bounded version rejects the input when strlen(arg1) >= sizeof cpy, or
 * copies with snprintf(cpy, sizeof cpy, "%s", arg1) and checks the result
 * for truncation.
 */
int bad_code(char *arg1) {
    char cpy[16];      /* room for 15 characters plus the terminator */
    /* Unbounded copy: the number of bytes written is chosen by the caller. */
    strcpy(cpy, arg1);
    /*
     * This runs after the copy, so it cannot prevent an out-of-bounds
     * write; it only shortens the string that strcmp() sees.
     */
    cpy[15] = '\0';
    return strcmp(cpy, "Yes");
}
/*
 * Entry point: expects exactly one command-line argument (the reply) and
 * prints a message depending on whether bad_code() reports a match.
 * Returns 1 on a usage error, 0 otherwise.
 */
int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: %s reply\n", argv[0]);
        return 1;
    }

    /*
     * argv[1] comes straight from the command line and is forwarded with
     * no length check; bad_code() copies it into a 16-byte stack buffer.
     */
    int mismatch = bad_code(argv[1]);
    if (mismatch != 0) {
        printf("I'm sorry, I don't understand\n");
    } else {
        printf("Thanks for agreeing!\n");
    }
    return 0;
}
Parent Frame (main) | |||||||
Return Address | |||||||
Saved Frame Pointer | |||||||
char *arg1 | |||||||
char cpy[16] | |||||||
\0 | s | e | Y | ||||
Unused Stack Space |
#include <stdio.h>
#include <string.h>
/*
 * Deliberately vulnerable example: compares a caller-supplied reply
 * against "Yes" and returns strcmp()'s result (0 on a match).
 *
 * The copy into cpy is unbounded. When arg1 holds more than 15 characters,
 * strcpy() keeps writing past cpy into whatever is stored next to it in
 * the frame; the stack diagram on this page shows the saved frame pointer
 * and the return address being overwritten.
 *
 * Defensive notes: validate the length before copying (reject when
 * strlen(arg1) >= sizeof cpy) or use a size-taking call such as
 * snprintf(cpy, sizeof cpy, "%s", arg1). Compiler hardening such as
 * -fstack-protector-strong and -D_FORTIFY_SOURCE=2 can detect this class
 * of bug at run time, but it does not replace the bounds check.
 */
int bad_code(char *arg1) {
    char cpy[16];      /* fixed-size stack buffer: 15 characters + '\0' */
    /* No size argument: the input length alone decides how much is written. */
    strcpy(cpy, arg1);
    /* Executed after the copy, so it does not limit what strcpy() wrote. */
    cpy[15] = '\0';
    return strcmp(cpy, "Yes");
}
/*
 * Entry point for the overflow demonstration: takes one argument, passes
 * it to bad_code(), and prints the outcome.
 * Returns 1 when the argument count is wrong, 0 otherwise.
 */
int main(int argc, char **argv) {
    /* Anything other than exactly one reply argument is a usage error. */
    if (argc != 2) {
        printf("Usage: %s reply\n", argv[0]);
        return 1;
    }

    /*
     * The reply is untrusted input of arbitrary length; nothing here
     * bounds it before bad_code() copies it into its 16-byte buffer.
     */
    const int agreed = (bad_code(argv[1]) == 0);
    if (agreed) {
        printf("Thanks for agreeing!\n");
    } else {
        printf("I'm sorry, I don't understand\n");
    }
    return 0;
}
Parent Frame (main) | |||||||
Return Address | \0 | A | A | A | A | ||
A | A | A | A | A | A | A | A |
A | A | A | A | A | A | A | A |
A | A | A | A | A | A | A | A |
A | A | A | A | A | A | A | A |
Unused Stack Space |
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <string.h>
#include <openssl/md5.h>
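/*
 * Greets the caller and replaces the current process with /bin/sh.
 *
 * setuid(geteuid()) makes the real UID equal to the effective UID before
 * the exec. Its result is checked: if the call fails, the process identity
 * is not what this function intended, so no shell is started.
 *
 * On success this function does not return, because execv() replaces the
 * process image. It returns only when setuid() or execv() fails, after
 * reporting the error on stderr.
 */
void grant_shell() {
    printf("Welcome back superuser!\nHere's your shell:\n");
    /*
     * exec discards anything still held in stdio buffers, which would lose
     * the greeting when stdout is a pipe or file rather than a terminal.
     */
    fflush(stdout);

    /* Never continue with an unexpected identity after a failed setuid(). */
    if (setuid(geteuid()) != 0) {
        perror("setuid");
        return;
    }

    char *const args[] = {"/bin/sh", NULL};
    execv(args[0], args);

    /* execv() returns only on failure. */
    perror("execv");
}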
// Expected MD5 digest of the password, embedded as 16 raw bytes.
// NOTE(review): a digest compiled into the binary can be read by anyone
// who can read the file, and an unsalted MD5 is cheap to attack offline.
uint8_t valid_hash[] = {
    0xC1, 0xB3, 0x93, 0x69, 0xB2, 0x7A, 0x10, 0x6F,
    0x1F, 0xC5, 0x77, 0x85, 0x5B, 0xC1, 0xD9, 0xFC
};
// Checks a candidate password against the embedded MD5 digest.
// Returns 1 when the digest of the copied password equals valid_hash and
// 0 otherwise (the ! inverts memcmp's "0 means equal").
//
// Deliberately vulnerable (CWE-121): strcpy() has no size limit, so an
// argument longer than 20 characters is written past the end of passwd
// before any check or truncation happens. A bounded version rejects
// strlen(argv1) >= sizeof passwd up front, or hashes argv1 directly
// instead of copying it.
//
// NOTE(review), separate from the overflow:
//  - An unsalted MD5 is a fast hash and unsuitable for password
//    verification; a dedicated password hash (e.g. Argon2, scrypt, bcrypt)
//    is the usual choice.
//  - memcmp() may return at the first differing byte; OpenSSL's
//    CRYPTO_memcmp() is the constant-time alternative.
//  - OpenSSL declares MD5() with unsigned char pointers, so the char *
//    arguments here rely on a pointer-signedness conversion.
int verify(char *argv1) {
    char passwd[21]; //sized for 20 characters plus a null byte, but nothing enforces that limit
    strcpy(passwd, argv1); //unbounded copy of caller-controlled data
    passwd[20] = '\0'; //runs after the copy, so it truncates the string but cannot prevent the overflow
    uint8_t hash[16]; //an MD5 digest is 16 bytes
    MD5(passwd, strlen(passwd), (char *)hash);
    return !memcmp(hash, valid_hash, 16);
}
// Entry point: takes the candidate password as the only argument and
// starts a shell through grant_shell() when verify() accepts it.
// Returns 1 on a usage error, 0 otherwise.
int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: %s passwd\n", argv[0]);
        return 1;
    }

    // argv[1] is untrusted and of arbitrary length; it reaches verify()
    // without any bounds check.
    if (!verify(argv[1])) {
        printf("You're not the superuser, "
               "you don't know the password!!\n");
        return 0;
    }

    // The password was accepted.
    grant_shell();
    return 0;
}