
2011 - 2012

(buffer overflow, buffer overrun)


,
C. ,
, .
(overflow)

.
1.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Listing 1 - stack buffer overflow via strcpy().
 *
 * argv[1] is copied into a 5-byte array with strcpy(), which stops only at
 * the terminating NUL of the source.  Any argument longer than 4 characters
 * therefore writes past the end of mybuffer, which is undefined behaviour.
 * Whether that shows up as a crash, silently corrupted neighbouring data,
 * or nothing at all depends on the compiler's stack layout and padding
 * (the "8 bytes = 2 double words" figure in the original notes describes
 * one such layout, not a guarantee).
 *
 * Bounded replacement:  snprintf(mybuffer, sizeof mybuffer, "%s", argv[1]);
 * which always NUL-terminates and truncates instead of overflowing.
 * strcpy_s() is the C11 Annex K / MSVC equivalent and is not portable.
 */
int main(int argc, char *argv[])
{
    /* 5 bytes: room for 4 characters plus the terminating NUL */
    char mybuffer[5];
    /* usage message when the program is started without an argument */
    if (argc < 2)
    {
        printf("strcpy() NOT executed....\n");
        printf("Syntax: %s <characters>\n", argv[0]);
        exit(0);
    }
    /* DELIBERATE BUG: unbounded copy of user input into a 5-byte buffer */
    strcpy(mybuffer, argv[1]);
    printf("mybuffer content= %s\n", mybuffer);
    printf("strcpy() executed...\n");
    return 0;
}

? ?

2011 - 2012

(Integer overflow)
Widthness overflows


.
:
2.

#include <stdio.h>
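/*
 * Listing 2 - "widthness" (truncating) integer conversion.
 *
 * The 32-bit value 0xdeadbeef is stored into a short and a char; the
 * narrower objects keep only their low-order bytes (0xbeef and 0xef).
 * When printed they are promoted back to int, and because short (and on
 * most targets char) is signed, the high bit is sign-extended, which is
 * why the output shows 0xffffbeef / 0xffffffef rather than 0xbeef / 0xef.
 * Storing an out-of-range value into a signed type is implementation-
 * defined rather than undefined, so the demonstration is reproducible.
 *
 * Fix applied: sizeof yields size_t, which must be printed with %zu; the
 * original %d is a mismatched conversion (undefined behaviour, and garbage
 * output on LP64 targets).
 */
int main(void)
{
    int l;
    short s;
    char c;

    l = 0xdeadbeef;   /* exceeds INT_MAX: implementation-defined conversion */
    s = l;            /* truncated to the low 16 bits */
    c = l;            /* truncated to the low 8 bits */

    printf("l = 0x%x (%zu bits)\n", l, sizeof(l) * 8);
    printf("s = 0x%x (%zu bits)\n", s, sizeof(s) * 8);
    printf("c = 0x%x (%zu bits)\n", c, sizeof(c) * 8);
    return 0;
}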

? ?

Exploiting -
.
(overwriting)
, .

,
. ,
, . ,
,
.
,
, .
, ,
:

2011 - 2012
3.
/* width1.c - exploiting a trivial widthness bug */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
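/*
 * Listing 3 (width1.c) - width truncation defeats a bounds check.
 *
 * The length argv[1] is parsed into int i, but the bounds check is made on
 * unsigned short s, which holds only the low 16 bits of i.  A value such
 * as 65536 passes the check (s == 0) while memcpy() and buf[i] still use
 * the full i, writing far past the 80-byte buffer.  A negative i whose low
 * 16 bits are below 80 (e.g. -65536) passes as well and becomes a huge
 * size_t in memcpy().  memcpy() also reads i bytes from argv[2] regardless
 * of that string's real length, so an over-read is possible even for
 * values that pass the check.
 *
 * Fix: validate the value that is actually used, e.g.
 *     if (i < 0 || i >= (int)sizeof buf || (size_t)i > strlen(argv[2]))
 * and parse with strtol() plus error checking instead of atoi().
 * The closing brace of main, lost in the original listing, is restored.
 */
int main(int argc, char *argv[])
{
    unsigned short s;
    int i;
    char buf[80];

    if (argc < 3) {
        return -1;
    }
    i = atoi(argv[1]);
    s = i;                    /* DELIBERATE BUG: only the low 16 bits survive */
    if (s >= 80) {
        /* [w1] */            /* check is on s, but i is what gets used below */
        printf("Oh no you don't!\n");
        return -1;
    }
    printf("s = %d\n", s);
    memcpy(buf, argv[2], i);  /* unchecked i: overflow of buf, over-read of argv[2] */
    buf[i] = '\0';
    printf("%s\n", buf);
    return 0;
}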

,
.

5 hello
80 hello
65536 hello
? ?
(Arithmetic overflows)
,
,
, .
,
, ,
.
:

2011 - 2012
4.
/* ex2.c - an integer overflow */
#include <stdio.h>
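/*
 * Listing 4 (ex2.c) - unsigned wrap-around.
 *
 * Unsigned arithmetic is defined to wrap modulo 2^N, so UINT_MAX + 1 is
 * exactly 0; this is well defined, unlike signed overflow, but it is still
 * a bug whenever the result is later used as a size or an index.
 *
 * Fix applied: sizeof yields size_t and must be printed with %zu, not %d.
 */
int main(void)
{
    unsigned int num = 0xffffffff;   /* UINT_MAX for a 32-bit unsigned int */
    printf("num is %zu bits long\n", sizeof(num) * 8);
    printf("num = 0x%x\n", num);
    printf("num + 1 = 0x%x\n", num + 1);   /* wraps to 0 */
    return 0;
}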

? ?
5.
/* ex4.c - various arithmetic overflows */
#include <stdio.h>
/*
 * Listing 5 (ex4.c) - arithmetic overflows of a 32-bit int.
 *
 * Two different rules are at work here (assuming a 32-bit int):
 *  - 0xc0000000 and 0xffffffff do not fit in int, so they have type
 *    unsigned int; l is converted to unsigned, the operation wraps modulo
 *    2^32 (well defined), and storing the result back into int x is
 *    implementation-defined.
 *  - l * 0x4 is int * int and the mathematical result 0x100000000 exceeds
 *    INT_MAX: signed overflow is undefined behaviour, so the optimizer may
 *    assume it never happens and the printed value is not guaranteed.
 */
int main(void)
{
    int l, x;
    l = 0x40000000;
    printf("l = %d (0x%x)\n", l, l);
    /* unsigned addition, wraps; result converted back to int */
    x = l + 0xc0000000;
    printf("l + 0xc0000000 = %d (0x%x)\n", x, x);
    /* signed multiplication overflow: undefined behaviour */
    x = l * 0x4;
    printf("l * 0x4 = %d (0x%x)\n", x, x);
    /* unsigned subtraction, wraps; result converted back to int */
    x = l - 0xffffffff;
    printf("l - 0xffffffff = %d (0x%x)\n", x, x);
    return 0;
}

? ?




.

. ,
dVal.
:
6.
#include <stdio.h>
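/*
 * Listing 6 - use of an uninitialized variable.
 *
 * dVal is never assigned before it is printed.  Reading an uninitialized
 * automatic variable is undefined behaviour; in practice the program
 * prints whatever the compiler left in that storage, which is why this
 * class of bug can leak the contents of earlier stack frames.
 * The fix is simply `int dVal = 0;`.
 *
 * Fix applied: the non-standard `void main` is replaced by `int main(void)`.
 */
int main(void)
{
    int dVal;   /* DELIBERATE BUG: uninitialized */
    printf("The value is %d\n", dVal);
    return 0;
}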

2011 - 2012

"%d" "dVal".
? ?
(hexadecimal)
:
7.
#include <stdio.h>
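/*
 * Listing 7 - the same uninitialized read, shown in decimal and hex.
 *
 * Both printf() calls read dVal before anything was stored in it, which is
 * undefined behaviour; the hexadecimal form only makes the leaked bit
 * pattern easier to recognise.  The fix is `int dVal = 0;`.
 *
 * Fix applied: the non-standard `void main` is replaced by `int main(void)`.
 */
int main(void)
{
    int dVal;   /* DELIBERATE BUG: uninitialized */
    printf("The value in decimal is %d\n", dVal);
    printf("The value in hexadecimal is %x\n", dVal);
    return 0;
}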

"%d" "dVal" "%x"


(hexadecimal) "dVal".
? ?
(specifier)

, .
"%n" (does not print anything: it writes the number of characters output so far by the call into the int that its pointer argument points to)
."%n"

printf .
:
"% n"
.

.
:
8.

#include <stdio.h>
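/*
 * Listing 8 - the %n conversion.
 *
 * %n prints nothing; it stores the number of characters written so far by
 * this printf() call into the int its argument points to.  The first
 * conversion always produces exactly 20 characters, so bytes_formatted is
 * 20 afterwards.  This "write an integer through a pointer" behaviour is
 * what makes an attacker-controlled format string more than an
 * information leak.
 *
 * Fixes applied: the string literals lost their quotes in the listing and
 * are restored; the original "%.20x" took the char* buffer as a %x
 * argument (type mismatch), "%.20s" prints the first 20 characters of the
 * string and yields the same count of 20.
 */
int main(void)
{
    int bytes_formatted = 0;
    char buffer[28] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    printf("%.20s%n", buffer, &bytes_formatted);
    printf("\nThe number of bytes formatted in the previous printf statement was %d\n",
           bytes_formatted);
    return 0;
}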
:

2011 - 2012
? ?

9.
#include <stdio.h>
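/*
 * Listing 9 - uncontrolled format string.
 *
 * Each command-line argument is handed to printf() as the FORMAT rather
 * than as data, so any %-conversions it contains are interpreted: %x and
 * %p read values that happen to be in argument positions (information
 * disclosure) and %n writes through whatever pointer is found there.
 * The argument must be passed as data:  printf("%s", argv[count]);
 *
 * Fixes applied: `void main` replaced by `int main`, and the separator
 * printf() whose literal was lost in the listing is restored as
 * printf(" ") to match listing 11.
 */
int main(int argc, char *argv[])
{
    int count = 1;
    while (argc > 1)
    {
        printf(argv[count]);   /* DELIBERATE BUG: user input as format string */
        printf(" ");
        count++;
        argc--;
    }
    return 0;
}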
? ?


, .


.
,

.
.
10.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
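/*
 * Listing 10 - format string passed to snprintf().
 *
 * argv[1] is used as the FORMAT of the snprintf() call, so conversions in
 * the user's input are interpreted (the "%x" walkthrough below shows how a
 * "Bob %x %x" argument is parsed).  The correct call is
 *     snprintf(buf, sizeof buf, "%s", argv[1]);
 *
 * Fixes applied: argc is checked before argv[1] is touched; the MSVC-only
 * _snprintf() is replaced by standard snprintf() (the explicit terminator
 * store is kept because _snprintf() does not guarantee NUL-termination);
 * strlen() returns size_t and is printed with %zu; the string literal that
 * was split across two lines is rejoined; &x is cast to void* for %p.
 */
int main(int argc, char *argv[])
{
    char buf[100];
    int x = 1;

    if (argc < 2) {
        printf("Syntax: %s <string>\n", argv[0]);
        return 1;
    }
    snprintf(buf, sizeof buf, argv[1]);   /* DELIBERATE BUG: user input as format string */
    buf[sizeof buf - 1] = 0;              /* needed only with the non-terminating _snprintf() */
    printf("Buffer size is: (%zu) \nData input: %s \n", strlen(buf), buf);
    printf("X equals: %d/ in hex: %#x\nMemory address for x: (%p) \n", x, x, (void *)&x);
    return 0;
}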
.

2011 - 2012
Bob .

.
"%x%" ,
(parses) , Bob,
%x
.

Bob buf
%s (Data input). printf
:
printf ( "Buffer size is: (%d) \n Data input: Bob %x %x \n" ,
strlen (buf) , buf ) ;
,
, .
.
11.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
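/*
 * Listing 11 - bounded copy, but the format-string bug remains.
 *
 * The copy into buf is now bounded (strncpy() with an explicit terminator
 * store, since strncpy() does not guarantee one), yet every argument is
 * still passed to printf() as the FORMAT in the loop, so the program is as
 * exposed as listing 9.  The correct call is  printf("%s", argv[count]);
 *
 * Fixes applied: argc is checked before argv[1] is used; strlen() returns
 * size_t and is printed with %zu; the string literal split across two
 * lines is rejoined; &x is cast to void* for %p; the closing brace of
 * main, lost in the listing, is restored.
 */
int main(int argc, char *argv[])
{
    char buf[100] = "";
    int x = 1;
    int count = 1;

    if (argc < 2) {
        printf("Syntax: %s <string>\n", argv[0]);
        return 1;
    }
    strncpy(buf, argv[1], sizeof buf);
    buf[sizeof buf - 1] = 0;   /* strncpy() may leave buf unterminated */
    printf("Buffer size is: (%zu) \n", strlen(buf));
    printf("Data input:");
    while (argc > 1)
    {
        printf(argv[count]);   /* DELIBERATE BUG: user input as format string */
        printf(" ");
        count++;
        argc--;
    }
    printf("\n X equals: %d/ in hex: %#x\nMemory address for x: (%p) \n", x, x, (void *)&x);
    return 0;
}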
