C++ Buffer Overflow

Question

I\'m trying to teach myself about buffer overflows and exploitation in C++. I\'m an intermediate C++ guy, at best, so bear with me. I\'ve followed a few tutorials, but here\

Answer 1

It is overwriting your authentication variable. This means that authentication is positive even before your code checks the username and password. To check this, print out authentication prior to the checks.

I'll expand a little further: When you type is a very long username, that long username is copied, by your strcpy, into cUsername. That variable cUsername is immediately after authentication and hence it is overwritten by the overly-long username.

If you type a very very long username, then (again) the authentication variable will be overwritten. But also now the items further up the stack, such as the return value, will be overwritten. If your program overwrites too high up the stack, then it will be very badly broken and anything can happen. You essentially execute random code at this point.

Answer 2

I modified your program a little bit to make it more illustrative:

#include <iostream>

int main( void )
{
 int authentication = 0;
 char cUsername[ 10 ];
 char cPassword[ 10 ];

 std::cout << "Username: ";
 std::cin >> cUsername;

 std::cout << "Pass: ";
 std::cin >> cPassword;

 if( std::strcmp( cUsername, "admin" ) == 0 && std::strcmp( cPassword, "adminpass" ) == 0 )
 {
  authentication = 1;
 }
 if( authentication )
 {
  std::cout << "Access granted\n";
  std::cout << ( char )authentication;
 }
 else
 {
  std::cout << "Wrong username and password\n";
 }

 return ( 0 );
}

I compiled it with x64 compiler command-line MS compiler, no optimizations. So now we have an exe that we want to "hack". We load the program with WinDbg (really good debugger) and take a look at the disassembly (notice, I've supplied full debug info, for clarity):

00000001`3f1f1710 4883ec68        sub     rsp,68h
00000001`3f1f1714 488b0515db0300  mov     rax,qword ptr [Prototype_Console!__security_cookie (00000001`3f22f230)]
00000001`3f1f171b 4833c4          xor     rax,rsp
00000001`3f1f171e 4889442450      mov     qword ptr [rsp+50h],rax
00000001`3f1f1723 c744243800000000 mov     dword ptr [rsp+38h],0  // This gives us address of "authentication" on stack.
00000001`3f1f172b 488d156e1c0300  lea     rdx,[Prototype_Console!std::_Iosb<int>::end+0x78 (00000001`3f2233a0)]
00000001`3f1f1732 488d0d47f00300  lea     rcx,[Prototype_Console!std::cout (00000001`3f230780)]
00000001`3f1f1739 e8fdf9ffff      call    Prototype_Console!ILT+310(??$?6U?$char_traitsDstdstdYAAEAV?$basic_ostreamDU?$char_traitsDstd (00000001`3f1f113b)
00000001`3f1f173e 488d542428      lea     rdx,[rsp+28h] // This gives us address of "cUsername" on stack.
00000001`3f1f1743 488d0df6f00300  lea     rcx,[Prototype_Console!std::cin (00000001`3f230840)]
00000001`3f1f174a e823faffff      call    Prototype_Console!ILT+365(??$?5DU?$char_traitsDstdstdYAAEAV?$basic_istreamDU?$char_traitsDstd (00000001`3f1f1172)
00000001`3f1f174f 488d153e1c0300  lea     rdx,[Prototype_Console!std::_Iosb<int>::end+0x6c (00000001`3f223394)]
00000001`3f1f1756 488d0d23f00300  lea     rcx,[Prototype_Console!std::cout (00000001`3f230780)]
00000001`3f1f175d e8d9f9ffff      call    Prototype_Console!ILT+310(??$?6U?$char_traitsDstdstdYAAEAV?$basic_ostreamDU?$char_traitsDstd (00000001`3f1f113b)
00000001`3f1f1762 488d542440      lea     rdx,[rsp+40h] // This gives us address of "cPassword" on stack.
00000001`3f1f1767 488d0dd2f00300  lea     rcx,[Prototype_Console!std::cin (00000001`3f230840)]
00000001`3f1f176e e8fff9ffff      call    Prototype_Console!ILT+365(??$?5DU?$char_traitsDstdstdYAAEAV?$basic_istreamDU?$char_traitsDstd (00000001`3f1f1172)
00000001`3f1f1773 488d15321c0300  lea     rdx,[Prototype_Console!std::_Iosb<int>::end+0x84 (00000001`3f2233ac)]
00000001`3f1f177a 488d4c2428      lea     rcx,[rsp+28h]
00000001`3f1f177f e86c420000      call    Prototype_Console!strcmp (00000001`3f1f59f0)
00000001`3f1f1784 85c0            test    eax,eax
00000001`3f1f1786 751d            jne     Prototype_Console!main+0x95 (00000001`3f1f17a5)
00000001`3f1f1788 488d15291c0300  lea     rdx,[Prototype_Console!std::_Iosb<int>::end+0x90 (00000001`3f2233b8)]
00000001`3f1f178f 488d4c2440      lea     rcx,[rsp+40h]
00000001`3f1f1794 e857420000      call    Prototype_Console!strcmp (00000001`3f1f59f0)
00000001`3f1f1799 85c0            test    eax,eax
00000001`3f1f179b 7508            jne     Prototype_Console!main+0x95 (00000001`3f1f17a5)
00000001`3f1f179d c744243801000000 mov     dword ptr [rsp+38h],1
00000001`3f1f17a5 837c243800      cmp     dword ptr [rsp+38h],0
00000001`3f1f17aa 7426            je      Prototype_Console!main+0xc2 (00000001`3f1f17d2)
00000001`3f1f17ac 488d15151c0300  lea     rdx,[Prototype_Console!std::_Iosb<int>::end+0xa0 (00000001`3f2233c8)]
00000001`3f1f17b3 488d0dc6ef0300  lea     rcx,[Prototype_Console!std::cout (00000001`3f230780)]
00000001`3f1f17ba e87cf9ffff      call    Prototype_Console!ILT+310(??$?6U?$char_traitsDstdstdYAAEAV?$basic_ostreamDU?$char_traitsDstd (00000001`3f1f113b)
00000001`3f1f17bf 0fb6542438      movzx   edx,byte ptr [rsp+38h]
00000001`3f1f17c4 488d0db5ef0300  lea     rcx,[Prototype_Console!std::cout (00000001`3f230780)]
00000001`3f1f17cb e825f9ffff      call    Prototype_Console!ILT+240(??$?6U?$char_traitsDstdstdYAAEAV?$basic_ostreamDU?$char_traitsDstd (00000001`3f1f10f5)
00000001`3f1f17d0 eb13            jmp     Prototype_Console!main+0xd5 (00000001`3f1f17e5)
00000001`3f1f17d2 488d15ff1b0300  lea     rdx,[Prototype_Console!std::_Iosb<int>::end+0xb0 (00000001`3f2233d8)]
00000001`3f1f17d9 488d0da0ef0300  lea     rcx,[Prototype_Console!std::cout (00000001`3f230780)]
00000001`3f1f17e0 e856f9ffff      call    Prototype_Console!ILT+310(??$?6U?$char_traitsDstdstdYAAEAV?$basic_ostreamDU?$char_traitsDstd (00000001`3f1f113b)
00000001`3f1f17e5 33c0            xor     eax,eax
00000001`3f1f17e7 488b4c2450      mov     rcx,qword ptr [rsp+50h]
00000001`3f1f17ec 4833cc          xor     rcx,rsp
00000001`3f1f17ef e8bc420000      call    Prototype_Console!__security_check_cookie (00000001`3f1f5ab0)
00000001`3f1f17f4 4883c468        add     rsp,68h
00000001`3f1f17f8 c3              ret

Now, since we know how x64 stack works we can start "hacking". RSP is stack pointer, function stack is addresses above RSP value (stack grows into smaller addresses). So, we see that RSP+28h is where cUsername, RSP+38h is authentication, and RSP+40h is cPassword, where 28h, 38h and 40h are hexadecimal offsets. Here is little image to illustrate:

-----> old RSP value // Stack frame of caller of `main` is above, stack frame of main is below 

      16 bytes of
      "cPassword"
+40h
     8 bytes of "authentication"
+38h
      16 bytes of
      "cUsername"
+28h   


-----> RSP value = old RSP-68h

What do we see from here? We see that compiler aligned data on 8 byte boundary: for example, we asked to allocate 10 bytes for cUsername, but we got 16 bytes - x64 bit stack is aligned on 8-byte boundary, naturally. That means in order to write into authentication we need to write into cUsername MORE that 16 bytes (symbols). Notice also, that compiler put cPassword higher that authentication - we cannot overwrite authentication using cPassword, only cUsername.

So now we run our program and input Username: 0123456789abcdef1. 0123456789abcdef = 16 bytes, the next 1 is going to be put into lower byte of authentication - good enough for us:

Username: 0123456789abcdef1
Pass: whatever
Access granted
1

Answer 3

Because you have your char set to 10 places (including the NULL character), anything longer will overflow onto Authentication. There are numerous ways to fix this, most obviously being so simply make the char bigger. Other ways would be to limit the number of letters a user enters at registration (assuming this was on a website server). You could also use strlen(cUsername) to count the length of the char array and ask for re-entry of the username with less characters.
EDIT:
Ok. So what you want to do is use getline(cin,cUser) instead. cin stops reading at the first occurence of a whitespace. getline() will read the entire string with or without spaces.

Answer 4

When you compile a program, the compiler decides how to arrange your data in memory. If a program contains unchecked array accesses, it may be exploitable as a malicious user with knowledge of the arrangement of data in memory can figure out how to overwrite critical variables.

However, C++ doesn't give you complete control over how things are laid out on the stack. Local variables may appear in any order in memory.

To understand buffer overflow exploits, you will have to disassemble your program and delve into machine code. This will give you the layout of the stack, including the all-important return addresses.

By the way, the "Access Violation" is coming from your program, not Visual Studio. You probably need more experience with "forward" engineering before getting into reverse engineering.

Answer 5

If you use std::string, you'll find that your program will be much simpler:

int main()
{
  bool authenticated = false;

  while(!authenticated)
  {
    string username;
    string password;

    cout << "Username: ";
    getline(cin, username); // you may want to read input differently

    cout << "Pass: ";
    getline(cin, password); // same as above

    // you'll need to check cin.fail() to see whether the stream
    // had failed to read data, and exit the loop with "break".

    if(username == "admin" && password == "adminpass")
    {
      authenticated = true;
    }
    else
    {
      cout << "Wrong username and password, try again\n";
    }
  }

  if(authenticated)
  {
    cout << "Access granted\n";
  }      
}

Edit:

With regards to your recent question, I think by default, cin >> string will stop reading at the first whitespace character (i.e. space), so if you input a space, cin will stop before it corrupts any data, and so you don't get the access violation. If you want to be able to read spaces, then you'll need to use getline like I have above so that it will read the entire line of text, spaces included.

Answer 6

Proposed solution to detect NULL pointer and buffer overflow in memcpy, memset, strcpy before hand and print out the location (file:line) where the problem occurs:

http://htvdanh.blogspot.com/2016/09/proposed-solution-to-detect-null.html