Thursday, January 25, 2007

Funny things about secure code

Thanks to Leo for lending me a good book, Writing Secure Code. It's really heart-stirring stuff! I got started reading Chapter 5, which discusses stack overruns. Actually, I had never thought about that shit. Here I will post some funny stuff that will be a reference and some fun for newbies like me.

Environment: Windows XP + Visual C++ (release mode)

/*
StackOverrun.c

Deliberately vulnerable example: foo() copies its argument into a
10-byte stack buffer with strcpy, so a long argument overwrites the
saved return address.
*/
#include <stdio.h>
#include <string.h>

void foo(const char* input)
{
    char buf[10];

    // Careful, this is a stack trick:
    // printf gets no arguments, so each %p prints whatever is on the stack,
    // which lets us see the hole left by the missing parameters
    printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");

    // Public enemy number one: stack overrun (no bounds check on input)
    strcpy(buf, input);
    printf("%s\n", buf);

    printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
}

void bar(void)
{
    printf("Augh! I've been hacked!\n");
}

int main(int argc, char* argv[])
{
    printf("Address of foo = %p\n", foo);
    printf("Address of bar = %p\n", bar); // print the function addresses
    if (argc != 2)
    {
        printf("Please supply a string as an argument!\n");
        return -1;
    }
    foo(argv[1]);
    return 0;
}

After compiling, you can try this:
>StackOverrun.exe shawntherockisanewbie
Address of foo = 00401000
Address of bar = 00401060
My stack looks like:
00000000
00000000
00000000
7FFDA000
00401091
004010BB

shawntherockisanewbie
Now the stack looks like:
00000000
00000000
77616873
6568746E
6B636F72
6E617369

Now Windows pops up an error window: "The instruction at "0x6e617369" referenced memory at "0x6e617369". The memory could not be "read"".
Why "0x6e617369"? Because the ASCII code of the letter "n" is 6e.

How do we fix this problem in this case? It's very easy to figure out.

#include <stdio.h>
#include <string.h>

void foo(const char* in)
{
    char buf[64]; // The Win32 program must not accept a string argument longer than 64 characters

    // strncpy copies at most sizeof(buf) bytes but does NOT add a terminator
    // when the input fills the buffer, so we always set the last byte ourselves
    strncpy(buf, in, sizeof(buf));
    buf[sizeof(buf) - 1] = '\0'; // Victory! (the last valid index is sizeof(buf) - 1, not sizeof(buf))
    printf("%s\n", buf);
}

void bar(const char* in)
{
    printf("Augh! I've been hacked!\n");
}

int main(int argc, char* argv[])
{
    if(argc != 2)
    {
        printf("Usage is %s [string]\n", argv[0]); // print usage
        return -1;
    }

    printf("Address of foo is %p, address of bar is %p\n", foo, bar); // show the current function addresses
    foo(argv[1]); // pass the received string to foo()
    return 0;
}

Now this Windows console program can't accept more than 64 characters.
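The fix above relies on two things: an strncpy bounded by the buffer size, and a terminator written at the last valid index. The helper below is an added example, not code from the book or from this post, that packages that pattern into a bounded copy which reports truncation, and shows why strncpy alone is not enough when the input fills the buffer. The names copy_bounded, copy_bounded_len and strncpy_leaves_terminator and the sample inputs are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Bounded copy that always leaves dst NUL-terminated.
   Returns true if src had to be truncated to fit. */
bool copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return true;                 /* no room at all; nothing written */
    strncpy(dst, src, dstsz - 1);    /* copy at most dstsz - 1 bytes */
    dst[dstsz - 1] = '\0';           /* last valid index is dstsz - 1, not dstsz */
    return strlen(src) > dstsz - 1;
}

/* Runs copy_bounded into a dstsz-byte window of a local buffer and returns
   the resulting string length, so the bound can be checked directly. */
size_t copy_bounded_len(size_t dstsz, const char *src)
{
    char dst[64] = {0};
    if (dstsz > sizeof(dst)) dstsz = sizeof(dst);
    copy_bounded(dst, dstsz, src);
    return strlen(dst);
}

/* The strncpy pitfall: if src is dstsz bytes or longer, strncpy writes no
   terminator at all. Returns true if the window ended up NUL-terminated. */
bool strncpy_leaves_terminator(size_t dstsz, const char *src)
{
    char dst[64];
    if (dstsz > sizeof(dst)) dstsz = sizeof(dst);
    memset(dst, 'X', sizeof(dst));   /* poison so a missing NUL is visible */
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

int main(void)
{
    /* constructed inputs: one that fits, one that exactly fills 8 bytes */
    printf("copy_bounded_len(8, \"abc\")      = %zu\n", copy_bounded_len(8, "abc"));
    printf("copy_bounded_len(8, \"exactly8\") = %zu\n", copy_bounded_len(8, "exactly8"));
    printf("strncpy terminated \"seven77\"  ? %d\n", strncpy_leaves_terminator(8, "seven77"));
    printf("strncpy terminated \"exactly8\" ? %d\n", strncpy_leaves_terminator(8, "exactly8"));
    return 0;
}
```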

PS: Secure coding techniques are not specific to any programming language.
You can apply them in whatever programming language you use in your project.