Other exams

Buffer Overflow

• original image

  

void next_tag(char* buf) {
strncpy(buf, "FOOBAR", 6);
}void main (int argc, char* argv[]) {
char a[8];
char b[8];
next_tag(a) ; /*copies "FOOBAR" into a */
gets(b);	/*copies from the standard input into b */
}

• a can not contain the NULL terminated string "START" after a buffer overflow

• b is secure against buffer overflows, since gets() checks the length of the input before writing it to the output buffer.

• a can not be overwritten since strncpy() checks the length of the input

• a and b are stored on the stack

• Solution

  • ❌ we can overwrite a to contain "START\n"

    When we get access to b and can put in our payload, the local variable a contains the characters "FOOBAR\n" (that means there is 1 free byte in a ).

  • ❌ gets() does not check boundaries

  • ❌ a could be overwritten from b

  • ✅ because they are local variables