Exploits define MAXPASSLEN 10 define PASSWORDOK 1 define

Exploits

Exploits


#define MAX_PASSLEN 10 #define PASSWORD_OK 1 #define PASSWORD_FAIL 2 void set_password(char *pass) { FILE *f = get_password_file(); fprintf(f, pass); } int authenticate() { FILE *f = get_password_file(); char userpass[MAX_PASSLEN]; char secret[MAX_PASSLEN]; fscanf(f, "%s", secret); fprintf(stdout, "Password: "); fscanf(stdin, "%s", userpass); if (strncmp(secret, userpass, MAX_PASSLEN) == 0) return PASSWORD_OK; else return PASSWORD_FAIL; } __start() { if (authenticate() == PASSWORD_OK) { char newpass[MAX_PASSLEN]; fprintf(stdout, "New password: "); fscanf(stdin, "%s", newpass); set_password(newpass); } else { fprintf(stdout, "Sorry, wrong passwordn"); } }


00400300 <authenticate>:
  400300  addiu sp, -72                  # 72-byte stack frame
  400304  sw    ra, 68(sp)               # saved return address
  400308  sw    fp, 64(sp)               # saved frame pointer
  40030c  move  fp, sp
  400310  li    t9, get_password_file
  400314  nop
  400318  jalr  t9
  40031c  nop
  400320  sw    v0, 16(fp)               # f
  400324  addiu v1, fp, 40               # &secret
  400328  lw    a0, 16(fp)
  40032c  lui   v0, 0x40
  400330  addiu a1, v0, 1184             # format argument for fscanf
  400334  move  a2, v1
  400338  li    t9, fscanf
  40033c  nop
  400340  jalr  t9                       # fscanf(f, "%s", secret)
  400344  nop
  400348  li    a0, 1
  40034c  lui   v0, 0x40
  400350  addiu a1, v0, 1188
  400354  li    t9, fprintf
  400358  nop
  40035c  jalr  t9                       # fprintf(stdout, "Password: ")
  400360  nop
  400364  addiu v1, fp, 24               # &userpass
  400368  move  a0, zero
  40036c  lui   v0, 0x40
  400370  addiu a1, v0, 1184
  400374  move  a2, v1
  400378  li    t9, fscanf
  40037c  nop
  400380  jalr  t9                       # fscanf(stdin, "%s", userpass)
  400384  nop
  400388  addiu v0, fp, 40
  40038c  addiu v1, fp, 24
  400390  move  a0, v0
  400394  move  a1, v1
  400398  li    t9, strncmp              # the listing loads no third (length) argument
  40039c  nop
  4003a0  jalr  t9
  4003a4  nop
  4003a8  bnez  v0, 4003c0
  4003ac  nop
  4003b0  li    v0, 1                    # PASSWORD_OK
  4003b4  sw    v0, 56(fp)               # result_tmp
  4003b8  b     4003c8
  4003bc  nop
  4003c0  li    v0, 2                    # PASSWORD_FAIL
  4003c4  sw    v0, 56(fp)
  4003c8  lw    v0, 56(fp)
  4003cc  move  sp, fp
  4003d0  lw    ra, 68(sp)               # return address reloaded from the stack
  4003d4  lw    fp, 64(sp)
  4003d8  addiu sp, 72
  4003dc  jr    ra
  4003e0  nop


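Stack layout, highest address first (offsets are from fp, taken from the authenticate listing):

parent:  …
         arg 4
         arg 3
         arg 2
         arg 1
child:   ra          (68)
         fp          (64)
         result_tmp  (56)
         secretpass  (40)
         userpass    (24)
         f           (16)
         …

Both 10-byte buffers sit at lower addresses than the saved fp and ra, and fscanf fills a buffer toward higher addresses. A read that is not limited to the buffer size therefore runs into the neighbouring slots, which is why each "%s" needs a field width.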