There are quite a few times when I’m discussing my work with friends and they ask “what do you even do?”
Well, there are a lot of answers for that. Information security is a pretty broad field, but the most enjoyable part of my job, and the one I get to do the least, is finding faults in code and exploiting the vulnerabilities they create. To show you guys how that works, I threw together a little puzzle in C. The code is available here for you to download and follow along, BUT if you want to try the challenges without seeing the code, on a macOS or Linux machine, type the following to download and compile the code.
Either figure out the password, or bypass the login code.
- Buffer Overflow: This is the easiest way to bypass the login. The program expects a password of at most 16 characters, so just to be safe, I fed it 32 characters. The characters themselves don’t matter. The idea is that the input is larger than the buffer the program set aside for it on the stack, so the extra bytes spill past the buffer and overwrite the validating integer stored next to it with a nonzero value, which the program then treats as a successful login.
- Disassembly: This method is a little more difficult, since it involves us looking at memory locations and assembly code. First we need to run ‘objdump’ to get the raw hex data, and save it to a dump file. When we open the dump we can ignore the ‘_text’ section and go straight to the ‘_main’ function. BUT WAIT! There is a hidden function that isn’t called anywhere in the program, called ‘_secret’. What does that do? There are a couple of ways to find out, the easiest of which is to open it in a disassembler like Hopper or IDA. Opening the executable in Hopper tells us that the function’s purpose is to print the password. Like I said, I made this code purposefully vulnerable. Looks like the password is “sciencemoez.com”. The GNU Debugger (GDB) can also be used to print the memory location of the password as a string, or to force the program to run the secret function by setting a breakpoint, but if you have access to IDA (free version, paid extra features) or Hopper ($100), that doesn’t make sense to do.
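The overflow in the first method comes down to an unbounded read into a 16-byte buffer that sits next to the login flag. As an added example (my code, not the puzzle’s), here is the same check written so that the input length is enforced and the result is the comparison itself rather than a flag on the stack; the password is the one recovered above, and the function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define PASSWORD_MAX 16              /* the puzzle's 16-character limit */
#define PASSWORD "sciencemoez.com"   /* password recovered above */

/* Fragile pattern the puzzle relies on, shown for contrast and never compiled:
 * an unbounded read into a fixed buffer that sits next to the flag gating
 * the login, so 32 characters spill past the buffer and change the flag.
 *   int ok = 0; char buf[16];
 *   gets(buf);                                   // no length limit
 *   if (strcmp(buf, PASSWORD) == 0) ok = 1;
 *   return ok;
 */

/* Hardened check: the length is passed in, and over-length input is
 * rejected outright instead of being copied or silently truncated. */
int check_password(const char *input, size_t input_len)
{
    char buf[PASSWORD_MAX + 1];
    if (input_len > PASSWORD_MAX)
        return 0;
    memcpy(buf, input, input_len);
    buf[input_len] = '\0';
    /* The result is the comparison itself; there is no stack flag to hit. */
    return strcmp(buf, PASSWORD) == 0;
}

/* Bounded line read. Returns 1 if a whole line fit in out, 0 if the line was
 * longer than the buffer (over-length input), -1 on EOF or error. */
int read_password_line(char *out, size_t out_size, FILE *in)
{
    if (!fgets(out, (int)out_size, in))
        return -1;
    size_t n = strcspn(out, "\n");
    if (out[n] != '\n' && !feof(in))
        return 0;            /* fgets stopped before the end of the line */
    out[n] = '\0';
    return 1;
}

int main(void)
{
    char line[PASSWORD_MAX + 2];     /* 16 chars + '\n' + '\0' */
    int r = read_password_line(line, sizeof line, stdin);
    puts(r == 1 && check_password(line, strlen(line)) ? "Login OK" : "Login denied");
    return 0;
}
```

Feed it the same 32-character line from the first method and it is refused before anything is copied, because the length check runs first and the over-long line is reported by the bounded read.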
Can you guys find another way to break into the application?