Monday, July 27, 2009

How would I attack this C program using nasm or commands in terminal to display "password is correct"?

#include <string.h>
#include <stdlib.h>
#include <stdio.h>

static void
check_pw (const char *correct_password)
{
    char user_password[20];

    /* gets() has no length limit: anything beyond 19 characters plus the
       terminating NUL runs off the end of user_password onto the stack. */
    gets (user_password);

    if (strlen (user_password) == 0)
    {
        printf ("No password entered!\n");
        exit (1);
    }

    if (!strcmp (user_password, correct_password))
    {
        printf ("Password is correct!\n");
        exit (0);
    }
    else
    {
        printf ("Password is incorrect!\n");
        exit (1);
    }
}

int
main (void)
{
    check_pw ("jellybeans");

    return 0;
}

I agree with Daniel that your code should print out what you want. There is a flaw in the sense that an individual could enter a password longer than 20 characters, thus creating a buffer overflow. The problem is with gets() and how it ends input only on an EOF or newline. This is a runtime problem and may or may not actually cause any issues with your code or surrounding memory space.

EDIT: Oh... So I re-read what you were asking and I think you are trying to get around your password checking logic, correct? In simple terms you want to use memory beyond the allocated 20 (+1 for null) bytes in your character array and inject some code overwriting another part of the program execution, thus having it do something else. For instance, you can put in the 20+1 character string and add a 4-byte address using displayable ASCII characters such as "!j*&" to give the executing program a new 4-byte address overwriting the return address on the stack. This could, depending on your understanding of the executable address and stack sequence, cause the program to "jump" to this new location, bypassing your check for a password and letting you in. This, as mentioned, requires an understanding of the stack frame and memory addressing of your above executing program. Enjoy!
Reply: It is really bad form for a utility function like check_pw() to exit the program. The reason is that you don't want some utility function you call to halt execution unless that utility function is called something like exit().

Also, you usually don't want to store passwords in plain text or even compare them that way. It is better to do something like store a salted hash of the password, then calculate the same kind of hash on the user input and compare those. Anyway, this is just a little learning program, so I understand real security is not the goal.

Unfortunately, this silly Yahoo Answers thing doesn't have a way to enter HTML tags like <pre>, so code can't be entered with proper indentation, but I would do something like this:

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdbool.h>   /* needed for bool, true and false */

static bool Login( const char *correct_password )
{
    char user_password[20] = "";
    int attempts = 0;

    do
    {
        puts("Please enter your password: ");
        /* fgets() stops after sizeof user_password - 1 characters, so a long
           line is truncated instead of being written past the end of the
           array; the newline fgets() keeps is stripped before comparing. */
        if( fgets(user_password, sizeof user_password, stdin) == NULL )
            return false;                       /* EOF or read error */
        user_password[strcspn(user_password, "\n")] = '\0';
        if( strcmp(user_password, correct_password) == 0 )
            return true;
    }
    while( ++attempts < 3 );   /* three tries in total, counting this one */

    return false;
}

int main (void)
{
    if( Login("jellybeans") )
    {
        printf ("Password is correct!\n");
        return 0;
    }
    printf ("Password is incorrect!\n");
    return 1;
}
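A bounded replacement for the original check_pw, added here as an illustration and not taken from the question or either reply: read_password uses fgets so a line that does not fit the 20-byte buffer is drained and rejected rather than running onto the stack, and equal_ct compares every byte instead of stopping at the first mismatch. The names PW_MAX, read_password, equal_ct and check_pw_safe are my own, and the FILE * parameter is there only so the check can be exercised on constructed input instead of stdin.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define PW_MAX 20   /* same 20-byte buffer as the original check_pw */
enum pw_read { PW_OK, PW_EMPTY, PW_TOO_LONG, PW_EOF };

/* Read one line into buf[size] with fgets, which never writes past the
 * buffer. A line that does not fit is drained and reported as PW_TOO_LONG
 * instead of spilling over whatever follows buf on the stack. */
static enum pw_read read_password(char *buf, size_t size, FILE *in)
{
    if (fgets(buf, (int)size, in) == NULL)
        return PW_EOF;                       /* nothing read at all */
    if (strchr(buf, '\n') == NULL) {
        int c = fgetc(in);
        if (c != EOF) {
            /* More bytes were pending, so the line was longer than size-1:
             * discard the rest of it and reject this attempt. */
            while (c != EOF && c != '\n')
                c = fgetc(in);
            buf[0] = '\0';
            return PW_TOO_LONG;
        }
    }
    buf[strcspn(buf, "\n")] = '\0';          /* strip the newline, if any */
    return buf[0] == '\0' ? PW_EMPTY : PW_OK;
}

/* Compare every byte rather than stopping at the first mismatch, so the
 * time taken does not reveal how much of the guess matched. */
static bool equal_ct(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t diff = la ^ lb;
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Drop-in for check_pw: true only for a well-formed line equal to correct_password. */
static bool check_pw_safe(const char *correct_password, FILE *in)
{
    char user_password[PW_MAX];
    if (read_password(user_password, sizeof user_password, in) != PW_OK)
        return false;
    return equal_ct(user_password, correct_password);
}
```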
Reply: Maybe I'm missing something, but I think the answer is:

1) compile the program
2) run it
3) type "jellybeans" followed by the enter key

You should see "Password is correct" after you hit enter.

