Overflow Attacks Without Code Execution

Source: Internet
Author: User

Besides overflows that end in running attacker-supplied code, there are other kinds of overflow, and not every overflow raises an exception. Some overflows do not let the attacker take control of execution, but they still let the attacker read or manipulate additional data. For example, logon.exe is a tool that lets administrators log on to a service. Because the logon password is generated randomly each time, it is hard to guess; without the password you would have to read it out of memory (assuming nothing stops you from doing so) or find some trick to log on. Let's see how logon.exe works.
C:\Documents and Settings\Czy>Logon.exe
USAGE: Logon.exe <username> <password>
Try entering made-up credentials:
C:\Documents and Settings\Czy>Logon.exe spy W7g6351a
Access Denied.
Try entering a long string:

Strangely, when the password is a long run of the letter a, the service lets you log on. Check whether this happens again:

With the same user name and a different password, the logon still succeeds! As long as you supply a long enough password, the program lets you log on whether or not the password is correct. There is no question that this behavior must be reported as a vulnerability. Let's see why it happens.
The Login class in Logon.exe is defined as follows:

#define CREDENTIAL_LENGTH 64
class Login {
public:
    Login();
    void ClearCreds();
    bool IsLoggedIn();
    bool TryCreds(char *Username, char *Password);
    virtual ~Login();
private:
    char UserName[CREDENTIAL_LENGTH];
    char PassPhrase[CREDENTIAL_LENGTH];
    char CorrectPassPhrase[CREDENTIAL_LENGTH];
    char Buffer[521];
};


There is one interesting point in this class definition: PassPhrase and CorrectPassPhrase are laid out one directly after the other in memory. Now look at the code that checks whether the password is correct:

bool Login::IsLoggedIn()
{
    // Fixed-length compare of the supplied pass phrase against the stored one
    return (0 == memcmp(PassPhrase, CorrectPassPhrase, CREDENTIAL_LENGTH));
}

Everything looks normal. Let's take a look at the caller.

bool Login::TryCreds(char *User, char *Password)
{
    FillMemory(UserName, CREDENTIAL_LENGTH, 0x00);
    strcpy(UserName, User);           // no length check
    FillMemory(PassPhrase, CREDENTIAL_LENGTH, 0x00);
    strcpy(PassPhrase, Password);     // no length check: can run past PassPhrase
    return IsLoggedIn();
}

Did you notice it? The line strcpy(PassPhrase, Password); looks suspicious. What happens if the PassPhrase[] buffer overflows? Because the CorrectPassPhrase[] buffer sits in memory directly after the PassPhrase[] buffer, the overflowing bytes overwrite CorrectPassPhrase[]. If a Password is 2 * CREDENTIAL_LENGTH bytes long and its first and second halves are identical, IsLoggedIn returns true regardless of the real value of CorrectPassPhrase. (The strcpy(UserName, User) line has the same defect: an over-long user name runs into PassPhrase.)
Fixing this vulnerability is easy: check the input length, and if it is too long, return false.

bool Login::TryCreds(char *User, char *Password)
{
    // strcpy needs one byte for the terminator, so the length must be strictly less
    if ((strlen(User) < CREDENTIAL_LENGTH) &&
        (strlen(Password) < CREDENTIAL_LENGTH))
    {
        FillMemory(UserName, CREDENTIAL_LENGTH, 0x00);
        strcpy(UserName, User);
        FillMemory(PassPhrase, CREDENTIAL_LENGTH, 0x00);
        strcpy(PassPhrase, Password);
        return IsLoggedIn();
    }
    else
    {
        return false;
    }
}
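The following stand-alone C++ program is an added example; it is not the article's code and not Logon.exe's. It models the Login member layout as a plain struct (the virtual destructor is dropped so that offsetof is well-defined, an assumption of this model), replaces the Windows FillMemory call with memset, and performs the unchecked copy through the object's own bytes so that the overrun from PassPhrase into CorrectPassPhrase can be observed without writing outside the object. The secret value and the user name spy are constructed sample data. Both the unchecked and the length-checked TryCreds are run against the doubled-password input described above.

```cpp
// Added example, not the article's code: a model of the Login layout that
// shows the adjacent-buffer overwrite and the length check that stops it.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

#define CREDENTIAL_LENGTH 64

// Same member order as the article's Login class. The virtual destructor is
// left out (assumption) so the struct is standard-layout and offsetof applies.
struct Creds {
    char UserName[CREDENTIAL_LENGTH];
    char PassPhrase[CREDENTIAL_LENGTH];
    char CorrectPassPhrase[CREDENTIAL_LENGTH];
    char Buffer[521];
};

// Same check as the article: fixed-length compare of the two adjacent buffers.
bool IsLoggedIn(const Creds &c) {
    return 0 == std::memcmp(c.PassPhrase, c.CorrectPassPhrase, CREDENTIAL_LENGTH);
}

// Models an unchecked strcpy into the member at `offset`: bytes beyond the
// member spill into whatever follows it. The copy is clamped at the end of the
// object so this model never writes outside `c` (a rail of the model only;
// the original strcpy has no such limit).
static void UncheckedCopy(Creds &c, std::size_t offset, const char *src) {
    char *raw = reinterpret_cast<char *>(&c);
    std::size_t room = sizeof(Creds) - offset;
    std::size_t n = std::strlen(src) + 1;  // strcpy copies the terminator too
    std::memcpy(raw + offset, src, n < room ? n : room);
}

// Unchecked variant: mirrors the article's original TryCreds.
bool TryCredsVulnerable(Creds &c, const char *User, const char *Password) {
    std::memset(c.UserName, 0, CREDENTIAL_LENGTH);
    UncheckedCopy(c, offsetof(Creds, UserName), User);
    std::memset(c.PassPhrase, 0, CREDENTIAL_LENGTH);
    UncheckedCopy(c, offsetof(Creds, PassPhrase), Password);
    return IsLoggedIn(c);
}

// Fixed variant: the article's length check makes the strcpy calls safe.
bool TryCredsFixed(Creds &c, const char *User, const char *Password) {
    if (std::strlen(User) >= CREDENTIAL_LENGTH ||
        std::strlen(Password) >= CREDENTIAL_LENGTH)
        return false;
    std::memset(c.UserName, 0, CREDENTIAL_LENGTH);
    std::strcpy(c.UserName, User);
    std::memset(c.PassPhrase, 0, CREDENTIAL_LENGTH);
    std::strcpy(c.PassPhrase, Password);
    return IsLoggedIn(c);
}

// Constructed secret standing in for the randomly generated logon password.
Creds MakeCreds(const char *secret) {
    Creds c{};
    std::strncpy(c.CorrectPassPhrase, secret, CREDENTIAL_LENGTH - 1);
    return c;
}

// The input the article describes: 2 * CREDENTIAL_LENGTH bytes, both halves equal.
std::string DoubledPassword(char fill) {
    return std::string(std::size_t(2 * CREDENTIAL_LENGTH), fill);
}

// True when the unchecked code grants access to a password that is not the secret.
bool VulnerableAcceptsDoubledPassword() {
    Creds c = MakeCreds("constructed-secret-value");
    return TryCredsVulnerable(c, "spy", DoubledPassword('a').c_str());
}

// True when the unchecked code still rejects an ordinary wrong password.
bool VulnerableRejectsShortWrongPassword() {
    Creds c = MakeCreds("constructed-secret-value");
    return !TryCredsVulnerable(c, "spy", "W7g6351a");
}

// True when the length check rejects the over-long input.
bool FixedRejectsDoubledPassword() {
    Creds c = MakeCreds("constructed-secret-value");
    return !TryCredsFixed(c, "spy", DoubledPassword('a').c_str());
}

// True when the fixed code still accepts the real secret.
bool FixedAcceptsCorrectPassword() {
    Creds c = MakeCreds("constructed-secret-value");
    return TryCredsFixed(c, "spy", "constructed-secret-value");
}

int main() {
    std::printf("unchecked, doubled password: %s\n",
                VulnerableAcceptsDoubledPassword() ? "Access Granted" : "Access Denied");
    std::printf("unchecked, short wrong password: %s\n",
                VulnerableRejectsShortWrongPassword() ? "Access Denied" : "Access Granted");
    std::printf("fixed, doubled password: %s\n",
                FixedRejectsDoubledPassword() ? "Access Denied" : "Access Granted");
    std::printf("fixed, correct password: %s\n",
                FixedAcceptsCorrectPassword() ? "Access Granted" : "Access Denied");
    return 0;
}
```

Compile with any C++11 compiler and run it: the unchecked variant reports Access Granted for the 128-byte input even though the secret is something else entirely, while the checked variant reports Access Denied for it and still accepts the real secret. The check uses strictly less than CREDENTIAL_LENGTH, as the article's fix does, because strcpy needs one more byte for the terminator than strlen reports.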


Conclusion:
Test the modified version and you will see that the vulnerability in this demo is fixed. Once you study it carefully, it is not difficult to understand.
