/* $Header: https://svn.ita.chalmers.se/repos/security/edu/course/computer_security/trunk/lab/login_linux/login_linux.c 585 2013-01-19 10:31:04Z pk@CHALMERS.SE $ */
/* gcc -std=gnu99 -Wall -g -o mylogin login_linux.c -lcrypt */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <stdio_ext.h>
#include <string.h>
#include <signal.h>
#include <pwd.h>
#include <sys/types.h>
#include <crypt.h>
#include <shadow.h>
#include "pwent.h" /* Step 2 */
#define TRUE 1
#define FALSE 0
#define LENGTH 16
/*
 * Placeholder for the lab's signal setup. main() calls this once before the
 * login loop. The body is empty, so calling it changes nothing.
 */
void sighandler()
{
    /* TODO: add the signal handling routines here; see 'man 2 signal' */
}
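/*
 * Login loop: read a login name and a password, then compare crypt() of the
 * typed password with the hash stored in the shadow database.
 *
 * Returns 0 after a successful login and exits with status 0 when the login
 * name cannot be read (end of input). Every failure prints the same
 * "Login Incorrect" line, whatever the cause. getspnam() returns NULL when
 * the shadow entry cannot be read, in which case the attempt is rejected.
 */
int main(int argc, char *argv[]) {
    struct passwd *passwddata;     /* this has to be redefined in step 2 */
                                   /* see pwent.h */
    struct spwd *shadowpasswddata; /* this has to be redefined in step 2 */
                                   /* see pwent.h */

    /*
     * The two marker strings are declared around the name buffer so that a
     * write past the end of 'user' would show up in the prints below. The
     * actual stack layout is up to the compiler.
     */
    char important1[LENGTH] = "**IMPORTANT 1**";
    char user[LENGTH];
    char important2[LENGTH] = "**IMPORTANT 2**";

    /* char *c_pass; -- you might want to use this variable later... */
    char prompt[] = "password: ";
    char *user_pass;

    sighandler();

    while (TRUE) {
        /* check what important variable contains - do not remove, part of buffer overflow test */
        printf("Value of variable 'important1' before input of login name: %s\n",
               important1);
        printf("Value of variable 'important2' before input of login name: %s\n",
               important2);

        printf("login: ");
        fflush(NULL);    /* Flush all output buffers */
        __fpurge(stdin); /* Purge any data in stdin buffer */

        /*
         * fgets() stores at most sizeof user bytes including the terminator.
         * gets() had no bound at all, so a long login name overwrote the
         * memory that follows 'user'.
         */
        if (fgets(user, sizeof user, stdin) == NULL)
            exit(0);

        /*
         * Strip the newline. A name that does not fit is rejected rather
         * than silently truncated, because the truncated prefix could be
         * the name of a different account.
         */
        size_t name_len = strcspn(user, "\n");
        int name_too_long = FALSE;
        if (user[name_len] == '\n') {
            user[name_len] = '\0';
        } else if (name_len == sizeof user - 1) {
            /* Buffer is full: either the name fits exactly and the newline
             * is still unread, or there is more input on this line. */
            int ch = getchar();
            if (ch != '\n' && ch != EOF) {
                name_too_long = TRUE;
                while ((ch = getchar()) != '\n' && ch != EOF) {
                    /* discard the rest of the over-long line */
                }
            }
        }

        /* check to see if important variable is intact after input of login name - do not remove */
        printf("Value of variable 'important 1' after input of login name: %*.*s\n",
               LENGTH - 1, LENGTH - 1, important1);
        printf("Value of variable 'important 2' after input of login name: %*.*s\n",
               LENGTH - 1, LENGTH - 1, important2);

        /* Always prompt, so a rejected name looks the same as a wrong password. */
        user_pass = getpass(prompt); /* deprecated function, may return NULL */

        int authenticated = FALSE;
        if (!name_too_long && user_pass != NULL) {
            /* Step 1: look the user up. The pointer was previously read
             * without ever being assigned. */
            passwddata = getpwnam(user);

            if (passwddata != NULL) {
                /* NULL for an unknown user or when the shadow database
                 * cannot be read by this process. */
                shadowpasswddata = getspnam(user);

                if (shadowpasswddata != NULL && shadowpasswddata->sp_pwdp != NULL) {
                    /*
                     * The stored field has the form $id$salt$hash. crypt()
                     * takes the id and the salt from its second argument, so
                     * passing the stored field hashes the typed password the
                     * same way. Keep real shadow entries out of the source:
                     * a committed hash can be guessed at offline.
                     */
                    char *user_pass_encrypted =
                        crypt(user_pass, shadowpasswddata->sp_pwdp);

                    /* crypt() returns NULL on failure */
                    if (user_pass_encrypted != NULL &&
                        !strcmp(user_pass_encrypted, shadowpasswddata->sp_pwdp)) {
                        authenticated = TRUE;
                    }
                }
            }
        }

        /* Do not leave the clear-text password in getpass()'s buffer. */
        if (user_pass != NULL)
            memset(user_pass, 0, strlen(user_pass));

        if (authenticated) {
            printf(" You're in !\n");

            /* check UID, see setuid(2) */
            /* start a shell, use execve(2) */

            /* Until a shell is started here, stop; otherwise the failure
             * message below would follow a successful login. */
            return 0;
        }

        printf("Login Incorrect \n");
    }
    return 0;
}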