LinuxQuestions.org
07-15-2003, 07:21 PM   #1
Linh (Member; registered Apr 2003)
putc and fputc - and other confusion


1) What is the difference between putc and fputc?
2) Unless you are using a buffer, is it true that fprintf is better than fputs?

3) C also has a bunch of other get and read types as well,
and it can get confusing at times. I am trying to stick to one
standard.

=======================================
#include <stdio.h>
#include <stdlib.h>

/*******************************************/

/* fopen() is already declared by <stdio.h>; every open below is checked
   for failure and closed again, instead of only the last one */
static FILE *open_or_exit (const char *path, const char *mode)
{
    FILE *fp = fopen (path, mode);
    if (fp == NULL) {
        perror (path);
        exit (EXIT_FAILURE);
    }
    return fp;
}

void start_processes (void)
{
    FILE *file_pointer;
    char ETH1[13];

    file_pointer = open_or_exit ("/etc/yellowbox/network-config", "r");
    /* %12s stops after 12 characters, so ETH1[13] (12 chars + '\0') cannot overflow */
    if (fscanf (file_pointer, "%*[^=] %*c %12s", ETH1) == 1) /* --> ETH1 = 192.168.20.1 */
        printf ("ETH1 = %s\n", ETH1);
    fclose (file_pointer);

    /******************************************/

    file_pointer = open_or_exit ("/root/file_putc", "w");
    putc ('5', file_pointer); /* putc writes only one character to a file */
    fclose (file_pointer);

    file_pointer = open_or_exit ("/root/file_fputc", "w");
    fputc ('3', file_pointer); /* fputc writes only one character to a file */
    fclose (file_pointer);

    /*****************************************/

    puts ("puts write many characters to the monitor.");
    puts ("putchar write only one character to the monitor.");

    putchar ('p');
    printf ("\n");

    /*****************************************/

    file_pointer = open_or_exit ("/root/file_fputs", "w");
    fputs ("fputs write many characters to a file", file_pointer);
    fclose (file_pointer);

    file_pointer = open_or_exit ("/root/file_fprintf", "w");
    fprintf (file_pointer, "fprintf write many characters to a file");
    fclose (file_pointer);
}

/*****************************************/

int main (void)
{
    start_processes ();
    return 0;
}
 
07-16-2003, 05:52 AM   #2
Mohsen (Member; registered Feb 2003; Location: Iran; Distribution: Solaris 10)
int fgetc(FILE* stream)
fgetc() returns the next character of stream as an unsigned char (converted to an int), or EOF if end of file or error occurs.

int getc(FILE* stream)
getc() is equivalent to fgetc() except that if it is a macro, it may evaluate stream more than once.

The same applies to fputc() and putc(), BUT pay attention to gets() and fgets(), and to puts() and fputs():
char* gets (char* s)
char* fgets (char* s, int n, FILE* stream) /* reads at most the next n-1 characters into the array s, stopping if a newline is encountered; the newline is included in the array, which is terminated by '\0'. fgets() returns s, or NULL if end of file or error occurs */

char* puts (const char* s)
char* fputs (const char* s, FILE* stream) /* writes the string s (which need not contain '\n') on stream; it returns non-negative, or EOF for an error */
 
07-16-2003, 10:21 AM   #3
Linh (Original Poster)
Thank you for your help

Thank you Mohsen for your good answer
 
07-18-2003, 10:15 AM   #4
DIYLinux (Member; registered Jul 2003; Location: NL; Distribution: My own)
But beware of buffer overruns (a major source of bugs affecting security).

gets should NEVER be used, since it does not limit the amount of data it reads, allowing the user to corrupt the memory held by your program by writing past the end of the array that receives the data. When the program runs at an elevated privilege level (daemons and setuid progs), a hacker may trick it into providing a shell at this elevated privilege level. Use fgets on stdin instead.

Similar remarks for (f)scanf.

Last note: if you don't check user input thoroughly, even sprintf (print to a character array, with printf-style formatting) can cause a buffer overflow. Use snprintf instead (and autoconf to check if your target platform has it; remember that tomorrow you may be required to run on platforms you have never heard about).
 
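The bounded-input pattern DIYLinux recommends above (fgets instead of gets, snprintf instead of sprintf), worked through as an added example; this code is not from the thread, and the enum, the function names and the sample lines are constructed for the illustration. It shows the two things such code still has to handle once the write itself is bounded: telling a line that fit from a line that was cut off (and not reading the cut-off tail as the next line), and checking the return value of snprintf for truncation.

```c
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK = 0, LINE_EOF = 1, LINE_TOO_LONG = 2 };

/* Read one line into buf (size n) with fgets(). Unlike gets(), the write is
 * bounded by n; the remaining work is distinguishing "line fit" from "line
 * was cut off". The buffer must have room for the newline as well, so a line
 * of n-1 characters plus '\n' is reported as too long. On LINE_TOO_LONG the
 * rest of the over-long line is consumed, so the next call starts at the
 * next line instead of returning the tail as if it were a new line. */
enum line_status read_line(FILE *fp, char *buf, size_t n)
{
    if (n == 0 || fgets(buf, (int)n, fp) == NULL)
        return LINE_EOF;                     /* end of file or read error */

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';                 /* strip the newline fgets keeps */
        return LINE_OK;
    }
    if (feof(fp))
        return LINE_OK;                      /* last line had no newline */

    /* No newline and not at EOF: fgets stopped because the buffer was full.
     * Discard the rest of the line rather than treating it as the next one. */
    int c;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;
    return LINE_TOO_LONG;
}

/* snprintf() never writes more than n bytes, but it returns the length the
 * complete output would have had; a return value >= n means the result was
 * truncated. Returns 0 on success, -1 if the greeting did not fit. */
int format_greeting(char *out, size_t n, const char *name)
{
    int needed = snprintf(out, n, "Hello, %s!", name);
    if (needed < 0 || (size_t)needed >= n)
        return -1;
    return 0;
}

/* Would "Hello, <name>!" fit in a buffer of n bytes? 1 = yes, 0 = truncated. */
int greeting_fits(size_t n, const char *name)
{
    char out[128];
    if (n > sizeof out)
        n = sizeof out;
    return format_greeting(out, n, name) == 0;
}

/* Constructed input: a 12-character address line, a 40-byte line that cannot
 * fit in a 16-byte buffer, and a final line with no trailing newline. */
const char SAMPLE_INPUT[] =
    "192.168.20.1\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "eth1";

/* Run text through read_line() with a bufsize-byte buffer (capped at 256)
 * and count how many lines came back with status `wanted`. A temporary file
 * stands in for stdin so the example runs without user input. */
int count_lines(const char *text, size_t bufsize, enum line_status wanted)
{
    char buf[256];
    if (bufsize > sizeof buf)
        bufsize = sizeof buf;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(text, fp);
    rewind(fp);

    int count = 0;
    enum line_status st;
    while ((st = read_line(fp, buf, bufsize)) != LINE_EOF)
        if (st == wanted)
            count++;
    fclose(fp);
    return count;
}
```

Note the 13-byte case: a buffer of exactly 13 bytes holds "192.168.20.1" and its terminator, but not the newline that follows it, so fgets stops one character early and the line counts as too long. The ETH1[13] array in the first post has the same property if it is ever filled with fgets rather than a width-limited fscanf.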
07-18-2003, 10:44 AM   #5
Linh (Original Poster)
Hi DIYLinux. Thanks for the good advice.

Show me how the user can "corrupt the memory held by the program, by writing past the end of the array that receives the data. When the program runs at an elevated privilege level (daemons and setuid progs), a hacker may trick it into providing a shell at this elevated privilege level. Use fgets on stdin instead."

How can a user do this? When the C program running is in binary code, he can only do this if he uses a global assembler and understands assembly language to alter the program.

Please show me how a user could bypass security step by step so that I can understand what you are saying.
 
07-18-2003, 10:59 AM   #6
kev82 (Senior Member; registered Apr 2003; Location: Lancaster, England; Distribution: Debian Etch, OS X 10.4)
You have to understand a little assembly and know what the stack is, but here goes:

When a function is called, the return address (the piece of code to go back to when the function is finished) is put on top of a pile called the stack. Any local variables such as char x[50] are then put on top of the return address, so anything written after the last element of the char array will overwrite the return address. At best this will cause the program to crash by jumping to an invalid memory location. But imagine the person typed in code to spawn a shell into the char array (not very hard to do), then overwrote the return address to jump to the start of the code; then they have a shell with the privileges of the hacked program. All that is required to do this is a bit of knowledge and a disassembler such as objdump.

 
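The memory-corruption step kev82 describes, as an added example that is not from the thread: a copy into a fixed-size array with no check against the array's size spills into whatever sits next to it in memory. On a real stack the next thing is the saved frame and return address, which cannot be observed deterministically in portable C, so the struct below places a privilege flag directly after the buffer instead; the struct, the function names and the inputs are invented for the demo. It shows the overwrite and the fix, not an exploit.

```c
#include <stddef.h>
#include <string.h>

/* Layout chosen for the demo: an 8-byte name buffer followed directly by a
 * flag. The flag plays the role the return address plays on the stack. */
struct session {
    char name[8];
    int  is_admin;
};
_Static_assert(offsetof(struct session, is_admin) == 8,
               "is_admin must sit directly after name[] for the demo");

/* Vulnerable version: copies until the input's NUL with no check against
 * sizeof name. The copy goes through a pointer to the whole struct and stops
 * at the struct's end so the demo never touches memory it does not own; an
 * unchecked strcpy(s->name, input) does the same thing up to that point and
 * then keeps going into whatever follows. */
void login_unchecked(struct session *s, const char *input)
{
    unsigned char *dst = (unsigned char *)s + offsetof(struct session, name);
    size_t i = 0;
    while (i < sizeof *s && input[i] != '\0') {  /* wrong bound: the object, not name[] */
        dst[i] = (unsigned char)input[i];
        i++;
    }
    if (i < sizeof *s)
        dst[i] = '\0';
}

/* Hardened version: measure first, reject anything that does not fit
 * together with its terminating NUL, and only then copy. */
int login_checked(struct session *s, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof s->name)
        return -1;                   /* too long: refuse, do not truncate silently */
    memcpy(s->name, input, len + 1);
    return 0;
}

/* Run one login through the vulnerable copy and report the flag afterwards.
 * Nothing ever sets is_admin, so a non-zero result means the input wrote it. */
int flag_after_unchecked(const char *input)
{
    struct session s = { "", 0 };
    login_unchecked(&s, input);
    return s.is_admin;
}

/* Same through the hardened copy: -1 if rejected, otherwise the untouched flag. */
int flag_after_checked(const char *input)
{
    struct session s = { "", 0 };
    if (login_checked(&s, input) != 0)
        return -1;
    return s.is_admin;
}
```

With twelve 'A' bytes as input, the unchecked copy fills name[] and then writes 0x41414141 over is_admin; with nine, a single byte lands in the flag, which is still enough to make it non-zero. The checked version rejects anything of eight characters or more, because the eighth byte of name[] has to hold the terminator.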
07-18-2003, 11:11 AM   #7
Linh (Original Poster)

Hi kev82. Thank you for explaining. I divided what you said into two sections. I understand the first section very well and I know what a stack is. On the second section, how does a hacker "type in code to spawn a shell into the char array"?


1) When a function is called, the return address (the piece of code to go back to when the function is finished) is put on top of a pile called the stack. Any local variables such as char x[50] are then put on top of the return address, so anything written after the last element of the char array will overwrite the return address. At best this will cause the program to crash by jumping to an invalid memory location.

2) But imagine the person typed in code to spawn a shell into the char array (not very hard to do), then overwrote the return address to jump to the start of the code; then they have a shell with the privileges of the hacked program. All that is required to do this is a bit of knowledge and a disassembler such as objdump.
 
07-18-2003, 11:30 AM   #8
kev82 (Senior Member; registered Apr 2003; Location: Lancaster, England; Distribution: Debian Etch, OS X 10.4)
Let's say the instruction you want it to execute is mov eax,0x10. The machine code to do this on x86 is B81000 in hex. Now either you can use fancy keyboard techniques to input those 3 characters, or you could create a file with the machine code in it and pipe it into the program. Or if it's a network program, then just connect to it on the appropriate socket and send the exact data you want.

 
07-21-2003, 07:54 AM   #9
DIYLinux (Member; registered Jul 2003; Location: NL; Distribution: My own)
Sorry for the delay, but here is some background info on buffer overflows: http://destroy.net/machines/security/P49-14-Aleph-One

Enjoy, but don't abuse.
 
  

