小贝子编程

c语言 - 暴力工具上的未知分段错误


// gcc -o OUTPUT Input.c -lcrypt
// Ubuntu 18.04 LTS
#include<stdio.h>
#include<stdlib.h>
#include<fcntl.h>
#include<string.h>
#include<unistd.h>
#include<crypt.h>
#define _XOPEN_SOURCE
int findShadowIndex(char *inputUserName, char shadow[][500]) {
int i = 0; // Tempory Loop variable
char *userName;
while (shadow[i] != NULL) {
strcpy(userName, shadow[i]);
userName = strtok(userName, ":");
if (!strcmp(inputUserName, userName))
return i + 1;
i++;
}
return 0;
}
void setBFValue(char BFValue[]) {
int i, j = 0;
BFValue[j++] = '';
for (i = 48; i < 123; i++) {
if (i >= 58 && i <= 64)
continue;
else if (i >= 91 && i <= 96)
continue;
BFValue[j] = i;
j++;
}
BFValue[j++] = '!';
BFValue[j++] = '@';
BFValue[j++] = '#';
BFValue[j++] = '$';
BFValue[j++] = '%';
BFValue[j] = '^';
return;
}
int bruteForcing(char *originHash, char *cryptSalt, char *userName) {
int a = 0, b = 0, c = 0, d = 0, e = 0, f = 0;// Brute Force Loop variable
char passwd[7] = "";
char BFValue[100] = { NULL, }; // Brute Force Value
setBFValue(BFValue);
for (a = 0; a < 69; a++) {
passwd[5] = BFValue[a];
for (b = 0; b < 69; b++)
{
passwd[4] = BFValue[b];
for (c = 0; c < 69; c++)
{
passwd[3] = BFValue[c];
for (d = 0; d < 69; d++) {
passwd[2] = BFValue[d];
for (e = 0; e < 69; e++) {
passwd[1] = BFValue[e];
for (f = 1; f < 69; f++) {
passwd[0] = BFValue[f];
//printf("nPasswd : %snn", passwd);
//printf("ncryptSalt : %snn", cryptSalt);
//printf("userName : %snn", hashID);
//printf("noroginHash : %snn", originHash);
printf("%s, %sn", passwd, userName);
//printf("%d, n", strcmp(originHash, crypt(passwd, cryptSalt)));
if (!strcmp(originHash, crypt(passwd, cryptSalt))) {
printf("n");
printf("[-] User Name : %s, Password : %sn", userName, passwd);
printf("n");
return 1;
}
}
}
}
}
}
}
return 0;
//printf("n[-] Decryption Failednn");
}
int main(int argc, char* argv[]) {
FILE* fd = NULL; // Shadow File Descripter
int i = 0; // Tempory Loop variable
char shadow[100][500] = { {NULL, } }; // List of Shadow File
char userName[30]; // User Name
int shadowIdx; // User name index in Shadow File
char* ptr; // Tempory char pointer
char *id; // User ID
char *hash, *hashID, *hashSalt, *hashValue;
char cryptSalt[100] = "$";
char originHash[100];
if (argc < 3) {
printf("n[!] Usage >>> sudo ./yu_cracker [Shadow File] [User Name]nn");
exit(1);
}
else if (argc == 3) {
fd = fopen(argv[1], "r");
if (fd == NULL) {
printf("n[!] Can't find Shadow File!!!nn");
exit(1);
}
while (!feof(fd)) {
fgets(shadow[i], 500, fd);
i++;
}
strcpy(userName, argv[2]); // Get User name
shadowIdx = findShadowIndex(userName, shadow);
if (!shadowIdx) {
printf("n[!] Can't find user name in Shadow Filenn");
exit(1);
}
ptr = strtok(shadow[shadowIdx - 1], ":");
id = ptr;
ptr = strtok(NULL, ":");
hash = ptr;
strcpy(originHash, hash);
ptr = strtok(hash, "$");
hashID = ptr;
ptr = strtok(NULL, "$");
hashSalt = ptr;
strcat(cryptSalt, hashID);
strcat(cryptSalt, "$");
strcat(cryptSalt, hashSalt);
ptr = strtok(NULL, "$");
hashValue = ptr;
printf("[+] Origin Hash >>> %snn", originHash);
printf("[+] Hash ID >>> %sn", hashID);
printf("[+] Salt >>> %sn", cryptSalt);
printf("[+] Hash Value >>> %snn", hashValue);
int result = bruteForcing(originHash, cryptSalt, userName);
}
else {
return 1;
}
}

这段代码是/etc/shadow 的简单暴力工具。

首先,在某处目录 &&&chmod 777 上复制/etc/shadow [SHADOW] 其次,从输入用户名(哈希 ID、哈希盐、哈希值)获取文件上的特定哈希值 然后,选择候选值并使用循环中的crypt函数(#include)计算哈希 如果计算出的哈希值与候选值相同,则打印解密文本并返回结果 它似乎工作正常,但在打印解密文本后出现分段错误 请您向我解释为什么会发生分段错误吗?

我希望这些代码和图片可以帮助您解决此问题

如何运行

结果

修复

我已经修复了您的代码,我将首先向您展示我的修改,然后我将解释它们:

您的findShadowIndex函数变为:

int findShadowIndex(char *inputUserName, char shadow[][500]) {
int i = 0; // Tempory Loop variable
while (shadow[i] != NULL) {
char currentShadowRow[500];
strcpy(currentShadowRow, shadow[i]);
if (!strcmp(inputUserName, strtok(currentShadowRow, ":"))) {
return i + 1;
}
i++;
}
return 0;
}

char originHash[100];变得char originHash[500];.

解释

findShadowIndex

findShadowIndex第一次迭代中,当您调用strcpy(userName, shadow[i]);时,您正在将字符从地址shadow[i]复制到内存位置userName。问题是char *userName;不代表您分配的内存,因此strcpy写入您不拥有的内存,从而导致段错误。

我的版本将您正在检查的当前阴影线复制到本地缓冲区(char currentShadowRow[500];),然后调用稍后使用的阴影strtok`` on the copy as to not modify the"数组。

originHash放大到 500 字节

originHash数组不够大,无法容纳所有哈希(我的密码哈希大于 100 个字符)。

工作版本

如果要复制/粘贴工作代码,请在此处:

// gcc -o OUTPUT Input.c -lcrypt
// Ubuntu 18.04 LTS
#include<stdio.h>
#include<stdlib.h>
#include<fcntl.h>
#include<string.h>
#include<unistd.h>
#include<crypt.h>
int findShadowIndex(char *inputUserName, char shadow[][500]) {
int i = 0; // Tempory Loop variable
while (shadow[i] != NULL) {
char currentShadowRow[500];
strcpy(currentShadowRow, shadow[i]);
if (!strcmp(inputUserName, strtok(currentShadowRow, ":"))) {
return i + 1;
}
i++;
}
return 0;
}
void setBFValue(char BFValue[]) {
int i, j = 0;
BFValue[j++] = '';
for (i = 48; i < 123; i++) {
if (i >= 58 && i <= 64)
continue;
else if (i >= 91 && i <= 96)
continue;
BFValue[j] = i;
j++;
}
BFValue[j++] = '!';
BFValue[j++] = '@';
BFValue[j++] = '#';
BFValue[j++] = '$';
BFValue[j++] = '%';
BFValue[j] = '^';
return;
}
int bruteForcing(char *originHash, char *cryptSalt, char *userName) {
int a = 0, b = 0, c = 0, d = 0, e = 0, f = 0;// Brute Force Loop variable
char passwd[7] = "";
char BFValue[100] = { '' }; // Brute Force Value
setBFValue(BFValue);
for (a = 0; a < 69; a++) {
passwd[5] = BFValue[a];
for (b = 0; b < 69; b++)
{
passwd[4] = BFValue[b];
for (c = 0; c < 69; c++)
{
passwd[3] = BFValue[c];
for (d = 0; d < 69; d++) {
passwd[2] = BFValue[d];
for (e = 0; e < 69; e++) {
passwd[1] = BFValue[e];
for (f = 1; f < 69; f++) {
passwd[0] = BFValue[f];
//printf("nPasswd : %snn", passwd);
//printf("ncryptSalt : %snn", cryptSalt);
//printf("userName : %snn", hashID);
//printf("noroginHash : %snn", originHash);
printf("%s, %sn", passwd, userName);
//printf("%d, n", strcmp(originHash, crypt(passwd, cryptSalt)));
if (!strcmp(originHash, crypt(passwd, cryptSalt))) {
printf("n");
printf("[-] User Name : %s, Password : %sn", userName, passwd);
printf("n");
return 1;
}
}
}
}
}
}
}
return 0;
//printf("n[-] Decryption Failednn");
}
int main(int argc, char* argv[]) {
FILE* fd = NULL; // Shadow File Descripter
int i = 0; // Tempory Loop variable
char shadow[100][500] = { '' }; // List of Shadow File
char userName[30]; // User Name
int shadowIdx; // User name index in Shadow File
char* ptr; // Tempory char pointer
char *id; // User ID
char *hash, *hashID, *hashSalt, *hashValue;
char cryptSalt[100] = "$";
char originHash[500];
if (argc < 3) {
printf("n[!] Usage >>> sudo ./yu_cracker [Shadow File] [User Name]nn");
exit(1);
}
else if (argc == 3) {
fd = fopen(argv[1], "r");
if (fd == NULL) {
printf("n[!] Can't find Shadow File!!!nn");
exit(1);
}
while (!feof(fd)) {
fgets(shadow[i], 500, fd);
i++;
}
strcpy(userName, argv[2]); // Get User name
shadowIdx = findShadowIndex(userName, shadow);
if (!shadowIdx) {
printf("n[!] Can't find user name in Shadow Filenn");
exit(1);
}
id = strtok(shadow[shadowIdx - 1], ":");
hash = strtok(NULL, ":");
strcpy(originHash, hash);
hashID = strtok(hash, "$");
hashSalt = strtok(NULL, "$");
strcat(cryptSalt, hashID);
strcat(cryptSalt, "$");
strcat(cryptSalt, hashSalt);
hashValue = strtok(NULL, "$");
printf("[+] Origin Hash >>> %snn", originHash);
printf("[+] Hash ID >>> %sn", hashID);
printf("[+] Salt >>> %sn", cryptSalt);
printf("[+] Hash Value >>> %snn", hashValue);
int result = bruteForcing(originHash, cryptSalt, userName);
} else {
return 1;
}
}

我希望这回答了您的所有问题!

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium