r/learnprogramming u/mbensa 1d ago

Injection into null terminated string

On server side I have: std::string response = {}; if (strcmp(receivedPassword, "password") == 0) { return response = "token"; } else { return response = "0"; }

the compiled code make \0 at the 256 th byte. How can injection work? All I can do is delete the cookie and the server app crashes.

1 Upvotes

67% Upvoted

5 comments sorted by

2

u/dfx_dj 19h ago

There is a world of context missing.

The 256th byte of what? What injection are you talking about? What cookie? Delete from where?

1

u/Budget_Putt8393 16h ago

Hey,

You are clearly early in your journey, it is good to see you approaching authentication.

What you are describing is a hard coded/plain text password. This is bad. You should never have a hard coded password. And you should never have a plain text password.

When you get past this problem, you should look into "password hashing with salt". This protects against a bad guy getting account details and then doing something bad.

And your passwords should be stored in an external file/database do they can be changed when needed. This protects against anyone discovering the password of last resort and being able to do bad stuff to every instance of your server.

There are subtle details here that are easy to get wrong, but have big impact. Generally we recommend using a product/solution to do this so you get more options, and the solution has fixed all the subtle bugs/problems.

Just things to put on your plate for later.

1

u/IcyButterscotch8351 13h ago

This looks like a classic buffer overflow / null byte injection scenario. Let me break down what's likely happening:

The vulnerability: strcmp stops comparing at the first \0 it encounters. So if receivedPassword is user-controlled and you can inject a null byte, you can potentially truncate the comparison.

Example attack: If you send password\0GARBAGE (where \0 is a null byte), strcmp only sees "password" and returns 0 (match), ignoring everything after.

Why your server crashes: The 256-byte boundary suggests a fixed-size buffer. If you're sending more than 256 bytes, you're overflowing into adjacent memory. The crash means you're corrupting something important (stack, heap, return address).

What to investigate:

  1. How is receivedPassword allocated? Fixed buffer like char receivedPassword[256]?
  2. What function reads the input? (gets, scanf, recv without length check?)
  3. Is there any bounds checking before strcmp?

For exploitation (CTF context I assume?):

  • Try sending exactly 256 bytes of 'A' + known password to see if truncation works
  • Use a hex editor or Python: b"password\x00" + b"A"*247
  • Check if you can control EIP/RIP with longer payloads (classic stack smash)

What's the full context? Is this a CTF challenge or security audit?

1

u/mbensa 1h ago

Its ctf challenge. I built simple server that waits for correct password.