-
patch for crunch.c
There exists a bug in crunch version 1.8 where junk characters from memory will be output because of improper string initialization.
For example: ./crunch 1 1 abcdefghijklmnopqrstuvwxyz0123456789 will output 37 lines, the last one being junk from memory. The problem exists with any length of output chosen. If you modify the charset then sometimes memory will be initialized in a way that this issue won't be seen (for example, calloc might jump to memory a few bytes forward).
Here is a patch:
Code:
--- crunch.c_orig 2010-01-26 16:16:50.000000000 -0600
+++ crunch.c 2010-01-26 16:18:55.000000000 -0600
@@ -272,7 +272,7 @@
FILE *optr; /* ptr to output file */
errno=0;
- block = (char*) calloc(end,sizeof(char)); /* block can't be bigger than max size */
+ block = (char*) calloc(end+1,sizeof(char)); /* block can't be bigger than max size */
if (block == NULL) {
printf("crunch: can't allocate memory for block\n");
exit(EXIT_FAILURE);
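Review bot: the comment on the changed calloc line still reads "block can't be bigger than max size", which does not explain the size now that the allocation is end+1. Say in the comment that the extra byte holds the terminating NUL, so a later cleanup does not remove it. The cast on calloc's return value is not needed in C and can be dropped at the same time.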
@@ -492,7 +492,7 @@
}
if ((argc >= 4) && (strncmp(argv[3],"-",1) != 0)) { /*test for ./crunch 1 2 -? */
- charset = (char*) calloc(strlen(argv[3]),sizeof(char)); /* user specified charset */
+ charset = (char*) calloc(strlen(argv[3])+1,sizeof(char)); /* user specified charset */
if (charset == NULL) {
printf("crunch: can't allocate memory for charset\n");
return -1;
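The off-by-one described in this first post, as an added example that is not part of the thread or of crunch's source. `copy_charset`, `terminated_within` and `check_case` are hypothetical names, and the `memcpy` copy is an assumption, since the thread does not show how crunch fills the buffer. It checks whether a NUL exists inside the allocation rather than reading past it.

```c
/* Added example; not crunch's source. Function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocate strlen(src)+extra zeroed bytes and copy the characters in.
 * extra=0 mirrors the pre-patch calloc(strlen(argv[3]), ...);
 * extra=1 mirrors the patched call. *cap receives the allocation size. */
static char *copy_charset(const char *src, size_t extra, size_t *cap)
{
    size_t len = strlen(src);
    char *buf;

    *cap = len + extra;
    buf = calloc(*cap, sizeof(char));
    if (buf != NULL)
        memcpy(buf, src, len);      /* assumed copy: writes no terminator */
    return buf;
}

/* 1 if a NUL lies inside the allocation, 0 if string functions such as
 * strlen() or printf("%s") would have to read past its end to find one. */
static int terminated_within(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Runs one case; returns terminated_within(), or -1 if allocation failed. */
static int check_case(const char *src, size_t extra)
{
    size_t cap;
    char *buf = copy_charset(src, extra, &cap);
    int ok;

    if (buf == NULL)
        return -1;
    ok = terminated_within(buf, cap);
    free(buf);
    return ok;
}

int main(void)
{
    const char *cs = "abcdefghijklmnopqrstuvwxyz0123456789"; /* charset from the post */

    printf("calloc(len):   terminated=%d\n", check_case(cs, 0));
    printf("calloc(len+1): terminated=%d\n", check_case(cs, 1));
    return 0;
}
```

With no terminator inside the buffer, where a string read stops depends on whatever bytes follow the allocation, which matches the post's observation that the junk line only shows up with some charsets.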
-
Re: patch for crunch.c
Cool, I'll review, test and add it.
-
Re: patch for crunch.c
How odd I missed that. The patch works for me and I have applied it to my copy. I have also made a slight improvement to crunch. There are two permute functions and I was able to get it down to one. This post has led me to do some additional tests and I found a few more minor problems. Pureh@te can add the patch and deploy it while I continue to work on these bugs.
Thanks,
-
Re: patch for crunch.c
Rock on, thanks for the work bofh28.
-
Re: patch for crunch.c
Please link me to the sources you used to patch. I can not seem to make it apply to the source I have in the repo.
EDIT: So looks like 1.8 is the latest version but I can not get the patch to apply. Can you show me what -p option you are using or just the whole command rather?
-
Re: patch for crunch.c
Oops, I pasted the diff, not the patch. This should work (cd /pentest/passwords/crunch && patch -p1 -i crunch.patch):
Code:
diff -crB crunch/crunch.c crunch2/crunch.c
*** crunch/crunch.c 2010-01-26 16:16:50.000000000 -0600
--- crunch2/crunch.c 2010-01-26 22:31:33.000000000 -0600
***************
*** 272,278 ****
FILE *optr; /* ptr to output file */
errno=0;
! block = (char*) calloc(end,sizeof(char)); /* block can't be bigger than max size */
if (block == NULL) {
printf("crunch: can't allocate memory for block\n");
exit(EXIT_FAILURE);
--- 272,278 ----
FILE *optr; /* ptr to output file */
errno=0;
! block = (char*) calloc(end+1,sizeof(char)); /* block can't be bigger than max size */
if (block == NULL) {
printf("crunch: can't allocate memory for block\n");
exit(EXIT_FAILURE);
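Review bot: end+1 on the changed line is computed with no range check visible in this hunk. The declaration of end is outside it, so confirm the addition cannot wrap, or reject an oversized end before the call; a wrapped value would make calloc return a buffer far smaller than intended.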
***************
*** 492,498 ****
}
if ((argc >= 4) && (strncmp(argv[3],"-",1) != 0)) { /*test for ./crunch 1 2 -? */
! charset = (char*) calloc(strlen(argv[3]),sizeof(char)); /* user specified charset */
if (charset == NULL) {
printf("crunch: can't allocate memory for charset\n");
return -1;
--- 492,498 ----
}
if ((argc >= 4) && (strncmp(argv[3],"-",1) != 0)) { /*test for ./crunch 1 2 -? */
! charset = (char*) calloc(strlen(argv[3])+1,sizeof(char)); /* user specified charset */
if (charset == NULL) {
printf("crunch: can't allocate memory for charset\n");
return -1;
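Review bot: on the changed charset line the extra byte only helps if the copy that follows leaves it zero. That copy is outside this hunk, so check that it writes at most strlen(argv[3]) bytes. The two failure paths also differ, return -1 here and exit(EXIT_FAILURE) in the block hunk; picking one keeps the error handling uniform.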
-
Re: patch for crunch.c
Sorry, feel like the answer should be right in front of me, but patching isn't working for me...
/pentest/passwords/crunch# patch -p1 -i crunch.patch
Code:
patching file crunch.c
Hunk #1 FAILED at 272.
Hunk #2 FAILED at 492.
2 out of 2 hunks FAILED -- saving rejects to file crunch.c.rej
Thanks in advance.
-
Re: patch for crunch.c
I have applied the patch to the package in the repo, so just hang on a day or so for the update.
-
Re: patch for crunch.c
How could I get a file from crunch with words of 24 char without an n number of repeated char, for ex. not a word like aaaabbbbccccddddddeeeeee? crunch generates a lot of non-useful words like aaaaaaaaaaaaaaaaaaaaaaaa.
-
Re: patch for crunch.c
You can't. crunch will generate every combination of letters that you specify. You could try the -p option, which will generate permutations instead of combinations, but it only generates words the length of the character set, i.e. if you use the lower case alphabet for the English language, that is 26 characters, so the length of the resulting words will also be 26. I am not sure it is possible to do permutations that are shorter than the input character set.