Created
March 24, 2024 08:07
-
-
Save 7etsuo/a07529c4def45daac443eb93bf349803 to your computer and use it in GitHub Desktop.
Exploitable program
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * ______ _______ _________ _______ | |
| * / ___ \ ( ____ \\__ __/( ____ \|\ /| | |
| * \/ ) )| ( \/ ) ( | ( \/| ) ( | | |
| * / / | (__ | | | (_____ | | | | | |
| * / / | __) | | (_____ )| | | | | |
| * / / | ( | | ) || | | | | |
| * / / | (____/\ | | /\____) || (___) | | |
| * \_/ (_______/ )_( \_______)(_______) | |
| * | |
| */ | |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <winsock2.h> | |
| #include <ws2tcpip.h> | |
| #pragma warning(disable : 4996) // We use _CRT_SECURE_NO_WARNINGS here otherwise it will complain about using strcpy() | |
| #pragma comment(lib, "Ws2_32.lib") | |
| #define PORT 12345 | |
| #define BUFFER_SIZE 1024 | |
| #pragma optimize("", off) | |
| void gadget1(void) | |
| { | |
| __asm { | |
| mov[eax], ecx | |
| ret | |
| }; | |
| } | |
| void gadget2(void) | |
| { | |
| __asm { | |
| add eax, ecx | |
| ret | |
| }; | |
| } | |
| void gadget3(void) | |
| { | |
| __asm { | |
| neg eax | |
| ret | |
| }; | |
| } | |
| void gadget4(void) | |
| { | |
| __asm { | |
| inc eax | |
| ret | |
| }; | |
| } | |
| void gadget5(void) | |
| { | |
| __asm { | |
| mov eax, esi | |
| pop esi | |
| ret | |
| }; | |
| } | |
| void gadget6(void) | |
| { | |
| __asm { | |
| mov ecx, eax | |
| mov eax, esi | |
| pop esi | |
| retn 0x0010 | |
| }; | |
| } | |
| void gadget7(void) | |
| { | |
| __asm { | |
| pop eax | |
| ret | |
| }; | |
| } | |
| void gadget8(void) | |
| { | |
| __asm { | |
| pop ecx | |
| ret | |
| }; | |
| } | |
| void gadget9(void) | |
| { | |
| __asm { | |
| push eax | |
| pop esi | |
| ret | |
| }; | |
| } | |
| void gadgetA(void) | |
| { | |
| __asm { | |
| push esp | |
| pop esi | |
| ret | |
| }; | |
| } | |
| void gadgetB(void) | |
| { | |
| __asm { | |
| xchg eax, esp | |
| ret | |
| }; | |
| } | |
| void vulnerable(char* input, size_t size) | |
| { | |
| char buffer[128]; | |
| memcpy(buffer, input, size); // Vulnerable function call | |
| } | |
| int main(int argc, char** argv) | |
| { | |
| WSADATA wsaData; | |
| SOCKET listenSocket = INVALID_SOCKET, clientSocket = INVALID_SOCKET; | |
| struct sockaddr_in serverAddr; | |
| char recvBuffer[BUFFER_SIZE]; | |
| int recvSize; | |
| // Initialize Winsock | |
| if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) { | |
| printf("WSAStartup failed. Error: %d\n", WSAGetLastError()); | |
| return 1; | |
| } | |
| // Create a socket | |
| listenSocket = socket(AF_INET, SOCK_STREAM, 0); | |
| if (listenSocket == INVALID_SOCKET) { | |
| printf("Socket creation failed. Error: %d\n", WSAGetLastError()); | |
| WSACleanup(); | |
| return 1; | |
| } | |
| // Bind the socket | |
| serverAddr.sin_family = AF_INET; | |
| serverAddr.sin_addr.s_addr = INADDR_ANY; | |
| serverAddr.sin_port = htons(PORT); | |
| if (bind(listenSocket, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) == SOCKET_ERROR) { | |
| printf("Bind failed. Error: %d\n", WSAGetLastError()); | |
| closesocket(listenSocket); | |
| WSACleanup(); | |
| return 1; | |
| } | |
| // Listen for connections | |
| if (listen(listenSocket, SOMAXCONN) == SOCKET_ERROR) { | |
| printf("Listen failed. Error: %d\n", WSAGetLastError()); | |
| closesocket(listenSocket); | |
| WSACleanup(); | |
| return 1; | |
| } | |
| printf("Listening on port %d...\n", PORT); | |
| // Accept a client connection | |
| clientSocket = accept(listenSocket, NULL, NULL); | |
| if (clientSocket == INVALID_SOCKET) { | |
| printf("Accept failed. Error: %d\n", WSAGetLastError()); | |
| closesocket(listenSocket); | |
| WSACleanup(); | |
| return 1; | |
| } | |
| // Receive data from the client | |
| recvSize = recv(clientSocket, recvBuffer, BUFFER_SIZE - 1, 0); | |
| if (recvSize == SOCKET_ERROR) { | |
| printf("Recv failed. Error: %d\n", WSAGetLastError()); | |
| closesocket(clientSocket); | |
| closesocket(listenSocket); | |
| WSACleanup(); | |
| return 1; | |
| } | |
| recvBuffer[recvSize] = '\0'; // Null-terminate the received data | |
| // Process the received data | |
| vulnerable(recvBuffer, recvSize); | |
| printf("Executed normally\n"); | |
| // Cleanup | |
| closesocket(clientSocket); | |
| closesocket(listenSocket); | |
| WSACleanup(); | |
| return 0; | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment