Skip to content

Instantly share code, notes, and snippets.

@jonathanmarvens

jonathanmarvens/buffer-overrun-001.c

Created July 13, 2014 01:00
Show Gist options
  • Save jonathanmarvens/edf1cbef63471a369338 to your computer and use it in GitHub Desktop.
Save jonathanmarvens/edf1cbef63471a369338 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
buffer-overrun-001.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <signal.h>
#define PORT "7777" // the port users will be connecting to
#define BACKLOG 10 // how many pending connections queue will hold
void
vulnerable(char *net_buffer) {
char local_buffer[120];
strcpy(local_buffer, net_buffer);
return;
}
void
sigchld_handler(int s) {
while(waitpid(-1, NULL, WNOHANG) > 0);
}
// get sockaddr, IPv4 or IPv6:
void *
get_in_addr(struct sockaddr *sa) {
if (sa->sa_family == AF_INET) {
return &(((struct sockaddr_in *) sa)->sin_addr);
}
return &(((struct sockaddr_in6 *) sa)->sin6_addr);
}
int
main(void) {
int sockfd, new_fd; // listen on sock_fd, new connection on new_fd
struct addrinfo hints, *servinfo, *p;
struct sockaddr_storage their_addr; // connector's address information
socklen_t sin_size;
struct sigaction sa;
int yes = 1;
char in_buffer[20], out_buffer[20], net_buffer[2048];
char s[INET6_ADDRSTRLEN];
int rv;
memset(&hints, 0, sizeof hints);
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_PASSIVE; // use my IP
if ((rv = getaddrinfo(
NULL,
PORT,
&hints,
&servinfo
)) != 0) {
fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rv));
return 1;
}
// loop through all the results and bind to the first we can
for(p = servinfo; p != NULL; p = p->ai_next) {
if ((sockfd = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) {
perror("server: socket");
continue;
}
if (setsockopt(
sockfd,
SOL_SOCKET,
SO_REUSEADDR,
&yes,
sizeof(int)
) == -1) {
perror("setsockopt");
exit(1);
}
if (bind(sockfd, p->ai_addr, p->ai_addrlen) == -1) {
close(sockfd);
perror("server: bind");
continue;
}
break;
}
if (p == NULL) {
fprintf(stderr, "server: failed to bind\n");
return 2;
}
freeaddrinfo(servinfo); // all done with this structure
if (listen(sockfd, BACKLOG) == -1) {
perror("listen");
exit(1);
}
sa.sa_handler = sigchld_handler; // reap all dead processes
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_RESTART;
if (sigaction(SIGCHLD, &sa, NULL) == -1) {
perror("sigaction");
exit(1);
}
printf("server: waiting for connections...\n");
while(1) { // main accept() loop
sin_size = sizeof(their_addr);
new_fd = accept(sockfd, (struct sockaddr *) &their_addr, &sin_size);
if (new_fd == -1) {
perror("accept");
continue;
}
inet_ntop(
their_addr.ss_family,
get_in_addr((struct sockaddr *) &their_addr),
s,
sizeof(s)
);
printf("server: got connection from %s\n", s);
if (! fork()) { // this is the child process
close(sockfd); // child doesn't need the listener
memset(net_buffer, 0, 1024);
strcpy(out_buffer, "HELO\nCOMMAND:");
if (send(new_fd, out_buffer, strlen(out_buffer), 0) == -1) {
perror("send");
}
if (recv(
new_fd,
net_buffer,
1024,
0
)) {
vulnerable(net_buffer);
strcpy(out_buffer, "RECV: ");
strcat(out_buffer, net_buffer);
send(new_fd, out_buffer, strlen(out_buffer), 0);
}
close(new_fd);
exit(0);
}
close(new_fd); // parent doesn't need this
}
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment