vuln.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
// One page (4096 bytes). handle_conn() uses this as the length for both
// read() and memcpy(), although its stack buffer is only 0x400 bytes.
#define PAGE_SIZE 0x1000
// TCP port the service listens on.
#define PORT 7777
// in .bss
// Two-page global staging buffer. As an uninitialized file-scope array it
// starts zero-filled. handle_conn() overwrites the first page and welcome()
// treats the buffer as a NUL-terminated string when echoing it back.
char data[PAGE_SIZE * 2];
// Forward declarations for the functions defined below.
void init();
void handle_error(char *);
int handle_conn(int);
int welcome(int);
/*
 * Create the listening TCP socket on PORT and serve clients forever.
 *
 * Connections are handled one at a time, in the calling thread. Every
 * failure (socket, setsockopt, bind, listen, accept) goes through
 * handle_error(), which terminates the process, so this function does not
 * return on the normal path.
 *
 * NOTE(review): the socket is bound to INADDR_ANY, i.e. every interface.
 * handle_conn() contains an unbounded read and the greeting in welcome()
 * says the program runs as root, so this binary should only be started on
 * an isolated lab host.
 */
void init()
{
    struct sockaddr_in addr;
    int reuse = 1;
    int addr_len = sizeof(struct sockaddr);
    int listener;
    int client;

    /* IPv4, fixed port, any local address. */
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr = INADDR_ANY;

    listener = socket(AF_INET, SOCK_STREAM, 0);
    if (listener < 0) {
        handle_error("socket failed\n");
    }

    /* Allow a quick restart on the same port. */
    if (setsockopt(listener, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(int)) == -1) {
        handle_error("setsockopt failed\n");
    }

    if (bind(listener, (struct sockaddr *)&addr, addr_len) != 0) {
        handle_error("bind failed\n");
    }

    /* Backlog of 3 pending connections. */
    if (listen(listener, 3) < 0) {
        handle_error("listen failed\n");
    }

    for (;;) {
        /* The peer address is not requested. */
        client = accept(listener, (struct sockaddr *)NULL, NULL);
        if (client < 0) {
            handle_error("accept failed\n");
        }
        handle_conn(client);
    }
}
/*
 * Serve one client: read its request, stage it in the global `data` buffer,
 * send the greeting plus an echo via welcome(), then close the socket.
 * Always returns 0.
 *
 * SECURITY (this is the defect the file is named for; the code is left
 * unchanged here):
 *  - Stack buffer overflow: `input` holds 0x400 bytes but read() is allowed
 *    to store up to PAGE_SIZE (0x1000) bytes, so a client can write up to
 *    0xC00 bytes past the end of the array, over whatever the compiler
 *    placed above it in this frame and in the callers' frames.
 *  - Out-of-bounds read: memcpy() always copies PAGE_SIZE bytes out of the
 *    0x400-byte array, whatever read() returned. Stack contents beyond
 *    `input`, and uninitialized bytes of `input` after a short read, end up
 *    in `data`, which welcome() echoes to the client up to the first NUL
 *    byte (an information leak).
 *  - Precedence bug: `<` binds tighter than `=`, so `amt` receives the 0/1
 *    result of the comparison rather than the byte count. The error branch
 *    still fires when read() returns a negative value.
 *
 * A bounded version would pass sizeof input to read(), keep the result in
 * an ssize_t, and copy only that many bytes. Building with a stack
 * protector would turn the overflow into an abort rather than silent
 * corruption.
 */
int handle_conn(int c)
{
char input[0x400];
int amt;
// too large data !!! -- the length is PAGE_SIZE (0x1000), not sizeof input (0x400)
if((amt = read(c, input, PAGE_SIZE) < 0)) {
handle_error("receive failed\n");
}
// copies a full page from the 0x400-byte stack array, whatever was received
memcpy(data, input, PAGE_SIZE);
welcome(c);
close(c);
return 0;
}
/*
 * Send the fixed greeting to the client on descriptor `c`, followed by the
 * contents of the global `data` buffer up to its first NUL byte.
 * Always returns 0; a failed second write terminates the process through
 * handle_error().
 *
 * NOTE(review): the result of the first write() is ignored, and neither
 * call retries after a short write. `data` is filled by handle_conn() with
 * a full page copied from its stack buffer, so the echo can contain stack
 * bytes the client never sent. Only the first page of `data` is ever
 * written in this file, so strlen() stops inside the buffer.
 */
int welcome(int c)
{
    const char *banner = "I'm vulnerable program running with root priviledges!!\nPlease do not exploit me";
    int sent;

    /* Greeting first; its return value is not checked. */
    write(c, banner, strlen(banner));

    /* Then echo the staged request as a C string. */
    sent = write(c, data, strlen(data));
    if (sent < 0) {
        handle_error("send failed\n");
    }

    return 0;
}
/*
 * Fatal-error helper: print `msg` together with the current errno text via
 * perror(), then terminate the whole process. It never returns.
 *
 * The callers in this file pass messages ending in "\n", so the errno text
 * perror() appends appears on the following line. exit(-1) is reported to
 * the parent as status 255 on POSIX systems.
 */
void handle_error(char *msg)
{
    const int fatal_status = -1;

    perror(msg);
    exit(fatal_status);
}
/*
 * Not called anywhere in this file. The body is two inline-asm statements
 * that load 0xf into %rax and then execute a bare `retq`.
 *
 * 0xf (15) is the x86-64 Linux syscall number of rt_sigreturn, so this
 * function presumably exists only to place that instruction sequence in the
 * binary's text segment for the exercise built around the overflow in
 * handle_conn().
 *
 * NOTE(review): the asm declares no clobbers and the `retq` bypasses
 * whatever epilogue the compiler emits, so calling this as an ordinary C
 * function is not safe. Production code should not contain helper
 * sequences like this.
 */
void gadget()
{
asm("mov $0xf,%rax\n");
asm("retq\n");
}
/*
 * Program entry point: hand control to init(), which sets up the listener
 * and runs the accept loop. The return statement is only reached if init()
 * returns, which it does not do on the normal path.
 */
int main()
{
    /* Start the server; blocks in the accept loop. */
    init();

    return 0;
}