11
This commit is contained in:
116
4/level11/level11.c
Normal file
116
4/level11/level11.c
Normal file
@@ -0,0 +1,116 @@
|
||||
// gcc -o level11 -no-pie -fstack-protector-all level11.c
|
||||
#include <arpa/inet.h>
|
||||
#include <errno.h>
|
||||
#include <signal.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
|
||||
const uint16_t port = 4011;
|
||||
|
||||
void win(int fd) {
|
||||
// Connect stdin and stdout to the client socket,
|
||||
// so they can interact with the shell.
|
||||
dup2(fd, STDIN_FILENO);
|
||||
dup2(fd, STDOUT_FILENO);
|
||||
dup2(fd, STDERR_FILENO);
|
||||
|
||||
char *argv[2];
|
||||
argv[0] = "/bin/sh";
|
||||
argv[1] = NULL;
|
||||
execve(argv[0], argv, NULL);
|
||||
}
|
||||
|
||||
void prompt(int fd) {
|
||||
char buffer[32];
|
||||
send(fd, "What do you want to talk about?\n", 32, 0);
|
||||
recv(fd, buffer, 120, 0);
|
||||
}
|
||||
|
||||
void vuln(int fd) {
|
||||
prompt(fd);
|
||||
send(fd, "Bye.\n", 5, 0);
|
||||
}
|
||||
|
||||
// forking socket server with help from
|
||||
// https://github.com/pwning/docs/blob/master/fork_accept.c
|
||||
int main(int argc, char **argv) {
|
||||
// Setting the SIGCHLD handler to SIG_IGN prevents child
|
||||
// processes from becoming zombies (so you do not need to
|
||||
// call wait() on them).
|
||||
if (signal(SIGCHLD, SIG_IGN) == SIG_ERR) {
|
||||
fputs("Failed to set SIGCHLD handler.", stderr);
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Create server socket.
|
||||
int server_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
||||
if (server_sock < 0) {
|
||||
perror("socket");
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Set SO_REUSEADDR. Otherwise, if the server crashes for
|
||||
// any reason, you will have to wait for sockets to time
|
||||
// out before you can reuse the port.
|
||||
int opt = 1;
|
||||
if (setsockopt(server_sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) !=
|
||||
0) {
|
||||
perror("setsockopt");
|
||||
return 1;
|
||||
}
|
||||
|
||||
struct sockaddr_in listen_addr = {0};
|
||||
bzero((char *)&listen_addr, sizeof(listen_addr));
|
||||
listen_addr.sin_family = AF_INET;
|
||||
listen_addr.sin_port = htons(port);
|
||||
if (inet_pton(AF_INET, "127.0.0.1", &listen_addr.sin_addr) <= 0) {
|
||||
perror("inet_pton");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (bind(server_sock, (struct sockaddr *)&listen_addr, sizeof(listen_addr)) !=
|
||||
0) {
|
||||
perror("bind");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (listen(server_sock, 5) != 0) {
|
||||
perror("listen");
|
||||
return 1;
|
||||
}
|
||||
|
||||
int client_sock;
|
||||
pid_t child_pid;
|
||||
while (1) {
|
||||
client_sock = accept(server_sock, NULL, NULL);
|
||||
if (client_sock < 0) {
|
||||
perror("accept");
|
||||
continue;
|
||||
}
|
||||
|
||||
child_pid = fork();
|
||||
if (!child_pid) {
|
||||
// Avoid tons of long-running processes sticking around.
|
||||
alarm(30);
|
||||
|
||||
// If you do not close the socket fd, someone who
|
||||
// exploits the service could call accept() on it and
|
||||
// hijack other people's connections.
|
||||
close(server_sock);
|
||||
|
||||
// Call the vulnerable code with the client socket.
|
||||
vuln(client_sock);
|
||||
close(client_sock);
|
||||
return 0;
|
||||
} else {
|
||||
// If you forget to close the client fd, you could run
|
||||
// out of file descriptors.
|
||||
close(client_sock);
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
Reference in New Issue
Block a user