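#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>

#define MAX_LINE 10
#define LISTENQ 100
#define INIT_VALUE 0

#include <netinet/in.h>

int sampleGlobal;

/*
 * A demonstration of vulnerable buffer code; the system version (read)
 * checks the length against a calling parameter.
 */
int badRead( int fd, char *buf );

/*
 * TCP echo server used to observe what an unbounded copy does to the
 * objects that sit next to the destination buffer.
 *
 * It prints the addresses of its functions, a global, its locals and two
 * heap blocks, binds to the first free port at or above 6789, and then, for
 * each connection, reads one line with badRead(), echoes it back, and prints
 * the neighbouring locals next to the value they were initialised with.
 *
 * Returns 1 if no socket can be created or no port can be bound; otherwise
 * it serves connections until the process is killed.
 */
int main(int argc, char **argv)
{
    int welcomeSocket, connectionSocket, bytesRead, baseport = 6789;
    /* Zero the whole structure so sin_zero is not left indeterminate. */
    struct sockaddr_in servaddr = {0};

    /*
     * The declaration order below is deliberate: clientSentence is the
     * buffer badRead() fills, and the pre/post variables are never written
     * after initialisation, so any change in them is visible in the output.
     * The compiler decides the real stack layout; the addresses printed
     * below show it.
     */
    int preTargetInt = INIT_VALUE;
    char preTargetString[MAX_LINE] = "";
    char clientSentence[MAX_LINE];
    char postTargetString[MAX_LINE] = "";
    int postTargetInt = INIT_VALUE;
    char * heapString, *heapString2;

    (void)argc;
    (void)argv;

    servaddr.sin_family = AF_INET;
    /*
     * INADDR_ANY: the listener accepts connections on every interface, so
     * the unbounded copy in badRead() is reachable from any host that can
     * route to this port.
     */
    servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
    servaddr.sin_port = htons(baseport);

    /* Allocated only so their addresses can be printed; never written. */
    heapString = malloc(MAX_LINE*sizeof(char));
    heapString2 = malloc(MAX_LINE*sizeof(char));

    /* %p expects a void *, hence the casts. */
    printf("Address of the main function is: %p\n", (void *)&main);
    printf("Address of the badRead function is: %p\n", (void *)&badRead);
    printf("Address of the global, sampleGlobal is: %p\n", (void *)&sampleGlobal);
    printf("Address of the local, preTargetInt is: %p\n", (void *)&preTargetInt);
    printf("Address of the local, postTargetInt is: %p\n", (void *)&postTargetInt);
    /* Printed twice on purpose: &array and array are the same address. */
    printf("Address of the local, clientSentence is: %p\n", (void *)&clientSentence);
    printf("Address of the local, clientSentence is: %p\n", (void *)clientSentence);
    printf("Address of the local, preTargetString is: %p\n", (void *)&preTargetString);
    printf("Address of the local, postTargetString is: %p\n", (void *)&postTargetString);
    printf("Address of first heap allocated string is: %p\n", (void *)heapString);
    printf("Address of second heap allocated string is: %p\n", (void *)heapString2);

    welcomeSocket = socket(AF_INET, SOCK_STREAM, 0);
    if (welcomeSocket < 0) {
        /* Without this check bind() fails on every port and the loop below never ends. */
        perror("socket");
        return 1;
    }

    /* Walk upwards from baseport until a port can be bound. */
    while( bind(welcomeSocket, (struct sockaddr *) &servaddr, sizeof(servaddr)) ) {
        if (baseport >= 65535) {
            /* htons() would wrap past the last valid port number. */
            perror("bind");
            close(welcomeSocket);
            return 1;
        }
        baseport++;
        servaddr.sin_port = htons(baseport);
    }
    printf( "Bound to port %i\n", baseport );

    listen(welcomeSocket, LISTENQ);

    while(1) {
        connectionSocket = accept(welcomeSocket, (struct sockaddr *) NULL, NULL);
        if (connectionSocket < 0) {
            perror("accept");
            continue;
        }
        printf("\nNew connection made.........\n");

        /*
         * Bounded alternative: read() never stores more than MAX_LINE bytes
         * (it does not NUL-terminate what it stores).
         *
         * bytesRead = read(connectionSocket, clientSentence, MAX_LINE);
         */
        bytesRead = badRead(connectionSocket, clientSentence);

        /* PUT A BREAK POINT ON THE NEXT LINE - AFTER badRead */
        printf( "Recieved: %s, reported length: %i\n", clientSentence, bytesRead );

        write(connectionSocket, clientSentence, bytesRead);
        write(connectionSocket, "\n", 1);
        close(connectionSocket);

        /* A value that differs from INIT_VALUE, or a non-empty string, means
           badRead() wrote outside clientSentence. */
        printf( "preTargetInt is: %i, it should be %i \n", preTargetInt, INIT_VALUE );
        printf( "postTargetInt is: %i, it should be %i \n", postTargetInt, INIT_VALUE );
        printf( "preTargetString: %s\n", preTargetString );
        printf( "postTargetString: %s\n", postTargetString );
    }

    /* Not reached: the accept loop above never exits. */
    close(welcomeSocket);
    return 0;
}

/*
 * A demonstration of vulnerable buffer code; the system version (read)
 * checks the length against a calling parameter.
 *
 * Reads one byte at a time from fd into buf until '\n' or '\r' arrives,
 * stores a NUL in place of that terminator, and returns the number of bytes
 * stored before the NUL. If the peer closes the connection or read() fails
 * before a terminator arrives, the bytes stored so far are NUL-terminated
 * and their count is returned.
 *
 * The function has no capacity parameter: every byte is stored at
 * buf + length no matter how large buf is, so a line longer than the
 * caller's buffer (MAX_LINE bytes in main) is written past its end. That is
 * the defect this file demonstrates and it is kept as is. A bounded version
 * takes the buffer size as a third argument and stops storing at size - 1,
 * the way read() honours its count argument.
 */
int badRead( int fd, char *buf )
{
    char c;
    int size, length = 0;

    printf("Address of the local, c is: %p\n", (void *)&c);
    printf("Address of the local, size is: %p\n", (void *)&size);
    printf("Address of the local, length is: %p\n", (void *)&length);

    while(1) {
        /* read a single character from the socket */
        /* PUT A BREAK POINT ON THE NEXT LINE
             print buf
             print x/60c buf
           associate this with breakpoint with
             command
             print buf
             print x/60c buf
             end
        */
        size = read(fd, &c, 1);
        if (size != 1) {
            /* End of stream or error: read() would keep returning the same
               result, so stop here instead of spinning forever. */
            break;
        }

        /* make sure we aren't actually done reading */
        if( c == '\n' || c == '\r' ) {
            break;
        }

        /* Deliberately unbounded store: length is never compared with the
           size of buf. */
        *(buf + length) = c;
        length++;
    }

    *(buf + length) = '\0';
    return length;
}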