xorl %eax, %eax

Archive for the ‘C programming’ Category

C Quiz No. 2

with one comment

Continuing from the first one back in 2009, here is another that a friend of mine send me yesterday.

The concept is that you are free to put whatever you want in do_your_stuff() in order to make it print “win” from function do_my_stuff().

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>

void 
do_your_stuff(void)
{
	// do whatever you want
}

void 
do_my_stuff(void)
{
	char c[100];
	unsigned int i, r_index;

	srand(time(NULL));
	for(i = 0; i<1000; i++)
		r_index = rand() % (sizeof(c) - 1);

	printf("c[%u] = %02x\n", r_index, c[r_index]);

	if (c[r_index] == 0x20)
		printf("win!\n");
	else
		printf("fail\n");
	
	return;
}

int 
main(void)
{
	do_your_stuff();
	do_my_stuff();
	return 0;
}

Instantly I came up with a quite simple solution that exploits the concept of uninitialized stack that it’s being used.

void 
do_your_stuff(void)
{
	char buf[2048]; int i;
	for(i=0; i<sizeof(buf); i++) buf[i] = 0x20;
}

Which it works…

$ ./cquiz2
c[98] = 00
fail
$ ./cquiz2
c[81] = 7f
fail
$ gcc -Wall -Werror --std=c99 cquiz2.c -o cquiz_sol
$ ./cquiz_sol
c[43] = 20
win!
$ ./cquiz_sol
c[54] = 20
win!
$

I found it fun so if you have any other solutions feel free to comment on this post.

Advertisements

Written by xorl

May 18, 2013 at 16:44

Posted in C programming, fun

irssi CTCP VERSION patch

with 4 comments

Well, I couldn’t sleep and I wrote a tiny little patch for irssi that changes the CTCP VERSION replies at will using a file at ~/.irssi/. It’s not anything special but if anyone is interested it’s this…

--- src/irc/core/ctcp.h 2009-03-31 23:50:02.000000000 +0300
+++ src/irc/core/ctcp.h.new     2009-04-25 05:57:49.000000000 +0300
@@ -1,6 +1,9 @@
 #ifndef __CTCP_H
 #define __CTCP_H

+#define FUCKING_CTCP_VER_FILE "/home/xorl/.irssi/os_huhu_file.txt"
+#define AWESOMENESS 313
+
 /* Register/unregister CTCP command, so it shows in CTCP CLIENTINFO */
 void ctcp_register(const char *name);
 void ctcp_unregister(const char *name);

--- src/irc/core/ctcp.c 2009-03-31 23:50:02.000000000 +0300
+++ src/irc/core/ctcp.c.new     2009-04-25 05:57:43.000000000 +0300
@@ -29,14 +29,42 @@
 #include "servers-idle.h"
 #include "ignore.h"
 #include "ctcp.h"
+#include <sys/types.h>

 typedef struct {
        char *name;
         int refcount;
 } CTCP_CMD_REC;

+static unsigned char ctcp_os_version_buf[AWESOMENESS];
 static GSList *ctcp_cmds;

+static void
+are_you_talking_to_me(void)
+{
+       FILE *fd;
+       size_t len = 0;
+       unsigned char c;
+
+       memset(&ctcp_os_version_buf, 0, sizeof(ctcp_os_version_buf));
+       fd = fopen(FUCKING_CTCP_VER_FILE, "r");
+       if (fd == NULL)
+         snprintf(ctcp_os_version_buf, sizeof(ctcp_os_version_buf), "Choo Choo IRC");
+       else
+       {
+         do {
+               c = getc(fd);
+               ctcp_os_version_buf[len] = c;
+               len++;
+         } while (c != '\n' && c != EOF && len < sizeof(ctcp_os_version_buf));
+           ctcp_os_version_buf[--len] = '';
+       }
+
+       if (fd)
+         fclose(fd);
+       return;
+}
+
 static CTCP_CMD_REC *ctcp_cmd_find(const char *name)
 {
        GSList *tmp;
@@ -167,8 +195,8 @@ static void ctcp_send_parsed_reply(IRC_S
 static void ctcp_version(IRC_SERVER_REC *server, const char *data,
                         const char *nick)
 {
-       ctcp_send_parsed_reply(server, nick, "VERSION",
-                              settings_get_str("ctcp_version_reply"));
+       are_you_talking_to_me();
+       ctcp_send_parsed_reply(server, nick, "VERSION", ctcp_os_version_buf);
 }

 /* CTCP time */


I wrote it in 10 minutes or so.. So, it’s not perfect. Nevertheless, if you want to use it then you’ll have to compile it with 0.8.13 release of irssi.

P.S.: ithilgore… no bzero() man :-P

P.S.2: I just realized that wordpress parses and removes the NULL (slash zero) character. Look at ctcp_os_version_buf[–len] = ”; there was a slash zero there… lol

Written by xorl

April 25, 2009 at 03:09

Function Re-Ordering (Software Engineering)

leave a comment »

Well, this is not one of my favorite concepts but I came across a really interesting (and old but that’s irrelevant) thread from Linux kernel developers. It seems like function reordering works. Of course, everyone should be expecting this when you have projects like operating system’s kernel which is composed by million lines of code. Jumps through different code paths can be more efficient if they’ve implemented with short jumps which means that functions are close to each other in the machine code. Even though modern processors provide features such as branch prediction I still believe it’s a good software engineering practice to order your functions according to their use.

Written by xorl

March 11, 2009 at 15:22

Posted in C programming

NULL… Just an address

with one comment

Recently I was reading a thread of people discussing NULL pointer dereference exploitation and said numerous _stupid_ things like “it strictly depends on the CPU architecture“, “it can only be DoS” etc. Well, for sure not all NULL pointer dereferences are exploitable but it’s kind of funny that people don’t get concepts which are publicly available at least since 1994. For example, the first release of the Openwall Linux had protection against mapping of NULL, there are public exploit codes that use this technique at least since 1994. Even basic operating systems design books or can tell you that NULL is just some constant of your choice. On most modern operating systems this address is usually 0 but this is not always the case.
In addition, recently the Linux kernel provided a security patch against malicious mappings on the first pages but this can break emulators so it is optional from the procfs. Its name is MMAP_MIN_ADDR and it can be found under /proc/sys/vm/ in newer kernels.
Anyway, here is a completely stupid code to demonstrate that NULL is nothing more than a valid location on the first page of the system.

#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

int
main(void)
{
 char *ptr, data[25];
 sprintf(data, "Hello world from NULL.");

 ptr = mmap(NULL, sizeof(data), PROT_READ|PROT_WRITE, \
            MAP_ANONYMOUS|MAP_FIXED|MAP_SHARED,       \
 	   -1, 0);

 if (ptr == (void *)-1)
 {
    printf("fail @ mmap\n");
    return -1;
 }

 memcpy(ptr, data, sizeof(data));

 /* LOOK AT THIS PLEASE */
 printf("%s\n", NULL);

 munmap(NULL, sizeof(data));
 return 0;
}


I know this is retarded but it’s just some stupid code to demonstrate that NULL is nothing special for the operating system. You can treat it as any other address, if a pointer dereference is exploitable then almost certainly the same pointer dereference would be exploitable if it was on NULL.

sh-3.1$ gcc -Wall crap.c -o crap
crap.c: In function ‘main’:
crap.c:24: warning: reading through null pointer (argument 2)
crap.c:24: warning: format ‘%s’ expects type ‘char *’, but argument 2 has type ‘void *’
sh-3.1$ ./crap
Hello world from NULL.
sh-3.1$

I just used -Wall to show that printf is actually reading from NULL which is a void * according to GCC. This is defined at linux/stddef.h like this:

#undef NULL
#if defined(__cplusplus)
#define NULL 0
#else
#define NULL ((void *)0)
#endif


Please people.. Stop treating NULL usage as something different than any other pointer dereference, dangling pointer, invalid pointer access etc. Apart from protections against mappings such as the Openwall, GRSecurity/PaX, mmap_min_addr etc. NULL has nothing different than any other pointer.

P.S. 1: I know that NULL pointer dereference stands for an offset from NULL but in most cases the same logic applies to those as well.

P.S. 2: Of course there are more elegant ways for doing this than the common mmap(2) call but this was just a demonstration.

Written by xorl

March 11, 2009 at 12:12

Posted in C programming, security

Funny C programming interview questions

with 14 comments

I was having a look at a really nice site which you can find here. It has numerous technical job interview questions. Most of them are just basic questions for programming, algorithms, mathematics, data structures, problem solving etc. but the last one from the C programming questions was pretty cool. It was this (hope it still is):

Are there legal ways of solving this problem? If there isn’t, can it be solved on some systems vs. others using non-standard means?

#include <stdio.h>
#include <stdlib.h>

void foo(void);

int main (void)
{       
        int i=2;
        foo();
        printf ("%d\n",i);
        return EXIT_SUCCESS;
}
void foo(void)
{
    // add code so that printf above prints d
}

The funny part about this is that the replies posted are crappy and say that there is no way of doing that!! Of course there is at least one way!!! :P Here is the easiest one..
Just trick foo() to get the into the old stack frame and change the value of variable ‘i‘ which can be easily found using an offset from the base pointer. Of course, my code works just on Linux/x86 but using some #ifdef you can make it support any platform you know. Here is the code:

#include <stdio.h>
#include <stdlib.h>

void foo(void);

int main (void)
{
        int i=2;
        foo();
        printf ("%d\n",i);
        return EXIT_SUCCESS;
}
void foo(void)
{
  __asm__("popl %ebp                     \n" /* get the stored base pointer         */
          "movl %ebp, %edx               \n" /* store it temporarily on EDX         */
          "movl $313, 0xfffffff8(%ebp)   \n" /* Insert whatever value you want on i */
          "movl %edx, %ebp               \n" /* restore the foo()'s base pointer    */
          "pushl %ebp"                    ); /* put back the original base pointer  */
}

And here it is on runtime:

sh-3.1$ gcc lol.c -o lol
sh-3.1$ ./lol
313
sh-3.1$

Of course there are more elegant ways for doing this but this was just a PoC to demonstrate that this is definitately feasible! :P

Message to the people who failed answering this question on a job interview:
Guys, I just hope you didn’t get the job! You suck!! :P Go back and study the essentials of systems’ programming now.

P.S.: Dear code auditors, I’m really really sorry for not posting anything interesting the past days but apart from the cool Adobe bug there was nothing notable to discuss. If you have any suggestions on recently disclosed vulnerabilities please contact me via email :)

Written by xorl

February 26, 2009 at 13:56

Posted in C programming, fun

C De-Obfuscation

leave a comment »

A lot of times I enjoy de-obfuscating popular obfuscated C codes since in most cases they use some really cool tricks. Here is a simple one I picked from IOCCC of 1984 (anonymous.c):

int i;main(){for(;i["]&lt;i;++i){--i;}"];read('-'-'-',i+++"hell\
o, world!\n",'/'/'/'));}read(j,i,p){write(j/p+p,i---j,i/i);}

At first it definitely looks obscure but if have a closer look you’ll see that it is just this:

int i;
main()
{ 
  for(; i["]&lt;i;++i){--i;}"]; read('-'-'-',i+++"hell\
  o, world!\n",'/'/'/'));
}

read(j,i,p)
{
   write(j/p+p, i---j, i/i);
}

Once again, some C programmers might find this difficult to understand. That’s because it uses a really clever condition statement trick in the for loop.  At last, here is the complete de-obfuscated code:

int i;
main()
{
  for( ;
       i["HELLO, WORLD!\n"];
       read(0, i++ + "hello, world!\n", 1)
    );
}

read(j, i, p)
{
   write(0, i--, 1);
}

It’s not that weird any more eh? That’s why I really like de-obfuscating C proggies :P

Written by xorl

February 23, 2009 at 01:18

Posted in C programming, fun

C Quiz No. 1

with 5 comments

This is a new category that I’m starting. You’re all welcome to express your ideas for the behavior of the programs. The first one is going to be really easy one.. So.. I have this nice prog.:

#include <stdio.h>

int
main(void)
{
  int *c;
  c = (int [4]){1,*c,3};
  printf("%d\n", c[3]);
  return 0;
}

But why do I get this output when I’m running it?

sh-3.1$ gcc quiz1.c -std=c99 -pedantic -Wall -o quiz1
sh-3.1$ ./quiz1
0
sh-3.1$

I believe that most C developers already know the answer.. Let’s see. In any case, I’m going to answer this question in about 36 hours from now :) Have fun!

Written by xorl

January 27, 2009 at 15:30

Posted in C programming, fun