Remote format string!
/* * phoenix/final-one, by https://exploit.education * * Even more format string fun! * * The world's leading expert on European wasps walks into a record shop. He * asks the assistant “Do you have ‘European Vespidae Acoustics Volume 2? I * believe it was released this week.” * * “Certainly,” replies the assistant. “Would you like to listen before you buy * it?” * * "That would be wonderful," says the expert, and puts on a pair of * headphones. * * He listens for a few moments and says to the assistant, “I'm terribly sorry, * but I am the world's leading expert on European wasps and this is not * accurate at all. I don't recognize any of those sounds. Are you sure this is * the correct recording?” * * The assistant checks the turntable, and replies that it is indeed European * Vespidae Acoustics Volume 2. The assistant apologizes and lifts the needle * onto the next track. * * Again the expert listens for a few moments and then says to the assistant, * "No, this just can't be right! I've been an expert in this field for 43 * years and I still don't recognize any of these sounds." * * The assistant apologizes again and lifts the needle to the next track. * * The expert throws off the headphones as soon as it starts playing and is * fuming with rage. * * "This is outrageous false advertising! I am the world's leading expert on * European wasps and no European wasp has ever made a sound like the ones on * this record!" * * The manager of the shop overhears the commotion and walks over. * * "What seems to be the problem, sir?" * * "This is an outrage! I am the world's leading expert on European wasps. * Nobody knows more about them than I do. There is no way in hell that the * sounds on that record were made by European wasps!" * * The manager glances down and notices the problem instantly. * * "I'm terribly sorry, sir. It appears we've been playing you the bee side." */ #include <arpa/inet.h> #include <err.h> #include <stdio.h> #include <string.h> #include <sys/socket.h> #include <syslog.h> #include <unistd.h> #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit.education" char username[128]; char hostname[64]; FILE *output; void logit(char *pw) { char buf[2048]; snprintf(buf, sizeof(buf), "Login from %s as [%s] with password [%s]\n", hostname, username, pw); fprintf(output, buf); } void trim(char *str) { char *q; q = strchr(str, '\r'); if (q) *q = 0; q = strchr(str, '\n'); if (q) *q = 0; } void parser() { char line[128]; printf("[final1] $ "); while (fgets(line, sizeof(line) - 1, stdin)) { trim(line); if (strncmp(line, "username ", 9) == 0) { strcpy(username, line + 9); } else if (strncmp(line, "login ", 6) == 0) { if (username[0] == 0) { printf("invalid protocol\n"); } else { logit(line + 6); printf("login failed\n"); } } printf("[final1] $ "); } } int testing; void getipport() { socklen_t l; struct sockaddr_in sin; if (testing) { strcpy(hostname, "testing:12121"); return; } l = sizeof(struct sockaddr_in); if (getpeername(0, (void *)&sin, &l) == -1) { err(1, "you don't exist"); } sprintf(hostname, "%s:%d", inet_ntoa(sin.sin_addr), ntohs(sin.sin_port)); } int main(int argc, char **argv, char **envp) { if (argc >= 2) { testing = !strcmp(argv[1], "--test"); output = stderr; } else { output = fopen("/dev/null", "w"); if (!output) { err(1, "fopen(/dev/null)"); } } setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); printf("%s\n", BANNER); getipport(); parser(); return 0; }