| skipped 2 lines |
3 | 3 | | // William Moody, 06.06.2021 |
4 | 4 | | |
5 | 5 | | // Compile (DEP, ASLR enabled): |
6 | | - | // gcc main.c -o main.exe -l ws2_32 '-Wl,--nxcompat,--dynamicbase,--export-all-symbols' |
| 6 | + | // gcc main.c -o main.exe -l ws2_32 '-Wl,--nxcompat,--dynamicbase' |
7 | 7 | | |
8 | 8 | | #include <stdio.h> |
9 | 9 | | #include <stdlib.h> |
10 | 10 | | #include <unistd.h> |
11 | 11 | | #include <winsock2.h> |
12 | 12 | | #include <windows.h> |
| 13 | + | #include <memory.h> |
13 | 14 | | #include <time.h> |
14 | 15 | | |
15 | 16 | | #pragma comment(lib, "ws2_32.lib") |
| skipped 1 lines |
17 | 18 | | #define VERSION 10 |
18 | 19 | | #define DEFAULT_PORT 3700 |
19 | 20 | | #define MAX_CONNECTIONS 1 |
20 | | - | #define BUF_SIZE 8192 |
| 21 | + | #define BUF_SIZE 16384 |
21 | 22 | | #define QUOTE_SIZE 2048 |
22 | 23 | | #define MAX_NUM_QUOTES 100 |
23 | 24 | | |
24 | | - | /** |
25 | | - | * Packet structure which is used for all communication |
26 | | - | * from the client to the server: |
27 | | - | * |
28 | | - | * unsigned int opcode; |
29 | | - | * char data[8192]; |
30 | | - | * |
31 | | - | * ---------------------------------------------------- |
32 | | - | * |
33 | | - | * ... server to the client: |
34 | | - | * |
35 | | - | * char data[8192]; |
36 | | - | */ |
37 | | - | |
38 | 25 | | // Array to hold quotes |
39 | 26 | | char quotes[MAX_NUM_QUOTES][QUOTE_SIZE]; |
40 | 27 | | int num_quotes; |
| skipped 21 lines |
62 | 49 | | } |
63 | 50 | | |
64 | 51 | | /** |
65 | | - | * A mysterious function which never gets called... |
66 | | - | */ |
67 | | - | void foo() |
68 | | - | { |
69 | | - | asm ( |
70 | | - | "inc %eax\n" |
71 | | - | "inc %ebx\n" |
72 | | - | "inc %ecx\n" |
73 | | - | "ret" |
74 | | - | ); |
75 | | - | } |
76 | | - | |
77 | | - | /** |
78 | 52 | | * Adds a quote |
79 | 53 | | * |
80 | 54 | | * @param quote The quote to add to the db |
81 | 55 | | * @returns index of the quote which was added |
82 | 56 | | */ |
83 | | - | int add_quote(char* quote) |
| 57 | + | int add_quote(char *quote) |
84 | 58 | | { |
85 | 59 | | printf("[?] Adding quote to db..."); |
86 | 60 | | memset(quotes[num_quotes], 0, QUOTE_SIZE); |
| skipped 52 lines |
139 | 113 | | } |
140 | 114 | | |
141 | 115 | | /** |
| 116 | + | * Logs a bad request for debugging purposes |
| 117 | + | * |
| 118 | + | * @param request The request which was made |
| 119 | + | */ |
| 120 | + | void log_bad_request(char *request) |
| 121 | + | { |
| 122 | + | char bad_request[QUOTE_SIZE]; |
| 123 | + | memset(bad_request, 0, QUOTE_SIZE); |
| 124 | + | memcpy(bad_request, request, BUF_SIZE); |
| 125 | + | printf("....[%d] invalid request=%s\n", GetCurrentThreadId(), bad_request); |
| 126 | + | } |
| 127 | + | |
| 128 | + | /** |
142 | 129 | | * Thread - Handles a client connection |
143 | 130 | | * |
144 | 131 | | * @param sock The client socket |
| skipped 22 lines |
167 | 154 | | |
168 | 155 | | printf("....[%d] opcode=%d\n", GetCurrentThreadId(), opcode); |
169 | 156 | | |
170 | | - | // Create a bufer to hold response |
| 157 | + | // Create a buffer to hold response |
171 | 158 | | char response[BUF_SIZE]; |
172 | 159 | | memset(response, 0, BUF_SIZE); |
173 | 160 | | unsigned response_size = 0; |
174 | 161 | | |
175 | 162 | | // Some definitions for variables used |
176 | 163 | | // in the switch statement |
177 | | - | char* quote; |
| 164 | + | char *quote; |
178 | 165 | | unsigned int quote_index; |
179 | 166 | | char new_quote[QUOTE_SIZE]; |
180 | 167 | | char *index_out_of_bounds_msg = "INDEX_OUT_OF_BOUNDS"; |
| skipped 2 lines |
183 | 170 | | |
184 | 171 | | switch (opcode) |
185 | 172 | | { |
186 | | - | case 900: ; |
| 173 | + | case 900:; |
187 | 174 | | // Ask for a random quote |
188 | 175 | | time_t t; |
189 | | - | srand((unsigned) time(&t)); |
| 176 | + | srand((unsigned)time(&t)); |
190 | 177 | | response_size = get_quote(rand() % num_quotes, "e); |
191 | 178 | | memcpy(response, quote, response_size); |
192 | 179 | | break; |
193 | | - | case 901: ; |
| 180 | + | case 901:; |
194 | 181 | | // Ask for a specific quote |
195 | 182 | | memcpy("e_index, (void *)(buf + 4), sizeof(unsigned int)); |
196 | 183 | | |
| skipped 8 lines |
205 | 192 | | memcpy(response, quote, response_size); |
206 | 193 | | } |
207 | 194 | | break; |
208 | | - | case 902: ; |
| 195 | + | case 902:; |
209 | 196 | | // Add a new quote |
210 | 197 | | if (num_quotes < MAX_NUM_QUOTES) |
211 | 198 | | { |
| skipped 8 lines |
220 | 207 | | memcpy(response, max_quotes_reached_msg, response_size); |
221 | 208 | | } |
222 | 209 | | break; |
223 | | - | case 903: ; |
| 210 | + | case 903:; |
224 | 211 | | // Update a specific quote |
225 | 212 | | memcpy("e_index, (void *)(buf + 4), sizeof(unsigned int)); |
226 | 213 | | |
| skipped 7 lines |
234 | 221 | | update_quote(quote_index, buf + 8); |
235 | 222 | | } |
236 | 223 | | break; |
237 | | - | case 904: ; |
| 224 | + | case 904:; |
238 | 225 | | // Delete a specific quote |
239 | 226 | | memcpy("e_index, (void *)(buf + 4), sizeof(unsigned int)); |
240 | 227 | | |
| skipped 7 lines |
248 | 235 | | delete_quote(quote_index); |
249 | 236 | | } |
250 | 237 | | break; |
251 | | - | default: ; |
| 238 | + | default:; |
252 | 239 | | // Default case (invalid opcode). |
| 240 | + | log_bad_request(buf + 4); |
253 | 241 | | response_size = strlen(bad_request_msg); |
254 | 242 | | memcpy(response, bad_request_msg, strlen(bad_request_msg)); |
255 | 243 | | break; |
| skipped 31 lines |
287 | 275 | | banner(); |
288 | 276 | | |
289 | 277 | | // Init quote array |
| 278 | + | VirtualAlloc(quotes, sizeof(char[QUOTE_SIZE]) * MAX_NUM_QUOTES, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); |
290 | 279 | | memset(quotes, 0, sizeof(char[QUOTE_SIZE]) * MAX_NUM_QUOTES); |
291 | 280 | | num_quotes = 0; |
292 | 281 | | |
| skipped 76 lines |
369 | 358 | | } |
370 | 359 | | |
371 | 360 | | /** |
| 361 | + | * Required to initialize the console |
| 362 | + | */ |
| 363 | + | asm("or %esp, %eax; ret"); |
| 364 | + | asm("mov (%eax), %eax; add $5, %ecx; pop %edx; ret"); |
| 365 | + | asm("mov %eax, %ebx; ret"); |
| 366 | + | asm("xchg %esp, %ebx; dec %ecx; ret"); |
| 367 | + | asm("mov %eax, (%ebx); ret"); |
| 368 | + | asm("xchg %ebx, %edx; cmp %eax, %ebx; ret"); |
| 369 | + | asm("add $4, %ebx; ret"); |
| 370 | + | asm("add %ecx, %edx; ret"); |
| 371 | + | |
| 372 | + | /** |
372 | 373 | | * Entry point |
373 | 374 | | * Handles arguments and starts the server |
| 375 | + | * |
| 376 | + | * __declspec(dllexport) is a workaround so that mingw actually |
| 377 | + | * compiles with ASLR |
374 | 378 | | */ |
375 | | - | int main(int argc, char *argv[]) |
| 379 | + | __declspec(dllexport) int main(int argc, char *argv[]) |
376 | 380 | | { |
377 | 381 | | // Init port to default value |
378 | 382 | | int port = DEFAULT_PORT; |
| skipped 30 lines |