zach's vuln-1 with minor edits

d5c411a2 · Zachary Ho · 543b0357 · d5c411a2 · d5c411a2 · d5c411a2
Commit d5c411a2 authored Oct 1, 2019 by Zachary Ho
--- a/.DS_Store
+++ b/.DS_Store
--- a/bin/.DS_Store
+++ b/bin/.DS_Store
--- a/bin/vuln-1/passbook
+++ b/bin/vuln-1/passbook
--- a/bin/vuln-1/passbook-cov
+++ b/bin/vuln-1/passbook-cov
--- a/bin/vuln-1/passbook-cov.dSYM/Contents/Resources/DWARF/passbook-cov
+++ b/bin/vuln-1/passbook-cov.dSYM/Contents/Resources/DWARF/passbook-cov
--- a/bin/vuln-1/passbook-fuzz
+++ b/bin/vuln-1/passbook-fuzz
--- a/bin/vuln-1/passbook-fuzz.dSYM/Contents/Resources/DWARF/passbook-fuzz
+++ b/bin/vuln-1/passbook-fuzz.dSYM/Contents/Resources/DWARF/passbook-fuzz
--- a/bin/vuln-1/passbook-san
+++ b/bin/vuln-1/passbook-san
--- a/bin/vuln-1/passbook-san.dSYM/Contents/Resources/DWARF/passbook-san
+++ b/bin/vuln-1/passbook-san.dSYM/Contents/Resources/DWARF/passbook-san
--- a/bin/vuln-1/passbook.dSYM/Contents/Resources/DWARF/passbook
+++ b/bin/vuln-1/passbook.dSYM/Contents/Resources/DWARF/passbook
--- a/bin/vuln-1/passwords.txt
+++ b/bin/vuln-1/passwords.txt
 masterpw master_pw
-put www.gogo.com gogo gogo1
+put www.abc.com abc abc1
-put www.gege.com gege gege1
--- a/poc/vuln-1.poc
+++ b/poc/vuln-1.poc
 put www.gege.com gege gege1
 put www.gogo.com gogo gogo1
-put %s %s %s
+put %s%x%x%x%x %x%x%x %x
 list
 save master_pw passwords.txt
\ No newline at end of file
--- a/src/vuln-1/passbook.c
+++ b/src/vuln-1/passbook.c
@@ -67,12 +67,29 @@ static const node_t *lookup(const node_t *p, const char *url)
 static void node_print(const node_t *p)
 {
+  // Vuln-1 here!
  printf("Url: ");
  printf(p->url);
+  // printf("\n");
+  // printf("size of url is %d\n", sizeof(p->url));
+  // printf("Address of url in x is %x\n", &(p->url));
+  // printf("Address of url in p is %p\n", &(p->url));
  printf(", Username: ");
  printf(p->cred.username);
+  // printf("\n");
+  // printf("size of username is %d\n", sizeof(p->cred.username));
+  // printf("Address of username in x is %x\n", &(p->cred.username));
+  // printf("Address of username in p is %p\n", &(p->cred.username));
  printf(", Password: ");
  printf(p->cred.password);
+  // printf("\n");
+  // printf("size of password is %d\n", sizeof(p->cred.password));
+  // printf("Address of password in x is %x\n", &(p->cred.password));
+  // printf("Address of password in p is %p\n", &(p->cred.password));
  printf("\n");
  // printf("URL: %s, Username: %s, Password: %s\n", p->url, p->cred.username, p->cred.password);
@@ -81,11 +98,11 @@ static void node_print(const node_t *p)
 /* construct a new node */
 static node_t *node_new(const char *url, const cred_t cred)
 {
-  // Vuln-1.1 here!
+  // Vuln-extra1 here!
  // Change sizeof(node_t) to sizeof(node_t*)
-  node_t *new = malloc(50);
+  // node_t *new = malloc(50);
-  // node_t *new = malloc(sizeof(node_t));
+  node_t *new = malloc(sizeof(node_t));
+  printf("size of new is %d\n", sizeof(*new));
  // printf("the size of node_t is %lu\n the size of char * is %lu\n the size of cred_t is %lu\n the size of struct node * is %lu\n", sizeof(node_t), sizeof(char *), sizeof(cred_t), sizeof(struct node *));
  // Vuln-1.3 here!
@@ -111,7 +128,7 @@ static void node_edit_cred(node_t *p, node_t *q)
 {
  free(p->cred.username);
  free(p->cred.password);
-  // Vuln-1.2 here!
+  // Vuln-extra2 here!
  // used strcpy instead of assigning pointers
  // p->cred.username = strncpy(p->cred.username, q->cred.username, INT32_MAX);
  // p->cred.password = strncpy(p->cred.password, q->cred.password, INT32_MAX);
@@ -220,6 +237,9 @@ static node_t *rem(node_t *p, const char *url)
      node_t *left = p->left;
      node_t *const right = p->right;
      left = node_insert(left, right);
+      // Vuln-extra3 here!
+      // Don't think this counts since memory leaks are not valid vulnerabilities in this assignment?
      node_free(p);
      if (pptr != NULL)
      {
@@ -410,6 +430,29 @@ void print_inorder(const node_t *p)
      // print the node following the return
      node_print(q);
+      // Vuln-1 here!
+      // printf("Url: ");
+      // printf(q->url);
+      // printf("\n");
+      // printf("size of url is %d\n", sizeof(q->url));
+      // printf("Address of url in x is %x\n", &(q->url));
+      // printf("Address of url in p is %p\n", &(q->url));
+      // printf(", Username: ");
+      // printf(q->cred.username);
+      // printf("\n");
+      // printf("size of username is %d\n", sizeof(q->cred.username));
+      // printf("Address of username in x is %x\n", &(q->cred.username));
+      // printf("Address of username in p is %p\n", &(q->cred.username));
+      // printf(", Password: ");
+      // printf(q->cred.password);
+      // printf("\n");
+      // printf("size of password is %d\n", sizeof(q->cred.password));
+      // printf("Address of password in x is %x\n", &(q->cred.password));
+      // printf("Address of password in p is %p\n", &(q->cred.password));
+      printf("\n");
      // simulate right recursive call
      if (q->right != NULL)
@@ -529,6 +572,10 @@ static int execute(void)
    }
    debug_printf("Removing: %s\n", toks[1]);
    map = rem(map, toks[1]);
+    // Another Vuln here!
+    printf("Removed: ");
+    printf(toks[1]);
  }
  else if (strcmp(toks[0], INSTRUCTION_PUT) == 0)
  {