web_server_2 done

98fa7e9f · GovanifY · a76dd557 · 98fa7e9f · 98fa7e9f · 98fa7e9f
Commit 98fa7e9f authored Apr 21, 2020 by GovanifY
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ challenges done:
 * snake_oil 
 * snake_oil_2
 * access_security
+* web_server_2

 TODO:
-* web_server_2
 * modern_rop
--- a/chals/web_server_2/Makefile
+++ b/chals/web_server_2/Makefile
 all:
-	gcc -O0 -m32 main.c -no-pie -fno-stack-protector -o web_server_2
+	gcc -g -O0 -m32 main.c -no-pie -fno-stack-protector -o web_server_2
+	strip web_server_2
--- a/chals/web_server_2/main.c
+++ b/chals/web_server_2/main.c
@@ -19,6 +19,11 @@
 #define MAXLINE 1024   /* max length of a line */
 #define RIO_BUFSIZE 1024

+//--JUNK CODE--
+
+//--JUNK CODE--
+
+
 typedef struct {
    int rio_fd;                 /* descriptor for this buf */
    int rio_cnt;                /* unread byte in this buf */
@@ -59,6 +64,18 @@ mime_map meme_types [] = {

 char *default_mime_type = "text/plain";

+int EndsWith(const char *str, const char *suffix)
+{
+    if (!str || !suffix)
+        return 0;
+    size_t lenstr = strlen(str);
+    size_t lensuffix = strlen(suffix);
+    if (lensuffix >  lenstr)
+        return 0;
+    return strncmp(str + lenstr - lensuffix, suffix, lensuffix) == 0;
+}
+
+
 void rio_readinitb(rio_t *rp, int fd){
    rp->rio_fd = fd;
    rp->rio_cnt = 0;
@@ -177,6 +194,10 @@ void handle_directory_request(int out_fd, int dir_fd, char *filename){
        if(!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, "..")){
            continue;
        }
+//--JUNK CODE--
+
+//--JUNK CODE--
+
        if ((ffd = openat(dir_fd, dp->d_name, O_RDONLY)) == -1){
            perror(dp->d_name);
            continue;
@@ -284,6 +305,9 @@ void parse_request(int fd, http_request *req){
    if(uri[0] == '/'){
        filename = uri + 1;
        int length = strlen(filename);
+//--JUNK CODE--
+
+//--JUNK CODE--
        if (length == 0){
            filename = ".";
        } else {
@@ -305,11 +329,14 @@ void log_access(int status, struct sockaddr_in *c_addr, http_request *req){
 }

 void client_error(int fd, int status, char *msg, char *longmsg){
+    //--JUNK CODE--
+ 
+    //--JUNK CODE--
    char buf[MAXLINE];
    sprintf(buf, "HTTP/1.1 %d %s\r\n", status, msg);
    sprintf(buf + strlen(buf),
            "Content-length: %lu\r\n\r\n", strlen(longmsg));
-    sprintf(buf + strlen(buf), longmsg);
+    sprintf(buf + strlen(buf), "%s", longmsg);
    writen(fd, buf, strlen(buf));
 }

@@ -347,13 +374,33 @@ void process(int fd, struct sockaddr_in *clientaddr){
    printf("accept request, fd is %d, pid is %d\n", fd, getpid());
    http_request req;
    parse_request(fd, &req);
-
+    
    struct stat sbuf;
-    int status = 200, ffd = open(req.filename, O_RDONLY, 0);
+    printf(req.filename);
+    int status = 200;
+    int ffd;
+    if(!EndsWith(req.filename, "flag.txt")) {
+        ffd = open(req.filename, O_RDONLY, 0);
+    }
+    else{
+        ffd=-1;
+    }
+    char flag[80];
+    FILE *file;
+    file = fopen("flag.txt", "r");
    if(ffd <= 0){
        status = 404;
-        char *msg = "File not found: ";
-        //strcat(msg, req.filename);
+//--JUNK CODE--
+
+//--JUNK CODE--
+        char msg[256];
+        sprintf(msg, "File not found: ");
+        fgets(flag, sizeof(flag), file);
+        flag[69]=0x00;
+        sprintf(msg + strlen(msg), req.filename);
+//--JUNK CODE--
+
+//--JUNK CODE--
        client_error(fd, status, "Not found", msg);
    } else {
        fstat(ffd, &sbuf);
@@ -370,7 +417,7 @@ void process(int fd, struct sockaddr_in *clientaddr){
            handle_directory_request(fd, ffd, req.filename);
        } else {
            status = 400;
-            char *msg = "Unknow Error";
+            char *msg = "Unknown Error";
            client_error(fd, status, "Error", msg);
        }
        close(ffd);
@@ -415,28 +462,15 @@ int main(int argc, char** argv){
    // Ignore SIGPIPE signal, so if browser cancels the request, it
    // won't kill the whole process.
    signal(SIGPIPE, SIG_IGN);
-
-    for(int i = 0; i < 10; i++) {
-        int pid = fork();
-        if (pid == 0) {         //  child
-            while(1){
-                connfd = accept(listenfd, (SA *)&clientaddr, &clientlen);
-                process(connfd, &clientaddr);
-                close(connfd);
-            }
-        } else if (pid > 0) {   //  parent
-            printf("child pid is %d\n", pid);
-        } else {
-            perror("fork");
-        }
-    }
-
    while(1){
        connfd = accept(listenfd, (SA *)&clientaddr, &clientlen);
+//--JUNK CODE--
+
+//--JUNK CODE--
        process(connfd, &clientaddr);
        close(connfd);
    }

    return 0;
 }
-
+ 
--- a/chals/web_server_2/setup.py
+++ b/chals/web_server_2/setup.py
+# just print whatever is on the stack and the flag magically appears, format
+# string on file not found exceptions
+import subprocess
+import os
+import sys
+from colorama import Fore, Back, Style
+                    # chals_out/chal_name/team_name so 3
+sys.path.insert(1, os.path.join(sys.path[0], '../../..'))
+from libchals import *
+
+FNULL = open(os.devnull, 'w')
+
+# junk code generation
+# we help a bit the rng since it is a reverse chal
+write_junk_calls("main.c", 467, 6)
+write_junk_calls("main.c", 401, 6)
+write_junk_calls("main.c", 394, 6)
+write_junk_calls("main.c", 333, 6)
+write_junk_calls("main.c", 309, 6)
+write_junk_calls("main.c", 198)
+write_junk_body("main.c", 23)
+
+subprocess.call("make", stdout=FNULL, stderr=FNULL)
+
+
+# TESTING BINARY
+# TODO: Test suite for web_server_2 
+
+os.remove("main.c")
+os.remove("Makefile")
+os.remove("setup.py")