| #include <crypt.h> |
| #include <netdb.h> |
| #include <netinet/in.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/socket.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
| /* Do nothing with first message */ |
| void handleData0(char *data, int len) { |
| printf("# vulnserver_cov: Auth success\n"); |
| } |
| |
| /* Second message is stack based buffer overflow */ |
| void handleData1(char *data, int len) { |
| char buff[8]; |
| bzero(buff, 8); |
| memcpy(buff, data, len); |
| printf("# vulnserver_cov: Handledata1: %s\n", buff); |
| } |
| |
| /* Third message is heap overflow */ |
| void handleData2(char *data, int len) { |
| char *buff = malloc(8); |
| if (!buff) { |
| abort(); |
| } |
| bzero(buff, 8); |
| memcpy(buff, data, len); |
| printf("# vulnserver_cov: Handledata2: %s\n", buff); |
| free(buff); |
| } |
| |
| void handleData3(char *data, int len) { |
| printf("# vulnserver_cov: Handledata3: %i\n", len); |
| } |
| |
| void handleData4(char *data, int len) { |
| printf("# vulnserver_cov: Handledata4: %i\n", len); |
| } |
| |
| void handleData5(char *data, int len) { |
| printf("# vulnserver_cov: Handledata5: %i\n", len); |
| } |
| |
| void doprocessing(int sock, int serversock) { |
| char data[1024]; |
| int n = 0; |
| int len = 0; |
| |
| while (1) { |
| bzero(data, sizeof(data)); |
| len = read(sock, data, 1024); |
| |
| if (len == 0 || len <= 1) { |
| return; |
| } |
| |
| printf("# vulnserver_cov: Received data with len: %i on state: %i\n", len, n); |
| switch (data[0]) { |
| case 'A': |
| handleData0(data, len); |
| write(sock, "ok", 2); |
| break; |
| case 'B': |
| handleData1(data, len); |
| write(sock, "ok", 2); |
| break; |
| case 'C': |
| handleData2(data, len); |
| write(sock, "ok", 2); |
| break; |
| case 'D': |
| handleData3(data, len); |
| write(sock, "ok", 2); |
| break; |
| case 'E': |
| handleData4(data, len); |
| write(sock, "ok", 2); |
| break; |
| case 'F': |
| handleData5(data, len); |
| write(sock, "ok", 2); |
| // close the main server socket whoooops |
| close(serversock); |
| break; |
| default: |
| return; |
| } |
| |
| n++; |
| } |
| } |
| |
| int main(int argc, char *argv[]) { |
| int sockfd, newsockfd, portno, clilen; |
| char buffer[256]; |
| struct sockaddr_in serv_addr, cli_addr; |
| int n, pid; |
| |
| if (argc == 2) { |
| portno = atoi(argv[1]); |
| } else { |
| portno = 5001; |
| } |
| |
| sockfd = socket(AF_INET, SOCK_STREAM, 0); |
| if (sockfd < 0) { |
| perror("# vulnserver_cov: ERROR opening socket"); |
| exit(1); |
| } |
| |
| int reuse = 1; |
| if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEPORT, (const char *)&reuse, sizeof(reuse)) < 0) |
| perror("# vulnserver_cov: setsockopt(SO_REUSEPORT) failed"); |
| |
| bzero((char *)&serv_addr, sizeof(serv_addr)); |
| serv_addr.sin_family = AF_INET; |
| serv_addr.sin_addr.s_addr = INADDR_ANY; |
| serv_addr.sin_port = htons(portno); |
| |
| printf("# vulnserver_cov: Listening on port: %i\n", portno); |
| |
| /* Now bind the host address using bind() call.*/ |
| if (bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) { |
| perror("# vulnserver_cov: ERROR on binding"); |
| exit(1); |
| } |
| |
| listen(sockfd, 5); |
| clilen = sizeof(cli_addr); |
| |
| while (1) { |
| newsockfd = accept(sockfd, (struct sockaddr *)&cli_addr, &clilen); |
| if (newsockfd < 0) { |
| perror("# vulnserver_cov: ERROR on accept"); |
| exit(1); |
| } |
| printf("# vulnserver_cov: New client connected\n"); |
| doprocessing(newsockfd, sockfd); |
| printf("# vulnserver_cov: Closing...\n"); |
| shutdown(newsockfd, 2); |
| close(newsockfd); |
| } |
| } |