1
I have a Perl program that connects to a socket, receives binaries in this socket, reads the incoming binaries, compares them with other binaries in a buffer so I know if there are these binaries in the received buffer in the socket. Look at:
perlProgram.pl
# some code here ...
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => 666, Proto => 'tcp');
$sock->sockopt(SO_LINGER, pack("ii", 1, 0));
# some code here for another porposes...
# ...
read($sock, $buff, 0xfffff);
close($sock);
if (($v = index $buff, "\xC7\x44\x24\x08\x03\x00\x00\x00\xC7\x04\x24\x00\x00\x00\x00\x89\x44\x24\x04") >= 0) {
$offset = $v;
printf "your offset is %08x\n", $offset;
} else {
if (($v = index $buff, "\x89\x44\x24\x10\xA1\xBC\xA5\x0F\x08\x89\x44\x24\x04\xe8") >= 0) {
$offset = $v;
printf "your offset is %08x\n", $offset;
} else {
print "Could not find your binaries\n";
exit;
}
}
# more code here ...
This Perl program runs perfectly, and I’m sure the binaries are coming in the socket, and the binaries I want are in the buffer. So I wrote the same program in C, and here’s the problem: in C I can’t verify if the binaries in the socket buffer even exist, because I’m sure they’re coming but I can’t verify programmatically. Look at:
sameProgramInC. c:
// some code here ...
char binaries_1[]="\xc7\x44\x24\x08\x03\x00\x00\x00\xc7\x04\x24\x00\x00\x00\x00\x89\x44\x24\x04";
char binaries_2[]="\x89\x44\x24\x10\xa1\xbc\xa5\x0f\x08\x89\x44\x24\x04\xe8";
int indexOf(const unsigned char *data_buffer, const unsigned int length, const unsigned char *needle, const unsigned int needlelen) {
unsigned int i, j, index=0;
for(i=0; i < length-needlelen; i++) {
if(data_buffer[i] == needle[0]){
index=i;
for(j=1; j < needlelen; j++){
if(data_buffer[i+j] != needle[j]){
index=0;
break;
}
}
if(index == i){
return index;
}
}
}
return index;
}
int main(int argc, char *argv[]) {
int sockfd, buflen;
struct hostent *host_info;
struct sockaddr_in target_addr;
unsigned char read_buffer[0xfffff];
if((host_info = gethostbyname(argv[1])) == NULL)
fatal("looking up hostname");
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1)
fatal("in socket");
target_addr.sin_family = AF_INET;
target_addr.sin_port = htons(PORT);
target_addr.sin_addr = *((struct in_addr *)host_info->h_addr);
memset(&(target_addr.sin_zero), '\0', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1)
fatal("connecting to target server");
// some code here for another porposes...
// ...
printf("\n\t Attempting to read memory of the server...");
bzero(read_buffer, sizeof(read_buffer));
read(sockfd, read_buffer, 0xfffff);
index = indexOf(read_buffer, sizeof(read_buffer), binaries_1, sizeof(binaries_1));
if(index != 0){
printf("\n\t [+] your offset is 0x%08x", index);
} else {
index = indexOf(read_buffer, sizeof(read_buffer), binaries_2, sizeof(binaries_2));
if(index != 0){
printf("\n\t [+] your offset is 0x%08x", index);
} else {
printf("\n\t [-] Fail! Could not find your offset!");
}
}
// more code here
So this C code doesn’t run like my Perl code. There are no execute errors, only my C code cannot check that the binaries are in the buffer as the Perl code can. I tried to use memmem(), memcmp() and strstr(), but they don’t work either. Why does it happen? What’s wrong? There’s something wrong with my indexOf()?
I asked the same question in international stackoverflow, if you want to answer there, feel free: errors in Binary comparation in C
Take the answer you got there in the OS and post here to leave with a valid answer.
– Maniero