error when comparing C-torque

Asked

Viewed 83 times

1

I have a Perl program that connects to a socket, receives binaries in this socket, reads the incoming binaries, compares them with other binaries in a buffer so I know if there are these binaries in the received buffer in the socket. Look at:

perlProgram.pl

# some code here ...

my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => 666, Proto => 'tcp');   

$sock->sockopt(SO_LINGER, pack("ii", 1, 0));


# some code here for another porposes...
# ...


read($sock, $buff, 0xfffff);

close($sock);

if (($v = index $buff, "\xC7\x44\x24\x08\x03\x00\x00\x00\xC7\x04\x24\x00\x00\x00\x00\x89\x44\x24\x04") >= 0) {
    $offset = $v;

    printf "your offset is %08x\n", $offset;
} else {
    if (($v = index $buff, "\x89\x44\x24\x10\xA1\xBC\xA5\x0F\x08\x89\x44\x24\x04\xe8") >= 0) {
        $offset = $v;

    printf "your offset is %08x\n", $offset;
    } else {
        print "Could not find your binaries\n";
        exit;
    }
}


# more code here ...

This Perl program runs perfectly, and I’m sure the binaries are coming in the socket, and the binaries I want are in the buffer. So I wrote the same program in C, and here’s the problem: in C I can’t verify if the binaries in the socket buffer even exist, because I’m sure they’re coming but I can’t verify programmatically. Look at:

sameProgramInC. c:

// some code here ...

char binaries_1[]="\xc7\x44\x24\x08\x03\x00\x00\x00\xc7\x04\x24\x00\x00\x00\x00\x89\x44\x24\x04";
char binaries_2[]="\x89\x44\x24\x10\xa1\xbc\xa5\x0f\x08\x89\x44\x24\x04\xe8";

int indexOf(const unsigned char *data_buffer, const unsigned int length, const unsigned char *needle, const unsigned int needlelen) {
   unsigned int i, j, index=0;
   for(i=0; i < length-needlelen; i++) {
      if(data_buffer[i] == needle[0]){
         index=i;
         for(j=1; j < needlelen; j++){
            if(data_buffer[i+j] != needle[j]){
               index=0;
               break;
            }
         }
         if(index == i){
            return index;
         }
      }
   }
   return index;
}

int main(int argc, char *argv[]) {
   int sockfd, buflen;
   struct hostent *host_info;
   struct sockaddr_in target_addr;
   unsigned char read_buffer[0xfffff];

   if((host_info = gethostbyname(argv[1])) == NULL)
      fatal("looking up hostname");

   if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1)
      fatal("in socket");

   target_addr.sin_family = AF_INET;
   target_addr.sin_port = htons(PORT);   
   target_addr.sin_addr = *((struct in_addr *)host_info->h_addr);
   memset(&(target_addr.sin_zero), '\0', 8); // zero the rest of the struct

   if (connect(sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1)
      fatal("connecting to target server");

   // some code here for another porposes...
   // ...

   printf("\n\t Attempting to read memory of the server...");
   bzero(read_buffer, sizeof(read_buffer));
   read(sockfd, read_buffer, 0xfffff);

   index = indexOf(read_buffer, sizeof(read_buffer), binaries_1, sizeof(binaries_1));    
   if(index != 0){
      printf("\n\t [+] your offset is 0x%08x", index);
   } else {
      index = indexOf(read_buffer, sizeof(read_buffer), binaries_2, sizeof(binaries_2));      
      if(index != 0){
         printf("\n\t [+] your offset is 0x%08x", index);
      } else {
         printf("\n\t [-] Fail! Could not find your offset!");
      }
   }

   // more code here

So this C code doesn’t run like my Perl code. There are no execute errors, only my C code cannot check that the binaries are in the buffer as the Perl code can. I tried to use memmem(), memcmp() and strstr(), but they don’t work either. Why does it happen? What’s wrong? There’s something wrong with my indexOf()?

I asked the same question in international stackoverflow, if you want to answer there, feel free: errors in Binary comparation in C

  • Take the answer you got there in the OS and post here to leave with a valid answer.

1 answer

1


When specified sizeof(binaries_1) as substring length of binaries to be searched in the buffer, includes the zero on the right (string terminator). So just switch to sizeof(binaries_1)-1 that the problem is solved. A classic off-by-one error.

Credits: Anton Savin of stackoverflow.com

Browser other questions tagged

You are not signed in. Login or sign up in order to post.