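#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Deliberately vulnerable fuzzing target.
 *
 * Reads one input file (argv[1]) into memory and branches on a few of its
 * bytes.  Three defects are INTENTIONAL -- they are what a fuzzer is meant
 * to find -- and are kept in place, each marked "INTENTIONAL" below:
 *   - a write through a NULL pointer (three distinct input patterns),
 *   - a stack buffer overflow via strncpy() with a file-supplied length,
 *   - a format-string bug (printf() on file-supplied data).
 * Everything around them (file handling, allocation, cleanup) is meant to
 * be sound, so the harness only crashes where it is supposed to and a
 * missing or unreadable file is reported instead of dereferencing NULL.
 *
 * Input layout actually consulted: data[0] selects the path, data[1..4],
 * data[5..5+sizeof(size_t)) and data[7] are read on some paths; the
 * minimum size of 100 bytes covers every fixed offset read below.
 *
 * Returns 0 after a normal run, -1 (exit status 255) on a usage, I/O or
 * allocation error.  The intentional bugs terminate the process abnormally.
 * Build with -fsanitize=address,undefined to catch the overflow reliably.
 */
int main(int argc, char **argv)
{
    bool flagA = false;
    bool flagB = false;
    FILE *f = NULL;
    uint8_t *data = NULL;
    long pos;
    size_t file_size, ret, size_to_read;
    char small_local_array[20] = {0};
    unsigned int *crash_ptr = NULL; /* stays NULL: every write through it is a deliberate crash */
    int rc = -1;

    if (argc != 2) {
        fprintf(stderr, "Usage: %s \n", argv[0]);
        return -1;
    }

    f = fopen(argv[1], "rb");
    if (f == NULL) {
        /* Unchecked fopen() would make a missing file crash in fseek(), not in a target bug. */
        perror(argv[1]);
        return -1;
    }

    /* ftell() returns -1 on error (e.g. a pipe or a directory); check before casting to size_t. */
    if (fseek(f, 0L, SEEK_END) != 0 || (pos = ftell(f)) < 0 || fseek(f, 0L, SEEK_SET) != 0) {
        fprintf(stderr, "ERROR: cannot determine size of input file\n");
        goto out;
    }
    file_size = (size_t)pos;

    /* Minimum length guarantees every fixed offset read below lies inside data[]. */
    if (file_size < 100) {
        fprintf(stderr, "ERROR: Wrong input file\n");
        goto out;
    }

    data = malloc(file_size);
    if (data == NULL) {
        fprintf(stderr, "ERROR: cannot allocate %zu bytes\n", file_size);
        goto out;
    }

    ret = fread(data, 1, file_size, f);
    if (file_size != ret) {
        fprintf(stderr, "ERROR: fread returned wrong value: %zu\n", ret);
        goto out;
    }

    if (data[0] == 0x30) {
        /* Magic prefix 30 40 f1 20 -> INTENTIONAL null-pointer write. */
        if (data[1] == 0x40 && data[2] == 0xf1 && data[3] == 0x20) {
            printf("Going to crash...\n");
            *crash_ptr = 0xdeadbeef; /* INTENTIONAL: null pointer crash */
        }
    } else if (data[0] == 0x31) {
        flagA = true;
    } else if (data[0] == 0x32) {
        flagB = true;
    } else if (data[0] == 0x33) {
        /* '3' followed by "FUZZ" selects the string-parsing path. */
        if (memcmp(data + 1, "FUZZ", 4) == 0) {
            printf("Going to parse string...\n");
            /*
             * Attacker-controlled length taken straight from the file.  Read it
             * with memcpy rather than *(size_t *)(data + 5): the value is the
             * same, but the cast was an unaligned / strict-aliasing access (UB)
             * that a compiler may legitimately miscompile, which would make the
             * harness flaky rather than reliably vulnerable.
             */
            memcpy(&size_to_read, data + 5, sizeof(size_to_read));
            printf("Size_to_read: %zu\n", size_to_read);
            /*
             * INTENTIONAL: the copy length is not bounded by
             * sizeof(small_local_array), so a large size_to_read overflows the
             * 20-byte stack buffer (and reads past the end of data[]).  strncpy
             * also leaves the buffer without a NUL terminator when it fills it.
             */
            strncpy(small_local_array, (const char *)(data + 5 + sizeof(size_t)), size_to_read);
            /* INTENTIONAL: file-supplied format string (printf("%s", ...) would be the fix). */
            printf(small_local_array);
        }
    }

    /* Two more INTENTIONAL null-pointer writes, gated on the flags set above. */
    if (data[7] == 0xAA && flagA) {
        *crash_ptr = 0xbadf00d; /* INTENTIONAL: null pointer crash */
    }
    if (flagB && data[7] == 0xBD) {
        *crash_ptr = 0x13371337; /* INTENTIONAL: null pointer crash */
    }

    printf("\nEND\n");
    rc = 0;

out:
    /* Single exit path: the original leaked both the FILE and the buffer on every error. */
    free(data);
    fclose(f);
    return rc;
}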