First Assignment

Gets Worm

This is the kind of innocent program you should be trying to subvert:

#include <stdio.h>

void gets(char *s)
{ for (int i=0; 1; i+=1)
  { int c=getchar();
    if (c=='\n' || c==EOF) 
    { s[i]=0;
      break; }
    s[i]=c; } }

int answer_question(void)
{ char line[28];
  gets(line);
  int val1=0, val2=0, operator, ptr=0;
  while (line[ptr]>='0' && line[ptr]<='9')
  { val1=val1*10+line[ptr]-'0';
    ptr+=1; }
  operator=line[ptr];
  ptr+=1;
  while (line[ptr]>='0' && line[ptr]<='9')
  { val2=val2*10+line[ptr]-'0';
    ptr+=1; }
  switch (operator)
  { case '+': return val1+val2;
    case '-': return val1-val2;
    case '*': return val1*val2;
    case '/': return val1/val2; }
  return -1; }

void main(void)
{ printf("Enter a formula: ");
  int ans=answer_question();
  printf("The answer is %d\n", ans); }

You may use exactly that program if you like, or you may modify it in any way you like, or you may provide one of your own. The program must use a gets-like function to read input, and you must provide input that makes the program behave in a way that is obviously not intended by the writer. As you can see, the program above should only be capable of producing output something like The answer is 123, so your specially designed input should make it do something completely different, not just produce a wrong result. Maybe you can make it say a bad word, or maybe something more spectacular.

Remember, you are taking advantage of buffer over-runs. You might want to make the string "char line[28]" a bit bigger to suit your purposes. Of course your worm will be tailor made for the innocent program you are subverting. Don't expect one worm to work for other programs.

You don't want to have to type the hexadecimal codes for your worm input every time you try running it. A program like this:

#include <stdio.h>

unsigned char code[] = { 0x53, 0x75, 0x72, 0x70, 0x72, 0x69, 0x73, 0x65, 0x21, '\n' };
    // hex. ascii codes:  S     u     r     p     r     i     s     e     !
const int codesize=sizeof(code);

void main(void)
{ FILE *f=fopen("worm.txt", "w");
  for (int i=0; i<codesize; i+=1)
    fputc(code[i], f);
  fclose(f); }

Can be used to create a file containing the characters you want to send to the innocent gets-using program, and you can redirect the input to come from that file when the program runs, using the emulator command "infile 0 worm.txt".

To work out the hexadecimal codes for your worm program, you will need to pay some attention to the processor instruction set, and maybe use the assembler to produce the codes for you (asm -l filename produces hexadecimal codes interleaved with source assembly instructions), and maybe even trace or single step a running program in the emulator.