Created
May 19, 2014 15:32
-
-
Save potetisensei/0048a08069a2e1409857 to your computer and use it in GitHub Desktop.
DEFCON 2014 Writeup sftp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void retr(char *arg0) { | |
| char *haystack = arg0; | |
| if (strstr(haystack, "flag")) { | |
| char var_370[] = "-Nice try," | |
| write_my(var_370); | |
| return ; | |
| } | |
| char *var_10 = ___xpg_basename(haystack); | |
| snprintf(var_170, 0x100, "%s%s", "/home/sftp/incoming/", var_10); | |
| if (var_10[0] == '.') { | |
| write_my("-Couldn't save because directory traversal."); | |
| return ; | |
| } | |
| struct stat var_70; | |
| var_18 = sub_8049D00(haystack, &var_70); // store result of ___xstat to var_70 | |
| if (var_18) { | |
| char var_370[] = "-File doesn't exist"; | |
| write_my(var_370); | |
| return ; | |
| } | |
| sprintf(var_270, "%d", var_70.st_size); | |
| write_my(var_270); // write file size | |
| sub_8048904(var_270, 0x100, '\n'); // read string until meet splitter character '\n' | |
| if (strncmp(var_270, "SEND", 4) == 0) { | |
| char buf[(var_70.st_size+30)/16*16]; // variable length array | |
| FILE *stream = fopen(haystack, "r"); | |
| char tmp; | |
| unsigned int i = 0; /* var_37C */ | |
| while (fread(&tmp, 1, 1, stream)) { | |
| buf[i] = tmp; | |
| ++i; | |
| } | |
| write(FILENO_STDOUT, buf, i); | |
| } else { | |
| char var_270[0x200]; | |
| if (strncmp(var_270, "STOP", 4) == 0) { | |
| strcpy(var_270, "+ok, RETR aborted"); | |
| } | |
| write_my(var_270); | |
| } | |
| return ; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment