Untitled

a guest
Mar 25th, 2019
Introduction:

We exploited webserver.c's vulnerability to break into the call stack. The code was structured into three main parts: the initialization of variables, the setup of the server, and the listener that continuously checked for netcat HTTP requests. If an nc HTTP request connects successfully and issues a request, the "handler" helper function parses that request and takes the necessary action.

The first two parts of the code set up an environment using library functions, and the third part sets up a server request listener. Prebuilt functions were used to create the server, so we deduced the bug must be somewhere in the request listener. We narrowed our search further by considering only the parts of the listener that manipulated variables stored on the stack. The handler stored the filename array, character pointers, and integers on the stack.

The Error:

We first looked at the filename[100] array that was stored on the stack. The memset and strncpy functions modified this filename[100]. memset fills all 100 bytes of filename with the "\0" value, and strncpy then copies an input string from the nc server query into filename. Since the query could send a filename of arbitrary length, strncpy only runs after a check that the filename provided had a valid length of less than 100. The length of the filename is computed and cast to an integer "length". Although the computed filename length was an integer, the check_file_length(byte) function only accepted a byte.

C handles the conversion of this integer into a byte by keeping only the bottom 8 bits of the 32-bit integer. This reduces the filename length modulo 256, the number of distinct values a byte can hold, and then uses that reduced value to decide whether the string length is < 100 bytes. Therefore, a large filename length x can be chosen such that x % 256 < 100. The check_file_length function then returns true, and the handler performs the strncpy of the large filename into the small 100-byte space allocated on the stack for filename[100]. This vulnerability in C is the bug we used to "smash the stack".
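The following is an added example, not the webserver.c from the exercise: it reproduces the narrowing bug in a check that takes an unsigned char beside a hardened check that compares the full size_t, and a copy routine that rejects oversized names instead of writing past filename[100]. Function names, the 100-byte limit and the 300-byte sample request are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FILENAME_MAX_LEN 100

/* Check as the write-up describes it: the parameter is one byte, so a caller's
 * int length is narrowed and only its low 8 bits (length % 256) are compared. */
static int check_file_length_truncated(unsigned char length) {
    return length < FILENAME_MAX_LEN;
}

/* Hardened check: the full length is compared, nothing is narrowed. */
static int check_file_length_safe(size_t length) {
    return length < FILENAME_MAX_LEN;
}

/* What the vulnerable handler decides for a request of the given length:
 * returns 1 when the truncated check would let the copy go ahead. */
static int vulnerable_check_passes(size_t request_len) {
    int length = (int)request_len;                    /* the int "length" of the write-up */
    return check_file_length_truncated((unsigned char)length); /* implicit narrowing made explicit */
}

/* Hardened handler: zero the buffer, refuse names that do not fit, otherwise copy.
 * Returns 0 on success and -1 when the name is rejected; the buffer stays NUL-terminated. */
static int copy_filename_safe(char filename[FILENAME_MAX_LEN], const char *request) {
    size_t len = strlen(request);
    memset(filename, 0, FILENAME_MAX_LEN);
    if (!check_file_length_safe(len)) {
        return -1;                                    /* reject instead of overflowing */
    }
    memcpy(filename, request, len);                   /* len < 100, terminator left by memset */
    return 0;
}

int main(void) {
    char filename[FILENAME_MAX_LEN];
    char big[301];                                    /* constructed sample: 300 'A's */
    memset(big, 'A', 300);
    big[300] = '\0';
    /* 300 % 256 = 44 < 100, so the truncated check passes while the safe copy refuses. */
    printf("truncated check on length 300: %d\n", vulnerable_check_passes(300));
    printf("safe copy of 300-byte name:   %d\n", copy_filename_safe(filename, big));
    printf("safe copy of \"index.html\":   %d\n", copy_filename_safe(filename, "index.html"));
    return 0;
}
```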