9
deadPix3l
168d

Bot which exploits textbook code. Make the world safer, one junior Dev at a time.

Project Type
Project idea
Summary

Bot which exploits textbook code. Make the world safer, one junior Dev at a time.

Description
Just about every C book ever has the same example: after the hello world there's the "what's your name? Dave. Hello Dave!" example. And it's always the simplest version: contains a system("pause") at the end because Windows users have never used a console (path hijacking vulnerability) and this: char name[100]; scanf("%s", name); printf(name); And there are so many things wrong with that! Wouldn't it be great for this code to stop existing in the brains of junior developers? This project would seek out these texts, Stack Overflow answers, or newly budding GitHub devs, write a feasible exploit for these (literally) textbook vulnerabilities as well as a sanitized, safe version. Format string vulnerabilities and stack smashing happen because it's literally the first thing we teach new programmers. This has to stop.
Tech Stack
C, flex+bison, sed/awk, anything really
Current Team Size
1
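The greeting program from the description in a bounded, fixed-format form, as an added example that is not part of the original post. `read_name` and `greet` are hypothetical helper names; the 100-byte buffer size is taken from the post's snippet.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 100  /* same buffer size as the snippet in the post */

/* Read one line into buf (capacity cap), never writing past it.
 * Returns the stored length, or -1 on EOF/error with nothing read.
 * An over-long line is truncated and its remainder discarded, so the
 * leftover bytes are not mistaken for the next answer. */
int read_name(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {
        buf[len] = '\0';              /* complete line: drop the newline */
    } else {
        int c;                        /* truncated: drain rest of the line */
        while ((c = fgetc(in)) != '\n' && c != EOF)
            ;
    }
    return (int)len;
}

/* Build the greeting with a constant format string; the name is only ever
 * data for %s, so any '%' it contains is copied, not interpreted. */
int greet(char *out, size_t cap, const char *name)
{
    return snprintf(out, cap, "Hello %s!\n", name);
}

int main(void)
{
    char name[NAME_CAP], msg[NAME_CAP + 16];
    fputs("What's your name? ", stdout);
    fflush(stdout);
    if (read_name(stdin, name, sizeof name) < 0)
        return 1;
    greet(msg, sizeof msg, name);
    fputs(msg, stdout);
    /* No system("pause") here: the post flags it as a path hijacking risk. */
    return 0;
}
```

Compiling the original snippet with `-Wall -Wformat-security` on GCC or Clang flags the `printf(name)` call, which is a cheap check to run over beginner code.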
Comments
  • 0
    I think it's ok the way it is, because it's teaching the basics to beginner developers, so even if it isn't safe or perfect as long as it teaches them variables and scanf it's fine by me. Making a "better" version would probably result in more complicated code that beginners wouldn't understand and just copy-paste
  • 1
    @Lapse I guess to a degree but why teach scanf in the first place? It's literally unsafe to use all of the time. And how much harder is printf("%s", name) ? They won't ever write format string vulnerabilities if they are never exposed to it. Honestly if an entire generation of programmers thinks that you MUST pass a hardcoded format string, I really don't think it will become much of an issue.
  • 0
    @deadPix3l how the hell would that print(array) compile? I am referring to you distinguishing between that and printf("%s", array)..
  • 0
    @AVGVSTVS are you simply referring to my inability to add the 'f' in printf()? I fixed it.

    Or is there another compilation issue I'm overlooking? Looks good to me.
  • 0
    @deadPix3l I was confused by the pseudo-code-like argument of print (omitting format specifier thing) together with the typo
  • 0
    @AVGVSTVS honestly it's been far too long since I've written real C code so it may be a bit inaccurate.

    If you are confused why I left out the "%s" (which is what I interpreted from your response), this is a real thing junior devs are taught, it does compile properly, it interprets the user input as a format string, and is the source of an entire class of very dangerous bugs. My point is we should stop teaching it.

    Which makes me want to do more C now. I should. But my life recently has been a lot of Python and x86.
  • 3
    ++ for cool idea. I have no idea how to help