answers.txt

## Place your answers here.
exploit-2a.py
trigger bug on http.c:65 with the function process_client(int fd),
the return address of function process_client can be overwritten by buffer overflow of variable repath[2048]

exploit-2b.py
overwrite function pointer *handler by pypass a huge value to http.c:276:pn[1024]
$./clean-env.sh ./zookld zook-exstack.conf&
$gdb -p $(pgrep zookfs-exstack)
$break point
$./exploit-2b.py localhost 8080
we can find that the function pointer has been altered.

Part 2:
exploit-3.py
The buffer overflow can be used in this part,
we firt push the executable code of Unlink into stack 
and modify the return address of function process_client() 
to point to the executable code in the stack.

Part 3: 
exploit-4a.py
The return address of process_client can be overwritten and altered to 
point to the system function unlink.
exploit-4b.py
The value of function pointer of *handler can be overwritten.

Part 4:
Exercise 5:
I find it hard to find more bugs, excluding the bugs found in bugs.txt.
I just use 2 bugs previously found.

1) the "reqpath" can be overflowed to hijiack the control flow.
   the limitation is obvious: it depends on the convetion of the c calling and the stupid "ret" instruction.
   the attacker can use overflow the "reqpath" to hijack the control of flow, which is dangerous.
   Various ways can be used to prevent it, including ASLR and stack canary.
   I could simply use the boundry check to fix the bug. 

2) the "value" also can be overflowed to hijijack the control flow.
   Same limitiantion, prevention.

Exercise 6:
Some type modifications are showed below.

1) sprinf --> snprinf
2) int buf[1024] --> static int buf[1024]
3) strcat --> strncat