Created
May 19, 2014 12:40
-
-
Save potetisensei/1fadf6c6f91adc976da3 to your computer and use it in GitHub Desktop.
Written by @nk0t
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <signal.h> | |
| #include <string.h> | |
| int lastrand; | |
| void (*exit_func)(); | |
| void do_exit(int arg_0) | |
| { | |
| int exit_num = arg_0 & 0xff; | |
| puts("Did you forget to read the flag with your shellcode?"); | |
| puts("Exiting"); | |
| exit(exit_num); | |
| } | |
| void sig_alarm_handler(int sig) | |
| { | |
| puts("Connection idle, closing."); | |
| exit(1); | |
| } | |
| int mysrand(int seed) | |
| { | |
| lastrand = seed - 1; | |
| return lastrand; | |
| } | |
| int myrand(void) | |
| { | |
| int r; | |
| r = lastrand*8-lastrand; | |
| r = r*8+lastrand; | |
| r = r*2; | |
| r = lastrand+r; | |
| r = r<<4; | |
| r = r-lastrand; | |
| r = r*2; | |
| r = r-lastrand; | |
| r = r+0xe60; | |
| r = r&0x7fffffff; | |
| lastrand = r-1; | |
| return r; | |
| } | |
| int randrange(int min, int max) | |
| { | |
| int difference = max - min; | |
| return (myrand() % (difference+1)) + min; | |
| } | |
| int get_my_line(char *buff, int sz) | |
| { | |
| char ch_0; | |
| int counter = 0; | |
| int readbytes = -1; | |
| while(counter != sz) | |
| { | |
| if(ch_0 == -1) | |
| { | |
| break; | |
| } | |
| ch_0 = getc(stdin); | |
| if(ch_0 != -1) | |
| { | |
| buff[counter] = ch_0 & 0xff; | |
| } | |
| if(buff[counter]==0xa) | |
| { | |
| counter += 1; | |
| break; | |
| } | |
| counter += 1; | |
| } | |
| return counter; | |
| } | |
| int main() | |
| { | |
| setvbuf(stdout, 0, 2, 0); | |
| signal(SIGALRM, sig_alarm_handler); | |
| alarm(0x5a); | |
| mysrand(0x1234); | |
| puts("Welcome to your first heap overflow..."); | |
| puts("I am going to allocate 20 objects..."); | |
| puts("Using Dougle Lee Allocator 2.6.1...\nGoodluck!\n"); | |
| exit_func = do_exit; | |
| printf("Exit function pointer is at %X address.\n", (unsigned int)exit_func); | |
| int i; // 0x133c | |
| int *loc_table[0x14]; | |
| int size_table[0x14]; | |
| for(i=0; i<=0x13; i++) | |
| { | |
| int alloc_size;// 0x1338 | |
| alloc_size = randrange(0x200, 0x500); | |
| if(i == 0x0a) | |
| { | |
| alloc_size = 0x104; | |
| } | |
| loc_table[i] = malloc(alloc_size); | |
| size_table[i] = alloc_size; | |
| printf("[ALLOC][loc=%X][size=%d]\n", (unsigned int)loc_table[i], alloc_size); | |
| } | |
| printf("Write to object [size=%d]:\n", size_table[0xa]); | |
| char buff[0x330]; | |
| int count = get_my_line(buff, 0x1000); | |
| memcpy(loc_table[0xa], buff, count); | |
| printf("Copied %d bytes.\n", count); | |
| for(i=0; i<=0x13; i++) | |
| { | |
| printf("[FREE][address=%X]\n", (unsigned int)loc_table[i]); | |
| free(loc_table[i]); | |
| } | |
| exit_func(1); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment