| #include <stdio.h> | |
| #include <string.h> | |
| #include <stdlib.h> | |
| #include <stdbool.h> | |
| #include <stdint.h> | |
| struct person { | |
| int age; | |
| char *name; | |
| void (*func_ptr)(struct person*); | |
| }; | |
| struct blob { | |
| char data[12]; | |
| }; | |
| void print_name(struct person *ptr) | |
| { | |
| printf("Your Person's name: %s\n",ptr->name); | |
| return; | |
| } | |
| void win() | |
| { | |
| puts("You win"); | |
| system("/bin/sh"); | |
| } | |
| int main(int argc, char **argv) | |
| { | |
| //Allocate our person | |
| struct person *my_person = (struct person*) malloc(sizeof(struct person)); | |
| //Fill out struct information | |
| my_person->age = 23; | |
| my_person->name = malloc(7); | |
| strncpy(my_person->name,"Robert\x00",7); | |
| my_person->func_ptr = &print_name; | |
| //Print heap address of Person | |
| printf("Addr of person: 0x%x\n", my_person); | |
| printf("Size of object: %d\n", sizeof(struct person)); | |
| //Execute the function pointer that will print our person's name | |
| my_person->func_ptr(my_person); | |
| //Free person but keep ptr to it | |
| free(my_person); | |
| //Allocate blobs to try and fill freed space now | |
| struct blob *my_blob = (struct blob*) malloc(sizeof(struct blob)); | |
| printf("Addr of blob: 0x%x\n", my_blob); | |
| bool replaced = false; | |
| for(int i = 0; i < 20; i++) { | |
| if(my_blob->data[i] == 'R' && my_blob->data[i+1] == 'o'){ | |
| puts("We replaced the freed object with a blob!"); | |
| replaced = true; | |
| } | |
| printf("%x\n",my_blob->data[i]); | |
| } | |
| if(!replaced) { | |
| puts("We did NOT replace the freed object!"); | |
| return -1; | |
| } | |
| //Use our blob to overwrite the func_ptr to win | |
| my_blob->data[8] = &win; | |
| //Use the ptr after it has been freed and now call system! | |
| my_person->func_ptr(my_person); | |
| read(); | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment