#include <stdio.h> | |
#include <string.h> | |
#include <stdlib.h> | |
#include <stdbool.h> | |
#include <stdint.h> | |
/*
 * Heap object used by the demo. The function pointer is stored inline in
 * the heap chunk, so whatever occupies that chunk after free() decides
 * where the call through func_ptr in main goes.
 */
struct person {
    int age;
    char *name;                          /* heap-allocated in main; never freed anywhere in this file */
    void (*func_ptr)(struct person*);    /* set to print_name in main, later called through a dangling pointer */
};
/*
 * Filler allocation: main allocates one of these immediately after freeing
 * a struct person, hoping the allocator hands back the same chunk.
 * NOTE(review): whether it does is allocator-specific (size classes,
 * tcache/fastbin behaviour); on a 64-bit target struct person is larger
 * than 12 bytes, so reuse of the same chunk is not guaranteed.
 */
struct blob {
    char data[12];
};
/*
 * Print the person's name to stdout. Reads ptr->name only; assumes ptr and
 * ptr->name are non-NULL and that name is NUL-terminated (no checks here).
 */
void print_name(struct person *ptr)
{
    const char *who = ptr->name;
    fprintf(stdout, "Your Person's name: %s\n", who);
}
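/*
 * Target function of the demo. Nothing in this file calls it directly; main
 * only takes its address, so reaching it means control flow was hijacked.
 * From a detection standpoint, a process that unexpectedly spawns /bin/sh
 * via system() is exactly the kind of event EDR/auditd rules alert on.
 * Parameter list changed from () to (void): in C11 an empty list declares
 * an unprototyped function, which the compiler cannot type-check.
 */
void win(void)
{
    puts("You win");
    /* Return value of system() is deliberately ignored (demo code). */
    system("/bin/sh");
}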
/*
 * Use-after-free demonstration (CWE-416). main allocates a struct person,
 * frees it while keeping the pointer, allocates a struct blob hoping to
 * land in the same chunk, writes into the blob, and finally calls through
 * the freed person's function pointer. Everything after free() is undefined
 * behaviour; the comments below mark each defect a reviewer would flag and
 * how it is caught or prevented in production code (ASan, NULL-after-free,
 * correct format specifiers, bounded loops).
 *
 * argc/argv are unused. Returns -1 when the allocator did not reuse the
 * freed chunk (the demo cannot proceed); otherwise falls off the end, which
 * is an implicit return 0 for main since C99.
 */
int main(int argc, char **argv)
{
    //Allocate our person
    struct person *my_person = (struct person*) malloc(sizeof(struct person));   /* cast is unnecessary in C; result not checked for NULL */
    //Fill out struct information
    my_person->age = 23;
    my_person->name = malloc(7);   /* unchecked allocation; never freed in this file */
    strncpy(my_person->name,"Robert\x00",7);   /* 7 bytes copied including the terminator, so name is NUL-terminated here */
    my_person->func_ptr = &print_name;
    //Print heap address of Person
    printf("Addr of person: 0x%x\n", my_person);   /* %x expects unsigned int; passing a pointer is UB and prints only part of it on 64-bit. %p is the matching specifier */
    printf("Size of object: %d\n", sizeof(struct person));   /* size_t needs %zu, not %d */
    //Execute the function pointer that will print our person's name
    my_person->func_ptr(my_person);
    //Free person but keep ptr to it
    free(my_person);   /* DEFECT: my_person stays live as a dangling pointer. Mitigation: set my_person = NULL here and never touch it again */
    //Allocate blobs to try and fill freed space now
    struct blob *my_blob = (struct blob*) malloc(sizeof(struct blob));   /* unchecked; whether this reuses the just-freed chunk is allocator-specific */
    printf("Addr of blob: 0x%x\n", my_blob);   /* same %x-with-pointer mismatch as above */
    bool replaced = false;
    for(int i = 0; i < 20; i++) {   /* data[] has 12 bytes but i reaches 19 and i+1 reaches 20: out-of-bounds heap read. The bytes are also uninitialised (malloc, not calloc) */
        if(my_blob->data[i] == 'R' && my_blob->data[i+1] == 'o'){
            puts("We replaced the freed object with a blob!");
            replaced = true;
        }
        printf("%x\n",my_blob->data[i]);   /* char promoted to int; where char is signed, bytes >= 0x80 print sign-extended (ffffffxx) */
    }
    if(!replaced) {
        puts("We did NOT replace the freed object!");
        return -1;
    }
    //Use our blob to overwrite the func_ptr to win
    my_blob->data[8] = &win;   /* a function pointer stored into a single char: the value is narrowed (compilers warn). The offset hard-codes one particular struct layout and pointer width */
    //Use the ptr after it has been freed and now call system!
    my_person->func_ptr(my_person);   /* USE-AFTER-FREE: loads a function pointer from a freed chunk and calls it. AddressSanitizer (-fsanitize=address) reports heap-use-after-free on this line; a NULL reset after free() would turn it into a plain NULL dereference */
    read();   /* no prototype (unistd.h is not included) and no arguments: implicit declaration, removed in C99 and rejected by current compilers. Presumably meant as a pause — getchar() would do */
}