Last active
October 27, 2016 01:50
-
-
Save tophyr/353c3b36f7bc8b23c8970e4e606fe1e1 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <string.h> | |
| #include <dlfcn.h> | |
| #include <netdb.h> | |
| #include <sys/mman.h> | |
| #include <unistd.h> | |
| #include <stdio.h> | |
| static int __attribute__ ((noinline)) foo() { | |
| return 1; | |
| } | |
| int main() { | |
| uintptr_t victim = (uintptr_t)gai_strerror(EAI_NONAME); | |
| int victim_len = strlen((char*)victim); | |
| char* backup = new char[victim_len + 1]; | |
| memcpy(backup, (void*)victim, victim_len + 1); | |
| uintptr_t page_offset = victim % getpagesize(); | |
| int err = mprotect((void*)(victim - page_offset), getpagesize(), PROT_READ | PROT_WRITE); | |
| char* test = (char*)victim; | |
| test[0] = 0; | |
| memcpy(&test[1], (void*)&foo, victim_len); | |
| // as of here, test will not have updated data. the previous two lines will not have actually written anything. | |
| err = mprotect((void*)(victim - page_offset), getpagesize(), PROT_READ | PROT_EXEC); | |
| int foo_ret = ((int (*)())(victim + 1))(); | |
| memcpy((void*)victim, backup, victim_len + 1); | |
| err = mprotect((void*)(victim - page_offset), getpagesize(), PROT_READ | PROT_WRITE); | |
| printf("foo_ret: %d\n", foo_ret); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment