Mathy Vanhoef vanhoefm
vanhoefm
/ gist:5281095
Last active
December 15, 2015 15:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| int __cdecl handle_plant_creation(int a1) | |
| { | |
| [..] | |
| plant_info = (char *)(a1 + 112 * plantid); | |
| [..] | |
| ask_for_string((int)"Insert name: ", &entered_plant_name, 0x70u); | |
| *((_WORD *)plant_info + 55) = v9; | |
| *((_WORD *)plant_info + 50) = gen_random_num(150, 500); | |
| *((_WORD *)plant_info + 51) = gen_random_num(15, 100); | |
| *((_WORD *)plant_info + 52) = gen_random_num(250, 800); |
vanhoefm
/ gist:5072579
Last active
December 14, 2015 10:29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cd ~ | |
| wget http://www.kernel.org/pub/linux/kernel/projects/backports/stable/v3.9-rc4/compat-drivers-3.9-rc4-2-su.tar.bz2 | |
| tar -xvf compat-drivers-3.9-rc4-2-su.tar.bz2 | |
| cd compat-drivers-3.9-rc4-2-su | |
| wget -Ocompatdrivers_chan_qos_frag.patch http://pastie.org/pastes/7977109/download | |
| patch -p1 < compatdrivers_chan_qos_frag.patch | |
| make | |
| make install |
vanhoefm
/ malloc\malloc.c
Last active
December 12, 2015 06:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| static void* _int_malloc(mstate av, size_t bytes) | |
| { | |
| INTERNAL_SIZE_T nb; /* normalized request size */ | |
| mchunkptr victim; /* inspected/selected chunk */ | |
| INTERNAL_SIZE_T size; /* its size */ | |
| mchunkptr remainder; /* remainder from a split */ | |
| unsigned long remainder_size; /* its size */ | |
| checked_request2size(bytes, nb); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| #include <stdlib.h> | |
| int main(int argc, char *argv[]) | |
| { | |
| char *buf1, *buf2, *buf3; | |
| if (argc != 4) return; | |
| buf1 = malloc(256); |
vanhoefm
/ malloc\malloc.c
Last active
December 12, 2015 02:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Take a chunk off a bin list */ | |
| void unlink(malloc_chunk *P, malloc_chunk *BK, malloc_chunk *FD) | |
| { | |
| FD = P->fd; | |
| BK = P->bk; | |
| if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) | |
| malloc_printerr(check_action,"corrupted double-linked list",P); | |
| else { | |
| FD->bk = BK; | |
| BK->fd = FD; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*notvuln.c*/ | |
| int main(int argc, char **argv[]) { | |
| char *buf; | |
| buf = (char*)malloc(1024); | |
| printf("buf=%p", buf); | |
| strcpy(buf, argv[1]); | |
| free(buf); | |
| } |
vanhoefm
/ malloc\malloc.c
Last active
December 11, 2015 08:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Take a chunk off a bin list */ | |
| void unlink(malloc_chunk *P, malloc_chunk *BK, malloc_chunk *FD) | |
| { | |
| FD = P->fd; | |
| BK = P->bk; | |
| FD->bk = BK; | |
| BK->fd = FD; | |
| } |
vanhoefm
/ heaplayout1.c
Created
January 19, 2013 23:09
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <string.h> | |
| #include <stdlib.h> | |
| #include <stdio.h> | |
| int main(int argc, char *argv[]) | |
| { | |
| char *buf1 = malloc(256); | |
| char *buf2 = malloc(512); | |
| char *buf3 = malloc(1024); | |
| char *top, *aftertop; |
vanhoefm
/ heapsploit1.c
Last active
December 11, 2015 00:09
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <string.h> | |
| #include <stdlib.h> | |
| #include <stdio.h> | |
| int main(int argc, char *argv[]) | |
| { | |
| char *buf1 = malloc(128); | |
| char *buf2 = malloc(256); | |
| read(fileno(stdin), buf1, 200); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| struct malloc_chunk { | |
| INTERNAL_SIZE_T prev_size; /* Size of previous chunk (if free). */ | |
| INTERNAL_SIZE_T size; /* Size in bytes, including overhead. */ | |
| struct malloc_chunk* fd; /* double links -- used only if free. */ | |
| struct malloc_chunk* bk; | |
| /* Only used for large blocks: pointer to next larger size. */ | |
| struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */ | |
| struct malloc_chunk* bk_nextsize; |