authorZi Zhou <zzhou007@ucr.edu>2017-01-14 16:41:16 -0800
committerGitHub <noreply@github.com>2017-01-14 16:41:16 -0800
commit6819d790ba65c26d95d7d9e4a053f946a4489765 (patch)
treeeaaf3c4fb0a016ef4ef3172f6a6440f5867a144a
parentb123072d22716da5f745335faf823c23d2516994 (diff)
Add files via upload
-rw-r--r--lab1-2/2016-09-30-140359_751x518_scrot.pngbin0 -> 46758 bytes
-rw-r--r--lab1-2/UAF.c99
-rw-r--r--lab1-2/vul_list.c105
3 files changed, 204 insertions, 0 deletions
diff --git a/lab1-2/2016-09-30-140359_751x518_scrot.png b/lab1-2/2016-09-30-140359_751x518_scrot.png
new file mode 100644
index 0000000..4a93d40
--- /dev/null
+++ b/lab1-2/2016-09-30-140359_751x518_scrot.png
Binary files differ
diff --git a/lab1-2/UAF.c b/lab1-2/UAF.c
new file mode 100644
index 0000000..92775cf
--- /dev/null
+++ b/lab1-2/UAF.c
@@ -0,0 +1,99 @@
+#include <sys/mman.h>
+#include <unistd.h>
+ #include <sys/types.h>
+
+//void add_to_tail(void* preferred_addr, int data, void* next, )
+
+typedef struct
+{
+ int data;
+ void (*fp)(int);
+}obj1;
+
+typedef struct
+{
+ void (*fp)(int);
+ int data;
+}obj2;
+
+//typedef struct obj2 my_obj;
+obj1* obj_ptr1;
+obj2* obj_ptr2;
+obj2* last_obj_ptr;
+
+void print_data(int data)
+{
+ printf("cur_data: %d\n", data);
+}
+
+void back_door(int data)
+{
+ char* arg[]={"/system/bin/sh",NULL};
+ execv("/system/bin/sh",arg);
+}
+
+obj2* alloc_a(int data) {
+ obj_ptr2 = malloc(sizeof(obj2));
+ obj_ptr2->data = data;
+ obj_ptr2->fp = &print_data;
+ return obj_ptr2;
+}
+
+obj2* alloc_b(int data) {
+ obj_ptr1 = malloc(sizeof(obj1));
+ obj_ptr1->data = data;
+ obj_ptr1->fp = &print_data;
+ return obj_ptr1;
+}
+
+void call_func_ptr(obj2* local_obj_ptr)
+{
+ printf("data: %d %p\n",local_obj_ptr->data, local_obj_ptr->fp);
+ (*(local_obj_ptr->fp))(local_obj_ptr->data);
+}
+
+int main(int argc, char** args){
+ int opt;
+ int data;
+ obj2* local_obj_ptr_a;
+ obj2* local_obj_ptr_b;
+ printf("Option menu:\n[1] create a node_a;\n[2] create a node_b;\n[3] free a node_a;\n[4] free a node_b;\n[5] print node_a data;\n[6] print node_b data;\n[7] exit;\n");
+ printf("back_door addr: %p\n", &back_door);
+ while(1){
+ printf("Input option: ");
+ scanf("%d", &opt);
+ switch(opt){
+ case 1:
+ printf("Input data: ");
+ scanf("%d", &data);
+ local_obj_ptr_a = alloc_a(data);
+ break;
+ case 2:
+ printf("Input data: ");
+ scanf("%d", &data);
+ local_obj_ptr_b = alloc_b(data);
+ break;
+ case 3:
+ free(local_obj_ptr_a);
+ break;
+ case 4:
+ free(local_obj_ptr_b);
+ break;
+ case 5:
+ call_func_ptr(local_obj_ptr_a);
+ break;
+ case 6:
+ call_func_ptr(local_obj_ptr_b);
+ break;
+ case 7:
+ if(argc == 0) {
+ back_door(0);
+ }
+ return 0;
+ default:
+ break;
+ }
+ }
+ return 0;
+}
+
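Review bot: UAF.c calls `printf`, `scanf`, `malloc` and `free` but includes only `<sys/mman.h>`, `<unistd.h>` and `<sys/types.h>`, so those functions are implicitly declared; add `#include <stdio.h>` and `#include <stdlib.h>`, as vul_list.c in this commit already does. In `main`, `local_obj_ptr_a` and `local_obj_ptr_b` are never initialised, so choosing options 3–6 before 1/2 hands an indeterminate pointer to `free` or `call_func_ptr`; declare them as `obj2* local_obj_ptr_a = NULL;` and likewise for `_b`. The `scanf` return values are also ignored, so non-numeric input leaves `opt` unchanged and the menu loop spins. If the pointers left dangling after `free` and the `obj1`/`obj2` mismatch in `alloc_b` (declared `obj2*`, returns `obj_ptr1`) are the intended lab flaws, the file should open with a comment saying so and stating that the program is for an isolated training environment only, which would also let readers tell the deliberate flaws from the accidental ones.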
diff --git a/lab1-2/vul_list.c b/lab1-2/vul_list.c
new file mode 100644
index 0000000..e8a65c1
--- /dev/null
+++ b/lab1-2/vul_list.c
@@ -0,0 +1,105 @@
+#include <sys/mman.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+int backdoor = 0;
+
+struct node {
+ int prio;
+ struct node* next;
+ struct node* prev;
+};
+
+struct prio_list {
+ struct node* first;
+};
+
+struct prio_list zlist;
+
+void add_to_tail(struct node* new_node, struct node* node_after) {
+ struct node* node_before = node_after->prev;
+ new_node->next = node_after;
+ new_node->prev = node_before;
+ node_before->next = new_node;
+ node_after->prev = new_node;
+}
+
+void add_node(struct node* new_node) {
+ struct node* cur = zlist.first;
+ struct node* node_before = zlist.first->prev; //last
+ bool new_node_the_largest = 1;
+ do {
+ if(cur->prio > new_node->prio) {
+ node_before = cur->prev;
+ new_node_the_largest = 0;
+ break;
+ }
+ cur = cur->next;
+ }
+ while(cur != zlist.first);
+
+ add_to_tail(new_node, cur);
+ if(cur == zlist.first && new_node_the_largest == 0) { // new node needs to be inserted in the front
+ zlist.first = new_node;
+ }
+}
+
+struct node* alloc(int prio)
+{
+ struct node* new_node = malloc(sizeof(struct node));
+ new_node->prio = prio;
+ return new_node;
+}
+
+void main(int argc, char** argv) {
+ struct node* a_node = malloc(sizeof(struct node));
+ a_node->prio = 0;
+ a_node->prev = a_node;
+ a_node->next = a_node;
+ zlist.first = a_node;
+
+ int opt;
+ printf("Option menu:\n[1] add a node;\n[2] changing the prev pointer of the last node;\n[3] debugging feature (disabled);\n[4] exit;\n");
+ while(1){
+ printf("Input option: ");
+ scanf("%d", &opt);
+ char prev_str[20];
+ int prev;
+ switch(opt){
+ case 1:
+ printf("Input priority of the new node: ");
+ int prio;
+ scanf("%d", &prio);
+ struct node* new_node = alloc(prio);
+ add_node(new_node);
+ printf("Address: %p\n", new_node);
+ break;
+ case 2:
+ printf("Input the new prev pointer of the last node: ");
+ scanf("%10s", prev_str);
+ prev = (int)strtol(prev_str, NULL, 0);
+ printf("prev pointer: %x\n", prev);
+ zlist.first->prev->prev = (struct node*)prev;
+ break;
+ case 3:
+ printf("backdoor: %d\n", backdoor);
+ if(backdoor) {
+ printf("debugging feature is enabled, will give a root shell\n");
+ execve("/bin/sh", NULL, NULL);
+ }
+ else {
+ printf("I'm sorry this feature is disabled\n");
+ }
+ break;
+ case 4:
+ return;
+ default:
+ break;
+ }
+ }
+
+
+}
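Review bot: Option 2 in `main` stores the `strtol` result in an `int` and casts it to `struct node*`, which is only meaningful where a pointer fits in `int`; state the 32-bit assumption in a header comment or enforce it with `_Static_assert(sizeof(void *) == sizeof(int), "lab assumes 32-bit pointers");`. `main` is declared `void main` where it should be `int main` returning a status, the `malloc` results in `alloc` and `main` are dereferenced unchecked, and the ignored `scanf` return values mean non-numeric input leaves `opt` unchanged so the menu loops forever. `execve("/bin/sh", NULL, NULL)` passes a NULL argv, which is non-portable; pass an explicit `{"/bin/sh", NULL}` array as `back_door` in UAF.c does. The user-controlled `prev` write and the `backdoor` flag appear to be the deliberate flaws of the exercise, so the file should open with a comment saying the program is intentionally vulnerable, is meant to run only in an isolated lab, and must never be installed with elevated privileges.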