-rw-r--r-- | lab1-2/2016-09-30-140359_751x518_scrot.png | bin | 0 -> 46758 bytes | |||
-rw-r--r-- | lab1-2/UAF.c | 99 | ||||
-rw-r--r-- | lab1-2/vul_list.c | 105 |
3 files changed, 204 insertions, 0 deletions
diff --git a/lab1-2/2016-09-30-140359_751x518_scrot.png b/lab1-2/2016-09-30-140359_751x518_scrot.png
Binary files differ
new file mode 100644
index 0000000..4a93d40
--- /dev/null
+++ b/lab1-2/2016-09-30-140359_751x518_scrot.png
diff --git a/lab1-2/UAF.c b/lab1-2/UAF.c
new file mode 100644
index 0000000..92775cf
--- /dev/null
+++ b/lab1-2/UAF.c
@@ -0,0 +1,99 @@
+#include <sys/mman.h>
+#include <unistd.h>
+ #include <sys/types.h>
+
+//void add_to_tail(void* preferred_addr, int data, void* next, )
+
+typedef struct
+{
+ int data;
+ void (*fp)(int);
+}obj1;
+
+typedef struct
+{
+ void (*fp)(int);
+ int data;
+}obj2;
+
+//typedef struct obj2 my_obj;
+obj1* obj_ptr1;
+obj2* obj_ptr2;
+obj2* last_obj_ptr;
+
+void print_data(int data)
+{
+ printf("cur_data: %d\n", data);
+}
+
+void back_door(int data)
+{
+ char* arg[]={"/system/bin/sh",NULL};
+ execv("/system/bin/sh",arg);
+}
+
+obj2* alloc_a(int data) {
+ obj_ptr2 = malloc(sizeof(obj2));
+ obj_ptr2->data = data;
+ obj_ptr2->fp = &print_data;
+ return obj_ptr2;
+}
+
+obj2* alloc_b(int data) {
+ obj_ptr1 = malloc(sizeof(obj1));
+ obj_ptr1->data = data;
+ obj_ptr1->fp = &print_data;
+ return obj_ptr1;
+}
+
+void call_func_ptr(obj2* local_obj_ptr)
+{
+ printf("data: %d %p\n",local_obj_ptr->data, local_obj_ptr->fp);
+ (*(local_obj_ptr->fp))(local_obj_ptr->data);
+}
+
+int main(int argc, char** args){
+ int opt;
+ int data;
+ obj2* local_obj_ptr_a;
+ obj2* local_obj_ptr_b;
+ printf("Option menu:\n[1] create a node_a;\n[2] create a node_b;\n[3] free a node_a;\n[4] free a node_b;\n[5] print node_a data;\n[6] print node_b data;\n[7] exit;\n");
+ printf("back_door addr: %p\n", &back_door);
+ while(1){
+ printf("Input option: ");
+ scanf("%d", &opt);
+ switch(opt){
+ case 1:
+ printf("Input data: ");
+ scanf("%d", &data);
+ local_obj_ptr_a = alloc_a(data);
+ break;
+ case 2:
+ printf("Input data: ");
+ scanf("%d", &data);
+ local_obj_ptr_b = alloc_b(data);
+ break;
+ case 3:
+ free(local_obj_ptr_a);
+ break;
+ case 4:
+ free(local_obj_ptr_b);
+ break;
+ case 5:
+ call_func_ptr(local_obj_ptr_a);
+ break;
+ case 6:
+ call_func_ptr(local_obj_ptr_b);
+ break;
+ case 7:
+ if(argc == 0) {
+ back_door(0);
+ }
+ return 0;
+ default:
+ break;
+ }
+ }
+ return 0;
+}
+
diff --git a/lab1-2/vul_list.c b/lab1-2/vul_list.c
new file mode 100644
index 0000000..e8a65c1
--- /dev/null
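Review bot: `main` declares `local_obj_ptr_a` and `local_obj_ptr_b` without initialisers, so choosing options 3–6 before 1 or 2 frees or dereferences an indeterminate pointer; that is undefined behaviour on top of the use-after-free the file name suggests the lab is about, and it makes runs hard to reproduce. Initialise both, e.g. `obj2* local_obj_ptr_a = NULL;`, and add `#include <stdio.h>` and `#include <stdlib.h>`, because `printf`, `scanf`, `malloc` and `free` are otherwise implicitly declared. The return value of `scanf("%d", &opt)` is ignored here and in `main` of vul_list.c, so on EOF or non-numeric input `opt` is stale or indeterminate and the loop can spin; `if (scanf("%d", &opt) != 1) return 0;` (plain `return;` in vul_list.c) ends the run cleanly. `alloc_b` returns an `obj1*` as `obj2*` although the two structs order their fields differently, and cases 3 and 4 keep the pointer after `free`; if both are deliberate, a header comment such as `/* INTENTIONALLY VULNERABLE: training target, do not reuse */` plus a one-line marker at each site would keep the pattern from being copied, and outside a lab the fix is to assign `NULL` after each `free`.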
+++ b/lab1-2/vul_list.c 
@@ -0,0 +1,105 @@
+#include <sys/mman.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+int backdoor = 0;
+
+struct node {
+ int prio;
+ struct node* next;
+ struct node* prev;
+};
+
+struct prio_list {
+ struct node* first;
+};
+
+struct prio_list zlist;
+
+void add_to_tail(struct node* new_node, struct node* node_after) {
+ struct node* node_before = node_after->prev;
+ new_node->next = node_after;
+ new_node->prev = node_before;
+ node_before->next = new_node;
+ node_after->prev = new_node;
+}
+
+void add_node(struct node* new_node) {
+ struct node* cur = zlist.first;
+ struct node* node_before = zlist.first->prev; //last
+ bool new_node_the_largest = 1;
+ do {
+ if(cur->prio > new_node->prio) {
+ node_before = cur->prev;
+ new_node_the_largest = 0;
+ break;
+ }
+ cur = cur->next;
+ }
+ while(cur != zlist.first);
+
+ add_to_tail(new_node, cur);
+ if(cur == zlist.first && new_node_the_largest == 0) { // new node needs to be inserted in the front
+ zlist.first = new_node;
+ }
+}
+
+struct node* alloc(int prio)
+{
+ struct node* new_node = malloc(sizeof(struct node));
+ new_node->prio = prio;
+ return new_node;
+}
+
+void main(int argc, char** argv) {
+ struct node* a_node = malloc(sizeof(struct node));
+ a_node->prio = 0;
+ a_node->prev = a_node;
+ a_node->next = a_node;
+ zlist.first = a_node;
+
+ int opt;
+ printf("Option menu:\n[1] add a node;\n[2] changing the prev pointer of the last node;\n[3] debugging feature (disabled);\n[4] exit;\n");
+ while(1){
+ printf("Input option: ");
+ scanf("%d", &opt);
+ char prev_str[20];
+ int prev;
+ switch(opt){
+ case 1:
+ printf("Input priority of the new node: ");
+ int prio;
+ scanf("%d", &prio);
+ struct node* new_node = alloc(prio);
+ add_node(new_node);
+ printf("Address: %p\n", new_node);
+ break;
+ case 2:
+ printf("Input the new prev pointer of the last node: ");
+ scanf("%10s", prev_str);
+ prev = (int)strtol(prev_str, NULL, 0);
+ printf("prev pointer: %x\n", prev);
+ zlist.first->prev->prev = (struct node*)prev;
+ break;
+ case 3:
+ printf("backdoor: %d\n", backdoor);
+ if(backdoor) {
+ printf("debugging feature is enabled, will give a root shell\n");
+ execve("/bin/sh", NULL, NULL);
+ }
+ else {
+ printf("I'm sorry this feature is disabled\n");
+ }
+ break;
+ case 4:
+ return;
+ default:
+ break;
+ }
+ }
+
+
+} |
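Review bot: `add_to_tail` reads `node_after->prev` and then writes `node_before->next = new_node` without checking that the neighbour still links back, while case 2 of `main` stores a user-supplied value into the last node's `prev`, so a later insert can write through an address taken from input. If that is the intended lab flaw, say so in a comment above `add_to_tail`; the defensive counterpart, worth naming in the same comment, is a consistency check before linking, such as `if (node_before->next != node_after) abort();`. Case 2 also narrows the `strtol` result to `int` before casting it to `struct node*`, which truncates on 64-bit targets; `(struct node*)(uintptr_t)strtoul(prev_str, NULL, 0)` with `<stdint.h>` keeps the full width, assuming the lab is not meant to be 32-bit only. Smaller points: `void main` should be `int main`, `node_before` in `add_node` is assigned but never read, and neither `malloc` result is checked before use.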