38 lines
1.1 KiB
C
38 lines
1.1 KiB
C
|
// usage: bufoverflow <filename>
|
||
|
|
//
|
||
|
|
// files with more than 512B content will cause overflows.
|
||
|
|
// smaller files work just fine.
|
||
|
|
|
||
|
|
#include <stdint.h>
|
||
|
|
#include <string.h>
|
||
|
|
#include <stdio.h>
|
||
|
|
|
||
|
|
/*
|
||
|
|
before exploit after exploit
|
||
|
|
|
||
|
|
+++++++++++++ +++++++++++++
|
||
|
|
+ saved RIP + <-- rbp+8 + &shellc +---\
|
||
|
|
+++++++++++++ +++++++++++++ |
|
||
|
|
+ saved RBP + <-- rbp + anything + |
|
||
|
|
+++++++++++++ +++++++++++++ |
|
||
|
|
+ + + + |
|
||
|
|
+ + + + |
|
||
|
|
... ... ... ... |
|
||
|
|
+ + + + |
|
||
|
|
+ (512 B) + + + |
|
||
|
|
+ array + <-- rbp-0x200 + shellcode +<--/
|
||
|
|
+++++++++++++ rsp +++++++++++++
|
||
|
|
*/
|
||
|
|
|
||
|
|
int mystr(char *fn) {
|
||
|
|
char mystr[512];
|
||
|
|
register FILE *f = fopen(fn, "rb");
|
||
|
|
fread(mystr, 1024, 1, f); // VULNERABLE! reading 1024B into 512B buf
|
||
|
|
return mystr[0];
|
||
|
|
}
|
||
|
|
|
||
|
|
int main(int argc, char *argv[]) {
|
||
|
|
if (argc != 2) { printf("too few args."); return 1; }
|
||
|
|
return mystr(argv[1]);
|
||
|
|
}
|