#include <stdlib.h> // pulls in declaration of malloc, free
#include <string.h> // pulls in declaration for strlen.
#include <stdio.h> // pulls in printf
// Layout shared by every scenario below: a 10-byte inline buffer followed by
// a heap pointer.  The tests write past the end of arr1 on purpose, intending
// the out-of-bounds bytes to land in arr2 (per the comments in the callers,
// in the pointer's MTE tag byte -- presumably the top byte on AArch64).
// NOTE(review): on a typical LP64 target arr2 is 8-byte aligned, so it starts
// at offset 16, not 10; arr1 indices 10..15 land in padding and only 16..23
// reach arr2 (23 being its top byte).  Confirm the target ABI / packing
// before relying on the index 11 that the callers pass.
struct S
{
char arr1[10]; // inline buffer; indices >= 10 are the intra-object overflow
char* arr2;    // heap pointer the overflow is meant to corrupt
};
// Store val at byte offset id from p.  Deliberately unbounded: the callers
// pass out-of-range offsets (including wrapped negatives) to provoke the
// memory errors under test, so no check is performed here.
void setVal(char* p, size_t id, char val)
{
    char* slot = p + id;
    *slot = val;
}
// Increment the byte at offset id from p by one.  Like setVal, this performs
// no bounds check by design; the offset is whatever the caller chose.
void incVal(char* p, size_t id)
{
    char* slot = p + id;
    *slot = (char)(*slot + 1);
}
// "Listing 1" scenario (see main): write a 0 through arr1 at ind1 -- intended
// to zero the tag byte of arr2 -- then write val through arr2 at ind2, which
// main sets to -16, i.e. 16 bytes before the start of the malloc'd block
// (presumably the allocator's chunk metadata).  Both stores are deliberate
// undefined behaviour; that is the point of the test.
// NOTE(review): with ind1 = 11 and a typical LP64 layout the first store hits
// struct padding, not arr2 (arr2 starts at offset 16).  See struct S.
// NOTE(review): malloc is unchecked and the block is never freed -- fine for
// a PoC, not a pattern to copy.
void src_code(int ind1, int ind2, char val)
{
struct S obj;
obj.arr2 = (char*) malloc(20);
// over writing tag to 0 (intended; index 11 may only reach padding, see above):
obj.arr1[ind1] = 0;
// accessing metadata: ind2 is a plain int here, so -16 is a negative pointer
// offset (out of the allocated object -> UB), not a size_t wrap.
obj.arr2[ind2] = val;
}
// Use-after-free variant.  The local arr1 (unrelated to the field obj.arr1)
// is allocated, stored in obj.arr2, and freed while obj.arr2 still refers to
// it.  The code then bumps byte ind1 of obj.arr1 by one -- with ind1 = 11 from
// main, intended to reach arr2's tag byte via intra-object overflow so the
// dangling pointer's tag matches the re-tagged freed slot -- and writes
// through the dangling pointer.  The "_chromium" suffix presumably refers to
// an allocator that retags on free; not verifiable from this file.
// NOTE(review): same layout caveat as struct S -- on LP64 index 11 of arr1
// is padding, not arr2 (its top byte would be index 23).
// NOTE(review): malloc is unchecked; the dangling pointer is used on purpose.
void src_code_chromium(int ind1, int ind2, char val)
{
char* arr1 = (char*) malloc(64);
struct S obj;
obj.arr2 = arr1;
free(arr1);
// arr2 is now a dangling pointer
// increment the tag of arr2 using intra-object overflow:
obj.arr1[ind1] += 1;
// access freed memory (use-after-free write; UB by design):
obj.arr2[ind2] = val;
}
// Drives the three memory-error scenarios in sequence.  Every access below is
// intentional undefined behaviour; the expected outcome (fault or not) is
// only meaningful on a target with memory tagging enabled.
int main()
{
// Listing 1 using intra-object overflow:
struct S obj;
obj.arr2 = (char*) malloc(10); // NOTE(review): unchecked and never freed (PoC)
printf("Addr arr2 before overflow: %p \n", obj.arr2);
// Out-of-bounds write through the 10-byte arr1 at index 11, intended to
// clobber arr2 so the two prints differ.  NOTE(review): on a typical LP64
// target arr2 starts at offset 16 (arr1 padded to 8-byte alignment), so
// index 11 lands in padding and arr2 is unchanged; arr2's top byte is at
// index 23.  Confirm the layout on the target before reading the output.
setVal(obj.arr1, 11, 0);
printf("Addr arr2 after overflow: %p \n", obj.arr2);
// Write 16 bytes *before* the block returned by malloc -- presumably the
// allocator's chunk header for arr2's own allocation (the original comment
// said "arr1", but arr1 is the inline array).  -16 is converted to size_t
// by setVal's parameter and wraps to SIZE_MAX-15; the resulting access is
// UB even where it behaves like p - 16.
setVal(obj.arr2, -16, 10);
// Write 22 bytes past the end of the 10-byte block, into whatever heap chunk
// follows it.  Nothing has been freed at this point, so this is a heap
// overflow write, not a read of freed memory as the original comment said.
setVal(obj.arr2, 32, 10);
// Later: Listing 1 using type confusion, then the use-after-free variant.
src_code(11, -16, 7);
src_code_chromium(11, 0, 10);
return 0;
}