SHARE
TWEET

Untitled

a guest Jun 8th, 2016 1,383 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #include <stdio.h>
  2. #include <string.h>
  3. #include <stdint.h>
  4. #include <sys/mman.h>
  5. #define HEAP_SIZE 128
  6. #define MMAP_ADDRESS 0xFFFF1000
  7. int main(void)
  8. {
  9.     unsigned char* heap_start, *heap_end;
  10.     char b[0xFFFF]; /* This is the buffer the attacker sent */
  11.     uint16_t bsize = 0xFFFF; /* And this is the size of that buffer */
  12.     memset(b, 0xAA, bsize);
  13.  
  14.     /* We want to make a copy of it, so allocate some memory */
  15.     /* This is usually done with malloc, but for demonstration purposes mmap() is used here */
  16.     heap_start = mmap((void*)MMAP_ADDRESS, HEAP_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
  17.  
  18.     if ( heap_start != (void*)MMAP_ADDRESS)
  19.     {
  20.         printf("Error allocating memory\n");
  21.         return 1;
  22.     }
  23.  
  24.     /* Determine the address of the end of the buffer */
  25.     heap_end = heap_start + HEAP_SIZE;
  26.  
  27.     /* Check if the attacker-supplied size fits within our buffer */
  28.     if ( heap_start + bsize < heap_end )
  29.     {
  30.         /* Input buffer seems to fit within our heap-allocated buffer.. or so it seems */
  31.  
  32.         /* Segmentation fault */
  33.         memcpy(heap_start, b, bsize);
  34.     }
  35. }
RAW Paste Data
Top