Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #include <stdio.h>
- #include <string.h>
- #include <stdint.h>
- #include <sys/mman.h>
- #define HEAP_SIZE 128
- #define MMAP_ADDRESS 0xFFFF1000
- int main(void)
- {
- unsigned char* heap_start, *heap_end;
- char b[0xFFFF]; /* This is the buffer the attacker sent */
- uint16_t bsize = 0xFFFF; /* And this is the size of that buffer */
- memset(b, 0xAA, bsize);
- /* We want to make a copy of it, so allocate some memory */
- /* This is usually done with malloc, but for demonstration purposes mmap() is used here */
- heap_start = mmap((void*)MMAP_ADDRESS, HEAP_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
- if ( heap_start != (void*)MMAP_ADDRESS)
- {
- printf("Error allocating memory\n");
- return 1;
- }
- /* Determine the address of the end of the buffer */
- heap_end = heap_start + HEAP_SIZE;
- /* Check if the attacker-supplied size fits within our buffer */
- if ( heap_start + bsize < heap_end )
- {
- /* Input buffer seems to fit within our heap-allocated buffer.. or so it seems */
- /* Segmentation fault */
- memcpy(heap_start, b, bsize);
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
