#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/*
 * Benign branch of the demo: writes the greeting to stdout and returns 0.
 * argc and argv are accepted only so that the signature matches evil();
 * neither is read.
 */
int good(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    fputs("Hello world!\n", stdout);
    return 0;
}
/*
 * Alternate branch of the demo. It only prints text and sleeps; it opens,
 * changes and deletes nothing. Its messages are stored as raw byte arrays
 * and its library calls go through function pointers, so neither the text
 * nor the calls appear in this function in plain form. The decoded text is
 * given next to each array for the reader.
 *
 * argc and argv are not read. Always returns 0.
 */
int evil(int argc, char *argv[])
{
    /* Indirection table: printf and usleep are reached through these slots. */
    typedef struct {
        int (*print)(const char *fmt, ...);
        int (*nap)(useconds_t usec);
    } calls_t;
    calls_t call = { printf, usleep };

    /* Decodes to "You have been pwned\nDeleting all files\n\n". */
    const char banner[] = {
        0x59, 0x6f, 0x75, 0x20, 0x68, 0x61, 0x76, 0x65, 0x20, 0x62, 0x65, 0x65, 0x6e, 0x20,
        0x70, 0x77, 0x6e, 0x65, 0x64, 0x0a, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x69, 0x6e, 0x67,
        0x20, 0x61, 0x6c, 0x6c, 0x20, 0x66, 0x69, 0x6c, 0x65, 0x73, 0xa, 0xa, 0x00
    };

    /*
     * Decodes to "\x1b[1FProgress %3i%%...\n". The leading ESC [ 1 F moves
     * the cursor to the start of the previous line, so each update is drawn
     * over the last one.
     */
    const char progress[] = {
        0x1b, 0x5b, 0x31, 0x46, 0x50, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x20, 0x25,
        0x33, 0x69, 0x25, 0x25, 0x2e, 0x2e, 0x2e, 0xa, 0x00
    };

    /* Decodes to "LOL, just kidding, bye.\n". */
    const char farewell[] = {
        0x4c, 0x4f, 0x4c, 0x2c, 0x20, 0x6a, 0x75, 0x73, 0x74, 0x20, 0x6b, 0x69, 0x64, 0x64,
        0x69, 0x6e, 0x67, 0x2c, 0x20, 0x62, 0x79, 0x65, 0x2e, 0xa, 0x00
    };

    /* The format arguments are fixed local arrays, never caller input. */
    call.print(banner);

    /* Count 0..100 inclusive, pausing 25000 microseconds after each line. */
    int pct = 0;
    while (pct <= 100) {
        call.print(progress, pct);
        call.nap(25000);
        pct++;
    }

    call.print(farewell);
    return 0;
}
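/*
 * Entry point: opens this program's own executable (argv[0]), samples one
 * byte at each offset in addrs[], and runs evil() when the first sampled
 * byte is 0xff, good() otherwise.
 *
 * Security relevance: the branch taken depends on the bytes of the file
 * itself, not on any input. Per the comment at the comparison, the tested
 * byte is one that differs between the two files of a hash collision, so
 * two executables sharing a digest can still behave differently. A digest
 * match therefore says nothing about behaviour unless the hash function is
 * collision-resistant.
 *
 * Returns the result of good() or evil(), or EXIT_FAILURE when the
 * executable cannot be opened for reading.
 */
int main(int argc, char *argv[])
{
    /*
     * File offsets sampled from the executable. Presumably these are the
     * positions where the colliding files differ; they depend on the
     * compiled layout, so confirm them against the built binaries.
     */
    static const long addrs[] = {
        0x00000693,
        0x000006ad,
        0x000006ae,
        0x000006bb,
        0x000006d3,
        0x000006ed,
        0x000006ee,
        0x000006fb
    };
    enum { NUM_ADDRS = sizeof addrs / sizeof addrs[0] };
    int bytes[NUM_ADDRS];

    /* argv[0] may be absent (argc == 0) or may not name a readable file. */
    if (argc < 1 || argv[0] == NULL) {
        fprintf(stderr, "cannot determine executable path\n");
        return EXIT_FAILURE;
    }

    FILE *self = fopen(argv[0], "rb");
    if (self == NULL) {
        /* The original dereferenced the NULL stream in fseek() here. */
        perror(argv[0]);
        return EXIT_FAILURE;
    }

    for (size_t i = 0; i < NUM_ADDRS; i++) {
        /*
         * A failed seek or a read past end of file stores EOF, which never
         * equals 0xff, so such a byte selects the good() branch below.
         */
        if (fseek(self, addrs[i], SEEK_SET) != 0) {
            bytes[i] = EOF;
        } else {
            bytes[i] = fgetc(self);
        }
    }
    fclose(self);

    /* Toggle this value according to the first _differing_ byte in the collision. */
    if (bytes[0] == 0xff) {
        return evil(argc, argv);
    }
    return good(argc, argv);
}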