最简单的一道题，考点是UAF。说是UAF但是其实根本就不算是真正的UAF利用，无非就是对释放的内存块进行同大小的占位。因为程序中会把内存块的内容作为system函数的参数，所以只要重新占位并写入/bin/sh就可以了，这道题还是相当简单的。
// Decompiled (IDA-style) main of the "cosmic ray" challenge binary.
// Reads one integer from stdin and XOR-flips a single bit of process memory at
// the location that integer encodes: the low 3 bits select the bit inside the
// byte, the remaining bits (value >> 3) are the byte address. The 4 KiB page
// holding that byte is made writable around the flip and restored afterwards.
// Nothing validates the parsed value, so any page the process has mapped can be
// altered by one bit; in this write-up that is the intended primitive, in real
// code it is a memory-safety defect. v3..v6 are decompiler temporaries;
// bianhuan, buf and _bss_start are globals not declared in this listing.
int __cdecl main(int argc, const char **argv, const char **envp)
{
// Unbuffered output. IDA shows the stream symbol as _bss_start — presumably
// stdout; confirm against the binary.
setbuf(_bss_start, 0LL);
puts("THOU ART GOD, WHITHER CASTEST THY COSMIC RAY?");
// At most 49 characters of user input into the global buf; on EOF/error the
// whole body is skipped and main falls through to its end.
if ( fgets(&buf, 50, stdin) )
{
// Base 0: decimal, 0x-prefixed hex and 0-prefixed octal are all accepted.
// Neither a failed parse (strtol yields 0) nor ERANGE is checked.
v4 = strtol(&buf, 0LL, 0);
v5 = v4;        // copy kept for the bit-within-byte index below (v5 & 7)
v6 = v4 >> 3;   // byte address: the input is a bit index, eight bits per byte
// Page base of the target byte. v4 is the signed long from strtol, so a
// negative input is arithmetic-shifted before masking — presumably ends up
// as a high (kernel-range or unmapped) address; verify if it matters.
bianhuan = (v4 >> 3) & 0xFFFFFFFFFFFFF000LL;
// 7 == PROT_READ|PROT_WRITE|PROT_EXEC on Linux: the page becomes RWX, not
// merely writable. mprotect failing (for example on an unmapped page) is the
// only thing that prevents the write below.
if ( mprotect((void *)bianhuan, 4096uLL, 7) )
{
perror("mprotect1");
}
else
{
v3 = 1;   // set but never read in this listing; looks like a dropped return value — TODO confirm
// The one-bit flip: user-chosen byte, user-chosen bit. No bounds or sanity
// check on v6 precedes this write beyond the mprotect having succeeded.
*(_BYTE *)v6 ^= 1 << (v5 & 7);
// 5 == PROT_READ|PROT_EXEC: drop write permission again (page stays executable).
if ( mprotect((void *)bianhuan, 0x1000uLL, 5) )
{
perror("mprotect2");
}
else
{
puts("WAS IT WORTH IT???");
v3 = 0;   // "success" path; see note on v3 above
}
}
}
// No explicit return statement in the decompilation: falling off the end of
// main yields exit status 0 under C99 and later.
}