#include "all.h"
#if 0
/* The next vsnprintf in link order after this override.  Left NULL here and
 * resolved lazily with dlsym(RTLD_NEXT, "vsnprintf") on the first call into
 * the vsnprintf hook below. */
int (*real_vsnprintf)(char *, size_t, const char *, va_list);
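/*
 * Return the loaded library whose mapped range [baseaddr, baseaddr + size)
 * contains addr, or NULL if no entry in the lib list covers it.
 *
 * Walks the list from lib_first() via lib_next().  The previous do/while
 * dereferenced the first entry before checking it, so an empty list
 * (lib_first() == NULL, if that can happen) was a NULL dereference; the
 * loop below tests the pointer first.
 */
library_info_t *find_owning_lib(uintptr_t addr)
{
    for (library_info_t *lib = lib_first(); lib != NULL; lib = lib_next(lib)) {
        /* Compare the offset against the size instead of forming
         * baseaddr + size, which could wrap for a mapping that ends at
         * the top of the address space. */
        if (addr >= lib->baseaddr && addr - lib->baseaddr < lib->size) {
            return lib;
        }
    }
    return NULL;
}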
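/*
 * Return true if addr lies inside the .rodata range of any library in the
 * lib list, i.e. within [baseaddr + rodata_off, baseaddr + rodata_off +
 * rodata_size) for some entry; false otherwise.
 *
 * Used by the vsnprintf hook to decide whether a format string is a
 * compile-time literal.  Note the answer is only as good as the lib list:
 * a library mapped after the list was built is not known here and its
 * literals would be reported as "not in rodata".
 *
 * The previous do/while dereferenced lib_first() before checking it for
 * NULL; the loop below tests the pointer first.
 */
bool addr_is_in_rodata(uintptr_t addr)
{
    for (library_info_t *lib = lib_first(); lib != NULL; lib = lib_next(lib)) {
        uintptr_t rodata_start = lib->baseaddr + lib->rodata_off;

        /* Offset-against-size form avoids wrap in start + size. */
        if (addr >= rodata_start && addr - rodata_start < lib->rodata_size) {
            return true;
        }
    }
    return false;
}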
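/* OVERRIDE: vsnprintf */
/*
 * Interposed vsnprintf (for LD_PRELOAD-style use: the real implementation is
 * resolved with dlsym(RTLD_NEXT, "vsnprintf") on the first call).
 *
 * Heuristic format-string-bug detector.  A format that contains no '%' at
 * all and does not live in any known library's .rodata is most likely a
 * runtime buffer that the caller passed as the *format* argument
 * (e.g. snprintf(buf, n, user_string)).  Such a call is reported with a
 * warning, the string and its address, the owning library if one is known,
 * and a backtrace; the call is then forwarded unchanged to the real
 * vsnprintf, so behaviour of the traced program is not altered.
 *
 * Caveats before trusting the output:
 *  - Only '%'-free formats are examined.  A non-literal format that does
 *    contain conversions (the case where an attacker-supplied "%n" matters)
 *    is not inspected here.
 *  - addr_is_in_rodata() only knows libraries in the lib list; a library
 *    loaded later would produce false positives unless the list is kept
 *    current (the dlopen hook further down appears intended for that).
 *  - pr_warn()/pr_debug()/BACKTRACE() must not themselves end up calling
 *    this vsnprintf, or the hook re-enters itself.  (Assumption - verify.)
 *  - Only callers that reach the exported vsnprintf symbol are seen; on
 *    glibc the other printf-family entry points may use internal aliases
 *    that bypass this override.  (Assumption - verify with a test program.)
 *  - This whole file is currently wrapped in #if 0, so nothing here is
 *    actually built.
 *
 * Fixes versus the previous version: a NULL format no longer crashes inside
 * the hook's own strstr() (it is handed straight to the real vsnprintf), a
 * failed dlsym() returns -1 instead of calling a null function pointer, and
 * the address is printed with %p rather than %08x, which is a
 * format/argument mismatch for a uintptr_t and truncates 64-bit addresses.
 */
int vsnprintf(char *s, size_t n, const char *format, va_list arg)
{
    if (real_vsnprintf == NULL) {
        real_vsnprintf = dlsym(RTLD_NEXT, "vsnprintf");
        if (real_vsnprintf == NULL) {
            /* Nothing to forward to.  -1 is vsnprintf's documented error
             * return.  Deliberately no pr_warn() here: a logging helper
             * may itself need a working vsnprintf. */
            return -1;
        }
    }

    /* Only '%'-free formats are examined; see the heuristic above. */
    if (format != NULL && strchr(format, '%') == NULL) {
        uintptr_t fmt_addr = (uintptr_t)format;

        if (!addr_is_in_rodata(fmt_addr)) {
            library_info_t *lib = find_owning_lib(fmt_addr);

            pr_warn("%s: found format string not in rodata!\n", __func__);
            /* %p is correct for any pointer width; the string itself is
             * passed through "%s", never as a format. */
            pr_debug(" fmtstr: %p \"%s\"\n", (const void *)format, format);
            if (lib == NULL) {
                pr_debug(" lib: none\n");
            } else {
                pr_debug(" lib: %s\n", lib->name);
            }
            BACKTRACE();
        }
    }

    return real_vsnprintf(s, n, format, arg);
}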
#if 0
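/*
 * Interposed dlopen: calls the real dlopen and, when it succeeds for a named
 * library, passes the path and handle to lib_hook().  Presumably this is how
 * the lib list consulted by find_owning_lib()/addr_is_in_rodata() is kept
 * current for libraries mapped after startup - without it their .rodata
 * literals would be reported as suspicious.  (Assumption about lib_hook's
 * role - verify.)  This hook is itself currently disabled by an #if 0.
 *
 * file == NULL (a handle to the main program) is deliberately not hooked.
 * real_dlopen is not declared in this file.
 *
 * Fixes versus the previous version: the parameters no longer use names
 * beginning with "__", which are reserved for the implementation, and a
 * failed dlsym() yields NULL (dlopen's own failure return) instead of
 * calling a null function pointer.
 */
void *dlopen(const char *file, int mode)
{
    if (real_dlopen == NULL) {
        real_dlopen = dlsym(RTLD_NEXT, "dlopen");
        if (real_dlopen == NULL) {
            return NULL;
        }
    }

    void *handle = real_dlopen(file, mode);
    if (file != NULL && handle != NULL) {
        lib_hook(file, handle);
    }
    return handle;
}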
#endif
#endif