Void pointer and attribute constructor in a vulnerable code

Time:12-24

I am supposed to find the vulnerability in the code and I feel it's hidden either in the __attribute__((constructor)) or the pointer. Here I can make out that it's a void pointer, but I have never encountered a pointer with () (wasn't able to find out either), so what type of pointer is this, and is the (void(*)()) in (void(*)())&name for type casting or something else? Also, does the attribute constructor here play any role? It feels like an empty default constructor.

#include <stdio.h>
#include <string.h>
//Ignore this thing
// Runs before main(): turns off buffering on the standard streams (mode 2 == _IONBF),
// so the prompt and output reach a remote socket immediately. It does nothing else.
__attribute__((constructor))
void setup(){
  setvbuf(stdout,NULL,2,0);
  setvbuf(stderr,NULL,2,0);
  setvbuf(stdin,NULL,2,0);
}

int main()
{
  printf("What's you name?\n");
  char name[100];
  fgets(name,100,stdin);                    // up to 99 caller-supplied bytes land in name[]
  void(*Kekpointer)() = (void(*)())&name;   // reinterpret the buffer's address as a function
  Kekpointer();                             // jump into the buffer: the bytes just read run as code
  return 0;
}

I tried analyzing these functions, so I came to the conclusion that it's the pointer, the fgets function or the attribute constructor, but I am not able to proceed further. I also got this hint: "For the challenge, your goal is to get a shell. Flag is stored on the remote server. Read the source code carefully and try to find out the vulnerability. This is a beginner level challenge!" but it didn't guide me anywhere. I am expecting more info on the pointer especially.

CodePudding user response:

On any modern hosted system this code is 100% safe. Memory allocated for name will not have executable attributes and any attempt to execute code from there will end in an exception.

You need to make this memory executable:

#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

int main()
{
  char name[100];
  size_t pagesize = getpagesize();
  /* mprotect() needs a page-aligned start and a length that covers the whole
     buffer; keep read/write so fgets() can still fill it, and add execute */
  uintptr_t start = (uintptr_t)name & ~(uintptr_t)(pagesize - 1);
  uintptr_t end = ((uintptr_t)name + sizeof name + pagesize - 1) & ~(uintptr_t)(pagesize - 1);

  if (mprotect((void *)start, end - start, PROT_READ|PROT_WRITE|PROT_EXEC) != 0) {
    perror("mprotect");
    return 1;
  }

  printf("What's you name?\n");
  fgets(name,100,stdin);
  void(*Kekpointer)() = (void(*)())&name;
  Kekpointer();
  return 0;
}

CodePudding user response:

Re: what type of a pointer is this and is the "(void(*)())" in "(void(*)())&name" for type casting or something else?:

The left-hand side:

void(*Kekpointer)() 

----> Kekpointer is a pointer to a function taking no parameters and returning void (returning nothing).

The right-hand side:

(void(*)())&name

----> the & is the address-of operator. The typecast stands for a pointer to a function taking no parameters and returning void. So the address-of name has been type-casted to a pointer to a function taking no parameters and returning void (returning nothing), which matches the left-hand side.

The expression type-casts the name buffer to a function pointer, and then initialises the left-hand side with its address.
