I am supposed to find the vulnerability in the code and I feel it's hidden either in the __attribute__((constructor)) or the pointer. Here I can make out that it's a void pointer, but I have never encountered a pointer with () (wasn't able to find out either), so what type of a pointer is this, and is the (void(*)()) in (void(*)())&name for type casting or something else? Also, does the attribute constructor here play any role? It feels like an empty default constructor.
#include <stdio.h>
#include <string.h>
//Ignore this thing
/* GCC/Clang extension: this function runs automatically before main() is entered */
__attribute__((constructor))
void setup(){
/* 2 == _IONBF: make stdio unbuffered so prompts and output are not held back when piped over a socket */
setvbuf(stdout,NULL,2,0);
setvbuf(stderr,NULL,2,0);
setvbuf(stdin,NULL,2,0);
}
int main()
{
printf("What's you name?\n");
char name[100];
fgets(name,100,stdin);  /* reads up to 99 bytes of attacker-controlled input into the buffer */
/* cast the address of the buffer to a pointer to a function taking no parameters and returning void */
void(*Kekpointer)() = (void(*)())&name;
Kekpointer();           /* jump into the buffer: whatever was read from stdin is executed as code */
return 0;
}
I tried analyzing these functions, so I came to the conclusion that it's the pointer, the fgets function or the attribute constructor, but I am not able to proceed further. I also got this hint: "For the challenge, your goal is to get a shell. Flag is stored on the remote server. Read the source code carefully and try to find out the vulnerability. This is a beginner level challenge!" But it didn't guide me anywhere. I am expecting more info on the pointer especially.
CodePudding user response:
On any modern hosted system this code is 100% safe. Memory allocated for name will not have executable attributes, and any attempt to execute code from there will end in an exception.
You need to make this memory executable:
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>
int main()
{
char name[100];
/* mprotect() needs a page-aligned start address, and a stack buffer may straddle two pages */
size_t pagesize = getpagesize();
uintptr_t start = (uintptr_t)name & ~(uintptr_t)(pagesize - 1);
uintptr_t end = ((uintptr_t)name + sizeof name + pagesize - 1) & ~(uintptr_t)(pagesize - 1);
/* keep READ|WRITE so fgets() can still fill the buffer; add EXEC so it can be called */
if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
perror("mprotect");
return 1;
}
printf("What's you name?\n");
fgets(name,100,stdin);
void(*Kekpointer)() = (void(*)())&name;
Kekpointer();
return 0;
}
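Added example, not code from the question or from either answer above. It puts the two pieces the question asks about side by side: a __attribute__((constructor)) function that provably runs before main(), and a byte buffer cast to a function pointer and called. The bytes are a constructed stand-in for "shellcode" (a function that just returns 42, with encodings for x86-64 and aarch64), not an exploit payload; the function names (run_bytes_as_function, mprotect_unaligned_errno, did_constructor_run) are mine. The bytes are copied into a page that is writable first and then made executable with a correctly aligned mprotect(), because a char array on a non-executable stack would fault when called, and mprotect() on an address that is not page-aligned fails with EINVAL instead of doing anything.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/mman.h>

/* Constructed machine code for this example: a function that returns 42.
   Not an exploit payload; it only proves that the bytes in the buffer ran. */
#if defined(__x86_64__)
static const unsigned char code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, /* mov eax, 42 */
                                      0xc3 };                       /* ret        */
#elif defined(__aarch64__)
static const unsigned char code[] = { 0x40, 0x05, 0x80, 0x52,  /* mov w0, #42 */
                                      0xc0, 0x03, 0x5f, 0xd6 }; /* ret         */
#else
#error "this example only carries machine code for x86-64 and aarch64"
#endif

/* Set by the constructor so main() (or a test) can see that it already ran. */
static int constructor_ran = 0;

__attribute__((constructor))
static void setup(void)
{
    /* Same idea as the challenge's setup(): runs before main() is entered.
       Unbuffered stdout is what makes a prompt reach a remote client at once. */
    setvbuf(stdout, NULL, _IONBF, 0);
    constructor_ran = 1;
}

int did_constructor_run(void) { return constructor_ran; }

/* Copy bytes into fresh memory and run them through a function-pointer cast.
   Returns what the code returns (42), or -1 if the memory could not be set up. */
int run_bytes_as_function(const unsigned char *bytes, size_t len)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    /* Writable first, so the bytes can be copied in ... */
    void *page = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, bytes, len);
    /* ... then executable and no longer writable (W^X). The mapping is
       page-aligned, which is what mprotect() requires. */
    if (mprotect(page, pagesize, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesize);
        return -1;
    }
    /* The cast from the question: treat the address of a buffer as the address
       of a function. Here it returns int so the result can be checked. */
    int (*fn)(void) = (int (*)(void))page;
    int result = fn();
    munmap(page, pagesize);
    return result;
}

/* mprotect() on an address that is not page-aligned (a char array in the
   middle of a stack frame is rarely aligned) fails with EINVAL. Returns the
   errno it set, 0 if it unexpectedly succeeded, -1 if the setup failed. */
int mprotect_unaligned_errno(void)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    int rc = mprotect(page + 1, 16, PROT_READ | PROT_EXEC); /* page + 1 is never aligned */
    int saved = (rc == 0) ? 0 : errno;
    munmap(page, pagesize);
    return saved;
}

int main(void)
{
    printf("constructor ran before main: %s\n", did_constructor_run() ? "yes" : "no");
    printf("bytes executed through a function pointer returned %d\n",
           run_bytes_as_function(code, sizeof code));
    printf("mprotect on an unaligned address set errno %d (EINVAL is %d)\n",
           mprotect_unaligned_errno(), EINVAL);
    return 0;
}
```

The only difference between this and the challenge binary is where the bytes live: here they are in a page that was explicitly made executable, while the challenge reads them into name on the stack, so there the stack itself has to be executable (or some other already executable memory has to be reached) for the call through Kekpointer to run them rather than fault.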
CodePudding user response:
Re: what type of a pointer is this and is the "(void(*)())" in "(void(*)())&name" for type casting or something else?
The left-hand side:
void(*Kekpointer)()
----> Kekpointer is a pointer to a function taking no parameters and returning void (returning nothing).
The right-hand side:
(void(*)())&name
----> the & is the address-of operator. The typecast stands for a pointer to a function taking no parameters and returning void. So the address of name has been type-cast to a pointer to a function taking no parameters and returning void (returning nothing), which matches the left-hand side.
The expression type-casts the name buffer to a function pointer, and then initialises the left-hand side with its address.