-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathuse_after_free_fix.c
164 lines (131 loc) · 5.5 KB
/
use_after_free_fix.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
#include <time.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main()
{
printf("Okay, so here's what YOU need to do...\n");
printf("You have access to the source code...\n");
printf("Try and become root so you can execute a command of your choice and drop a shell...\n");
printf("This the patched version so you prolly neva gon be root sucks2suck lol!\n");
printf("Type shit Type shit!\n");
time_t start_time;
time(&start_time);
char * username = 0;
char * password = 0;
int flag = 0;
while(1)
{
// Print username and password (with address) to keep a track of the variables
if(username){
printf("USERNAME ADDRESS: %x\nUSERNAME: %s\n", username, username);
}
if(password){
printf("PASSWORD ADDRESS: %x\nPASSWORD: %s\n", password, password);
}
printf("1: Username\n");
printf("2: Password\n");
printf("3: Reset\n");
printf("4: Login\n");
printf("5: Exit\n");
printf("Choose an option [1-5]: ");
int choice = 0;
scanf("%d", &choice);
switch(choice)
{
case 1:
// Save username
username = malloc(20*sizeof(char));
printf("Enter username: ");
scanf("%254s", username);
// "root" username not allowed -> set username to ""
if(!strcmp(username, "root"))
{
printf("[root]: Ain't no way it's that easy. Try again fool!\n");
strcpy(username, "");
}
break;
case 2:
// Save password
if (!username){
printf("What tf are you setting a password for? Set a username first\n");
break;
}
password = malloc(20*sizeof(char));
printf("Enter password: ");
scanf("%254s", password);
printf("Bruh! My grandmother is stronger than that password!\n");
break;
case 3:
if (!password && !username){
printf("Do you want me to reset yo ass? Use your brains man!\n");
printf("How tf you gonna reset smth that don't exist!\n");
break;
}
free(password);
free(username);
// Ensure no dangling pointers exist
password = NULL;
username = NULL;
break;
case 4:
if (!password || !username){
printf("How tf you gonna log in without both credentials [username & password] dumbass! Set them up first\n");
break;
}
char * temp_uname = (char*)malloc(20*sizeof(char));
char * temp_pwd = (char*)malloc(20*sizeof(char));
printf("Enter username: ");
scanf("%254s", temp_uname);
printf("Enter password: ");
scanf("%254s", temp_pwd);
// root does not need to authenticate
if(!strcmp(username, "root"))
{
time_t end_time;
time(&end_time);
double time_spent = difftime(end_time, start_time);
printf("You took %.2f seconds...\n", time_spent);
flag = 1;
printf("Congratulations! You figured out how to exploit the vulnerability and drop a shell you fkn nerd!\n");
printf("---SOME PRIVILEGED SHIT GOING ON HERE---\n");
char * command = (char*)malloc(20*sizeof(char));
printf("$ Trying to mimic a shell. Enter a command cuz u root my g: ");
scanf("%254s", command);
system(command);
free(command);
command = NULL;
exit(0);
}
if(!strcmp(temp_uname, username) && !strcmp(temp_pwd, password)){
// printf("%s -- %s -- %s -- %s\n", temp_uname, username, temp_pwd, password);
printf("Logged in successfully but DID NOT drop a shell sucka! Not as smart as you thought you were lmao!\n");
}
else{
printf("Incorrect username or password! Try again dumbass!\n");
}
free(temp_pwd);
free(temp_uname);
temp_uname = NULL;
temp_pwd = NULL;
break;
case 5:
time_t end_time;
time(&end_time);
double time_spent = difftime(end_time, start_time);
if (flag == 0){
printf("You just wasted %.2f seconds!\n", time_spent);
printf("Seems like you gave up on trying to drop a shell! Sucks to be You(se-After-Free)\n");
printf("This the patched version dumbass, I literally said that before we started! You neva gon be root\n");
}
else{
printf("You took %.2f seconds...\n", time_spent);
printf("Congratulations! You figured out how to exploit the vulnerability and drop a shell you fkn nerd!\n");
}
exit(0);
default:
printf("Invalid Option! Try Again Dipshit!\n");
break;
}
}
}