-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathexplore_me.cpp
50 lines (42 loc) · 1.13 KB
/
explore_me.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#include <cstring>
#include "explore_me.h"
#include "utils.h"
static long insecureEncrypt(long input);
static void trigger_global_buffer_overflow(const std::string &c);
static void trigger_use_after_free();
void ExploreSimpleChecks(int a, int b, std::string c) {
if (a >= 20000) {
if (b >= 2000000) {
if (b - a < 100000) {
if (c == "Attacker") {
trigger_global_buffer_overflow(c);
}
}
}
}
}
void ExploreComplexChecks(long a, long b, std::string c) {
if (EncodeBase64(c) == "SGV5LCB3ZWw=") {
if (insecureEncrypt(a) == 0x4e9e91e6677cfff3L) {
if (insecureEncrypt(b) == 0x4f8b9fb34431d9d3L) {
trigger_use_after_free();
}
}
}
}
static long insecureEncrypt(long input) {
long key = 0xefe4eb93215cb6b0L;
return input ^ key;
}
char gBuffer[5] = {0};
static void trigger_global_buffer_overflow(const std::string &c) {
memcpy(gBuffer, c.c_str(), c.length());
printf("%s\n", gBuffer);
}
static void trigger_use_after_free() {
auto *buffer = static_cast<char *>(malloc(6));
memcpy(buffer, "hello", 5);
buffer[5] = '\0';
free(buffer);
printf("%s\n", buffer);
}