forked from trailofbits/clang-cfi-showcase
cfi_unrelated_cast.cpp
#include <iostream>
#include <string>
/// Polymorphic demo type that holds a string it treats as a command.
///
/// The virtual destructor gives Foo a vtable. Nothing in this struct runs the
/// command; fooStuff() only prints it.
struct Foo {
    /// Stores a copy of `s` in `command`.
    Foo(const std::string &s) : command{s} {}
    virtual ~Foo() = default;

    /// Prints the name of this function and the stored command string.
    void fooStuff() {
        std::cout << "I am in " << __FUNCTION__ << "\n"
                  << "And I would execute: " << command << "\n";
    }

    // Text that fooStuff() reports it "would execute".
    std::string command;
};
/// Polymorphic demo type that holds a display name.
///
/// Bar has the same member layout as Foo (one virtual destructor, one
/// std::string) but is not related to it by inheritance, so a Bar* is never a
/// valid Foo*.
struct Bar {
    /// Stores a copy of `s` in `name`.
    Bar(const std::string &s) : name{s} {}
    virtual ~Bar() = default;

    /// Prints the name of this function and the stored name.
    void barStuff() {
        std::cout << "I am in " << __FUNCTION__ << "\n"
                  << "And I am called: " << name << "\n";
    }

    // Free-form label; main() treats it as attacker-controlled.
    std::string name;
};
/// Selects which struct allocator() constructs.
enum class WhichObject { FooObject, BarObject };
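/// Heap-allocates the object selected by `w`, constructed from `arg`, and
/// returns it as an untyped pointer.
///
/// The `void *` return discards the static type, so the compiler cannot check
/// any later cast back to `Foo *` or `Bar *`; the caller has to remember which
/// enumerator it passed. The object is created with `new` and nothing in this
/// function releases it.
///
/// @param w    which struct to construct
/// @param arg  string passed to the selected constructor
/// @return pointer to the new object, or nullptr if `w` matches no enumerator
static void *allocator(WhichObject w, const std::string& arg) {
    switch (w) {
        case WhichObject::FooObject:
            return new Foo(arg);
        case WhichObject::BarObject:
            return new Bar(arg);
    }
    // An enum class can hold a value that matches no enumerator (for example
    // after a static_cast from an integer). Flowing off the end of a non-void
    // function is undefined behaviour, so return an explicit value instead.
    return nullptr;
}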
/// Demonstrates a type confusion: a Bar allocated through an untyped pointer
/// is cast to the unrelated type Foo and used as one.
int main(int argc, const char *argv[]) {
    // Command-line arguments are not used by this demo.
    static_cast<void>(argc);
    static_cast<void>(argv);

    // Assume an attacker can create Bar objects
    // with arbitrary arguments.
    void *ptr = allocator(WhichObject::BarObject, "system(\"/bin/sh\")");

    // .. and there is a flaw to re-cast Bar objects
    // as Foo objects.
    // static_cast from void* is accepted by the compiler with no check, so
    // the Bar is now reachable through a Foo*. Using it is undefined
    // behaviour: fooStuff() reads Bar::name where it expects Foo::command,
    // so data meant as a label ends up where a command is expected.
    // NOTE(review): going by the file name, this is the case clang's
    // -fsanitize=cfi-unrelated-cast is meant to stop at the cast (clang CFI
    // needs -flto, and normally -fvisibility=hidden) -- confirm against the
    // project's build flags.
    Foo *fooptr = static_cast<Foo*>(ptr);
    fooptr->fooStuff();

    return 0;
}