|

楼主 |
发表于 2015-8-14 20:43:26
|
显示全部楼层
Format Strings #2:
- /* fs2.c *
- * specially crafted to feed your brain by gera */
- /* Can you tell me what's above the edge? */
- int main(int argv,char **argc) {
- char buf[256];
- snprintf(buf,sizeof buf,"%s%c%c%hn",argc[1]);
- snprintf(buf,sizeof buf,"%s%c%c%hn",argc[2]);
- }
复制代码
Format Strings #3:
- /* fs3.c *
- * specially crafted to feed your brain by riq */
- /* Not enough resources? */
- int main(int argv,char **argc) {
- char buf[256];
- snprintf(buf,sizeof buf,"%s%c%c%hn",argc[1]);
- }
复制代码
Format Strings #4:
- /* fs4.c *
- * specially crafted to feed your brain by gera */
- /* Have you ever heard about code reusability? */
- int main(int argv,char **argc) {
- char buf[256];
- snprintf(buf,sizeof buf,"%s%6$hn",argc[1]);
- printf(buf);
- }
复制代码
Format Strings #5:
- /* fs5.c *
- * specially crafted to feed your brain by gera */
- /* go, go, go! */
- int main(int argv,char **argc) {
- char buf[256];
- snprintf(buf,sizeof buf,argc[1]);
- /* this line'll make your life easier */
- // printf("%s\n",buf);
- }
复制代码
SIGNALS
Signals #1:
- /* s1.c *
- * specially crafted to feed your brain by gera */
- /* now I've got it! */
- int main(int argv,char **argc) {
- char *pbuf=(char*)malloc(strlen(argc[2])+1);
- char buf[256];
- signal(10,main);
- strcpy(buf,argc[1]);
- for (;*pbuf++=*(argc[2]++););
- while(1);
- }
复制代码
Signals #2:
- /* s2.c *
- * specially crafted to feed your brain by gera */
- /* do you resign? */
- int main(int argv,char **argc) {
- char *pbuf=(char*)malloc(strlen(argc[2])+1);
- char buf[256];
- signal(10,10);
- strcpy(buf,argc[1]);
- for (;*pbuf++=*(argc[2]++););
- while(1);
- }
复制代码
Signals #3:
- /* s3.c *
- * specially crafted to feed your brain by gera */
- /* Give me a sign!!!! */
- int main(int argv,char **argc) {
- char *pbuf=(char*)malloc(strlen(argc[2])+1);
- char buf[256];
- alarm(1);
- strcpy(buf,argc[1]);
- for (;*pbuf++=*(argc[2]++););
- while(1);
- }
复制代码
Signals #4:
- /* s4.c *
- * specially crafted to feed your brain by gera */
- /* recurring nightmare */
- int main(int argv,char **argc) {
- char *pbuf=(char*)malloc(strlen(argc[2])+1);
- char buf[256];
- strcpy(buf,argc[1]);
- for (;*pbuf++=*(argc[2]++););
- while(1);
- }
复制代码
ESOTERIC
Esoteric #1:
- /* e1.c *
- /* specially crafted to feed your brain by gera */
- /* jumpy vfprintf, Batman! */
- int main(int argv,char **argc) {
- /* Can you do it changing the stack? */
- /* Can you do it without changing it? */
- printf(argc[1]);
- while(1);
- }
复制代码
Esoteric #2:
- /* e2.c *
- /* specially crafted to feed your brain by gera */
- /* Now, your misson is to make abo1 act like this other program:
- *
- char buf[100];
- while (1) {
- scanf("%100s",buf);
- system(buf);
- }
- * But, you cannot execute code in stack.
- */
- int main(int argv,char **argc) {
- char buf[256];
- strcpy(buf,argc[1]);
- }
复制代码
Esoteric #3:
- /* e3.c *
- * specially crafted to feed your brain by gera */
- /* are you an enviromental threat */
- char buf[256];
- int main(int argv,char **argc) {
- strcpy(buf,argc[1]);
- setenv("ABO",argc[2],1);
- while(1);
- }
复制代码
Esoteric #4:
- /* e4.c *
- * specially crafted to feed your brain by gera */
- /* %what the hell? */
- char buf[256];
- int main(int argv,char **argc) {
- strcpy(buf,argc[1]);
- printf("live at 100%!");
- while(1);
- }
复制代码
Esoteric #5:
- /* e5.c *
- * specially crafted to feed your brain by gera */
- /* is this possible? */
- char buf[256];
- int main(int argv,char **argc) {
- strcpy(buf,argc[1]);
- perror(argc[2]);
- while(1);
- }
复制代码
StackGuarded
StackGuarded #1:
- /* sg1.c *
- * specially crafted to feed your brain by gera */
- int func(char *msg) {
- char buf[80];
- strcpy(buf,msg);
- // toupper(buf); // here just to give func() "some" sence
- strcpy(msg,buf);
- exit(1);
- }
- int main(int argv, char** argc) {
- func(argc[1]);
- }
复制代码
StackGuarded #2:
- /* sg2.c *
- * specially crafted to feed your brain by gera */
- void func(char *msg) {
- char buf[80];
- strcpy(buf,msg);
- }
- int main(int argv, char** argc) {
- func(argc[1]);
- }
复制代码
StackGuarded #3:
- /* sg3.c *
- * specially crafted to feed your brain by gera */
- char *read_it(char *msg) {
- char buf[128];
- int count;
- buf[read(0,buf,sizeof buf)]=0;
- return strdup(buf);
- }
- int main(int argv, char **argc) {
- char *msg = malloc(1000);
- snprintf(msg,1000,"User: %s",read_it(msg));
- }
复制代码
StackGuarded #4:
- /* sg4.c *
- * specially crafted to feed your brain by gera */
- // XXX: Add real encryption here
- #define decrypt(dest,src) strcpy(dest,src)
- int check(char *user) {
- char temp[80];
- decrypt(temp,user);
- // XXX: add some real checks in the future
- return !strcmp(temp,"gera");
- }
- // XXX: Add real support for internationalization
- #define LANG_MSG(dest,pattern) strcpy(dest,pattern);
- int main(int argv, char **argc) {
- char msg[100];
- LANG_MSG(msg,"Get out of here!\n");
- if (!check(argc[1])) {
- printf(msg);
- exit(1);
- }
- exit(0);
- }
复制代码
StackGuarded #5:
- /* sg5.c *
- * specially crafted to feed your brain by gera */
- int need_to_check = 1; // XXX: Add global configuration
- // XXX: Add real encryption here
- #define decrypt(dest,src) strcpy(dest,src)
- int check(char *user) {
- char temp[80];
- decrypt(temp,user);
-
- // XXX: add some real checks in the future
- return !strcmp(temp,"gera");
- }
- int main(int argv, char **argc) {
- int user_ok;
- user_ok = check(argc[1]);
- if (!user_ok && need_to_check) exit(1);
- exit(0);
- }
复制代码
StackGuarded #6:
- /* sg6.c *
- * specially crafted to feed your brain by gera */
- // XXX: Add real encryption here
- #define decrypt(dest,src) strcpy(dest,src)
- int get_username(char *user) {
- char temp[80];
- decrypt(temp,user);
-
- return strdup(temp);
- }
- int main(int argv, char **argc) {
- char *user_name;
- user_name = get_username(argc[1]);
- printf("User name is '%s'\n",user_name);
- return 0;
- }
复制代码
Numeric
Numeric #1:
- /* n1.c *
- * specially crafted to feed your brain by gera */
- #include
- #include
- #include
- #define MAX_SIZE 80
- unsigned int atoul(char *str) {
- unsigned int answer=0;
- for (;*str && isdigit(*str);
- answer *= 10, answer += *str++-'0');
- return answer;
- }
- int main(int argv, char **argc) {
- char buf[MAX_SIZE],*pbuf=buf;
- int count = atoul(argc[1]);
-
- if (count >= MAX_SIZE) count = MAX_SIZE-1;
- while (count--) *pbuf++=getchar();
- *pbuf=0;
- }
复制代码
Numeric #2:
- /* n2.c *
- * specially crafted to feed your brain by gera */
- #include
- #include
- #include
- #define MAX_SIZE 80
- unsigned int atoul(char *str) {
- unsigned int answer=0;
- for (;*str && isdigit(*str);
- answer *= 10, answer += *str++-'0');
- return answer;
- }
- int main(int argv, char **argc) {
- char *pbuf,buf[MAX_SIZE];
- int count = atoul(argc[1]);
-
- if (count >= MAX_SIZE) count = MAX_SIZE-1;
- pbuf=buf;
- while (count--) *pbuf++=getchar();
- *pbuf=0;
- }
复制代码
Numeric #3:
- /* n3.c *
- * specially crafted to feed your brain by gera */
- #include
- #include
- unsigned int count;
- char **args;
- int main(int argv, char **argc) {
- char buf[80];
- fscanf(stdin, "%u", &count);
- args = alloca(count*sizeof(char*));
- while (count--) {
- if (!fgets(buf,sizeof buf,stdin)) break;
- *args++=strdup(buf);
- }
- }
复制代码
Numeric #4:
- /* n4.c *
- * specially crafted to feed your brain by gera */
- #include
- #include
- unsigned int count;
- int main(int argv, char **argc) {
- char buf[80],**args;
-
- fscanf(stdin, "%u", &count);
- args = alloca(count*sizeof(char*));
- while (count--) {
- if (!fgets(buf,sizeof buf,stdin)) break;
- *args++=strdup(buf);
- }
- }
复制代码
Numeric #5:
- /* n5.c *
- * specially crafted to feed your brain by gera */
- #include
- int main(int argv, char **argc) {
- char **args,buf[80];
- unsigned int index,count;
-
- fscanf(stdin, "%u", &count);
- args = malloc(count*sizeof(char*));
- while (1) {
- fscanf(stdin,"%u %80s", &index, buf);
- if (index<count) args[index] = strdup(buf);
- else break;
- }
- }
复制代码 |
|