Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign up| #include <iostream> | |
| struct Foo { | |
| Foo(const std::string &s): command(s) {} | |
| virtual ~Foo() {} | |
| void fooStuff() { | |
| std::cout << "I am in " << __FUNCTION__ << "\n"; | |
| std::cout << "And I would execute: " << command << "\n"; | |
| } | |
| std::string command; | |
| }; | |
| struct Bar { | |
| Bar(const std::string &s): name(s) {} | |
| virtual ~Bar() {} | |
| void barStuff() { | |
| std::cout << "I am in " << __FUNCTION__ << "\n"; | |
| std::cout << "And I am called: " << name << "\n"; | |
| } | |
| std::string name; | |
| }; | |
| enum class WhichObject { | |
| FooObject, | |
| BarObject | |
| }; | |
| static void *allocator(WhichObject w, const std::string& arg) { | |
| switch(w) { | |
| case WhichObject::FooObject: | |
| return new Foo(arg); | |
| case WhichObject::BarObject: | |
| return new Bar(arg); | |
| } | |
| } | |
| int main(int argc, const char *argv[]) { | |
| void *ptr = nullptr; | |
| (void)(argc); | |
| (void)(argv); | |
| // Assume an attacker can create Bar objects | |
| // with arbitrary arguments. | |
| ptr = allocator(WhichObject::BarObject, "system(\"/bin/sh\")"); | |
| // .. and there is a flaw to re-cast Bar objects | |
| // as Foo objects | |
| Foo *fooptr = static_cast<Foo*>(ptr); | |
| fooptr->fooStuff(); | |
| return 0; | |
| } |