Having learned how the stack works, let's implement a simple stack overflow attack.
In the code below, main only ever calls normal_func. By copying past the bounds of its local array, normal_func overwrites its own saved return address; main has placed the address of eject_func at exactly that offset in the source buffer, so when normal_func returns, control lands in eject_func even though nothing calls it directly.
```cpp
#include <cstring>
#include <iostream>

// Placeholders, filled in after disassembling the binary:
// LEN  = distance from tmpBuf to the saved return address in normal_func's frame
// ADDR = virtual address of eject_func
#define LEN 0
#define ADDR 0x0

using namespace std;

// Never called directly by any code path.
void eject_func() {
    cout << "eject_func" << endl;
}

// Copies len bytes into a 16-byte local buffer with no bounds check:
// anything past byte 16 spills over the saved frame pointer and return address.
void normal_func(char* buf, int len) {
    char tmpBuf[16] = {'\xff'};
    memcpy(tmpBuf, buf, len);   // copy straight into tmpBuf; buf+LEN then lands on the return address
    cout << "normal_func" << endl;
}

int main(int argc, char** argv) {
    char buf[64] = {0};
    long eject_func_addr = ADDR;
    // Place the 8-byte address at offset LEN so it overwrites the return address.
    memcpy(buf + LEN, &eject_func_addr, 8);
    normal_func(buf, 64);
    cout << "main\n" << endl;
    return 0;
}
```
Suppose we don't yet know the virtual address of eject_func, nor the distance from the local variable tmpBuf at the bottom of normal_func's stack frame to the saved return address. So first define the two macros ADDR and LEN as placeholders, compile the code above, then disassemble it. Note that the addresses and the offset below depend on the build: a PIE binary would not have a fixed address like 0x400916, and a stack protector would abort before the overwritten return address is ever used.
In the disassembly we find the two functions eject_func and normal_func (their names are mangled; c++filt confirms which is which).
Now we know the address of eject_func is 0x400916.
Looking at the disassembly of normal_func, I don't really understand the assembly instructions; from a rough look I suspect LEN is 40. Let's check with gdb:
The instruction following main's call to normal_func is at 400a19:
400a14: e8 20 ff ff ff callq 400939 <_Z11normal_funcPci>
400a19: be 4b 0b 40 00 mov $0x400b4b,%esi
The offset calculated from the frame layout is indeed 40.
Modify the two macros at the top of the code:
```cpp
#define LEN 40
#define ADDR 0x400916
```
Recompile and run; the result is as follows:
As can be seen, when main calls normal_func the address of the next instruction is pushed on the stack; the out-of-bounds copy then overwrites it with the address of eject_func, so when normal_func returns it does not continue with the next instruction in main but jumps to eject_func. That is the stack overflow attack.
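The callee-side fix, as an added example that is not part of the original post: a bounds-checked counterpart to normal_func that refuses any copy larger than its own buffer, so the saved return address can never be reached. The names normal_func_checked, bounded_copy and attempt_copy are my own.

```cpp
#include <cstddef>
#include <cstring>

// Copy len bytes into a fixed-size array whose size N the compiler knows,
// so the check cannot drift from the declaration. Returns bytes copied,
// or -1 if the input would overrun dst.
template <size_t N>
int bounded_copy(char (&dst)[N], const char* src, size_t len) {
    if (src == nullptr || len > N) {
        return -1;   // would spill into saved registers / return address
    }
    memcpy(dst, src, len);
    return static_cast<int>(len);
}

// Hardened version of the page's normal_func: same 16-byte local buffer,
// but the copy is rejected instead of silently running past the end.
int normal_func_checked(const char* buf, size_t len) {
    char tmpBuf[16] = {0};
    return bounded_copy(tmpBuf, buf, len);
}

// Drive the checked function with a caller-chosen length, the way main()
// in the page does with its 64-byte buf (constructed input, all zeros).
int attempt_copy(size_t len) {
    char buf[64] = {0};
    return normal_func_checked(buf, len);
}
```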