Simple implementation of a stack overflow attack

After studying how the stack works, this post implements a simple stack overflow attack.

In the code below, main is meant to call only normal_func. By writing past the bounds of an array, normal_func's return address is modified: the address of eject_func is copied over the return address of normal_func, so that eject_func ends up being called.


// Note: the fixed addresses used below (ADDR, 0x400916) imply a binary built
// without PIE, and the unchecked copy only reaches the return address when the
// stack protector is off; with a modern toolchain's defaults (PIE/ASLR and
// -fstack-protector-strong) the overwrite is caught or the target address moves.
#include <cstdio>
#include <string.h>
#include <iostream>

#define LEN 0      // offset from tmpBuf to normal_func's return address (filled in after disassembly)
#define ADDR 0x0   // address of eject_func (filled in after disassembly)
using namespace std;

void eject_func()
{
	cout<<"eject_func"<<endl;
}
void normal_func(char* buf, int len)
{
	char tmpBuf[16] = {(char)0xff};   // cast avoids the C++11 narrowing error on 0xff
	memcpy(tmpBuf, buf, len);         // len (64) exceeds sizeof tmpBuf (16): the copy overruns the frame
	cout<<"normal_func"<<endl;
}
int main(int argc, char** argv)
{
	char buf[64] = {0};
	long eject_func_addr = ADDR;
	memcpy(buf+LEN,&eject_func_addr,8);   // place the target address where the return address will land
	normal_func(buf,64);
	cout<<"main\n"<<endl;
	return 0;
}

We do not yet know the virtual memory address of eject_func, nor the offset from the local variable tmpBuf to the return address in normal_func's stack frame, so the two macros ADDR and LEN are defined first as placeholders. Compile the code above, then disassemble it.


In the disassembly above, two functions are found, eject_func and normal_func; their mangled names can be confirmed with c++filt.


Now we know the address of eject_func: 0x400916.

Look at the disassembly of normal_func. I do not really understand the assembly instructions, but after looking it over I suspect LEN is 40. Check with gdb:


The instruction in main following the call to normal_func is at 400a19:

  400a14: e8 20 ff ff ff        callq  400939 <_Z11normal_funcPci>

  400a19: be 4b 0b 40 00        mov    $0x400b4b,%esi

The offset, calculated from the frame size, is indeed 40.

Modify the two macros at the top of the code:

#define LEN 40

#define ADDR 0x400916

Recompile and run.


As can be seen, when main calls normal_func the address of the next instruction is pushed onto the stack; the out-of-bounds copy then overwrites it with the address of eject_func, so when normal_func returns, execution does not continue at the next instruction in main but at eject_func. This is the stack overflow attack.
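To make the offset arithmetic and the mitigations concrete, here is an added example (not from the original post) that models normal_func's frame as a plain struct whose assumed layout reproduces the measured LEN of 40, then contrasts the post's unchecked copy with a length-checked copy and with a canary check of the kind -fstack-protector inserts. FrameModel, its field layout and the guard value are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Assumed model of normal_func's frame, laid out so the return address sits
// 40 bytes above tmpBuf (the LEN measured with gdb in the post). The real
// layout is the compiler's choice; this struct only makes the arithmetic testable.
struct FrameModel {
    char     tmpBuf[16];
    char     slack[8];        // assumed: other slots / alignment padding
    uint64_t canary;          // where -fstack-protector keeps its guard value
    uint64_t saved_rbp;
    uint64_t return_addr;
    char     caller_area[16]; // a 64-byte copy spills this far into the caller's frame
};

constexpr size_t kReturnAddrOffset = offsetof(FrameModel, return_addr); // 40, the post's LEN

// Byte view of the frame starting at tmpBuf, so memcpy runs across members
// exactly as the overflow on the page runs across the real stack.
static unsigned char* frame_bytes(FrameModel& f) {
    return reinterpret_cast<unsigned char*>(&f) + offsetof(FrameModel, tmpBuf);
}

// The post's copy: trusts the caller's len, so 64 bytes run through the canary,
// the saved rbp and the return address. Returns the return address afterwards.
uint64_t unchecked_copy(FrameModel& f, const char* src, size_t len) {
    memcpy(frame_bytes(f), src, len);
    return f.return_addr;
}

// Mitigation 1: bound the copy by the destination size. Returns false and
// leaves the frame untouched when len would overflow tmpBuf.
bool checked_copy(FrameModel& f, const char* src, size_t len) {
    if (len > sizeof f.tmpBuf) return false;
    memcpy(f.tmpBuf, src, len);
    return true;
}

// Mitigation 2: a stack-protector style canary, written below the saved
// registers before the copy and verified after it; any write that reaches the
// return address has to pass through it. Returns true when corruption is detected.
bool canary_detects_overflow(FrameModel& f, const char* src, size_t len) {
    const uint64_t guard = 0x5a5a1234deadbe00ULL; // constructed; a real guard is random per process
    f.canary = guard;
    memcpy(frame_bytes(f), src, len);
    return f.canary != guard;
}
```

The payload is the same 64 zero bytes the post's main builds, with the target address at offset LEN; against the model it lands exactly on return_addr, the length check refuses it, and the canary check flags it.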


Source: www.cnblogs.com/ho966/p/12148692.html