Given a very shoddy program like,
```c
#include <string.h>

void crapFunc(char *str) {
    char buffer[500];      /* fixed-size buffer on the stack */
    strcpy(buffer, str);   /* no length check: a longer str overruns buffer */
    return;
}
```
(sorry for crap code, I’m not too familiar with C or C++)
I learned that if you have a string that goes over the buffer limit and into the stack where the return ptr is overwritten, you can redirect the computer into going to another address that executes malicious code. This high-level approach is fine, but I’m confused when we actually do it. So let’s say the string is full of x90 and the malicious code is written as a substring in the string. You overwrite the return address, and crapFunc(str) goes to the malicious code. What I don’t get is, why does the computer execute the malicious code? If it’s just a string, the computer shouldn’t recognize it as an executable. Even if the computer does recognize it, how would the malicious code still run? Just because the program now points there doesn’t mean that it should be executed.
>If it’s just a string, the computer shouldn’t recognize it as an executable
That’s the neat part, it doesn’t! Everything in memory — code, strings, numbers, colors, etc — is just bytes. How those bytes are used depends on what you tell the computer to do with them. The bytes “53 55 56” can be
* “SUV” when read as text,
* “push ebx; push ebp; push esi” instructions as x86 code,
* or a 33% gray when interpreted as a color.
You could open an executable in notepad and notepad will read it as strings. Most of the strings won’t make sense, but some would. Conversely, if you point the CPU to a string and say “run that”, it’ll happily try to interpret those bytes as machine code. Now *usually* the computer won’t be able to make much sense of it and the program will crash. But if you pick your strings right, you can make it jump to a point of memory where you hid away some malicious code and, well, you’re screwed.
To see just how far you can take this, some speedrunner groups have been fooling around with older games to make them run any sort of code they want by placing certain on-screen items in such a way that they can be used as code. It’s wild what they can do with that. For example, the skip-to-end-credits in Super Mario World: [https://youtu.be/vAHXK2wut_I](https://youtu.be/vAHXK2wut_I). Now, I don’t expect you to understand that video, but just know that it’s f%$^#@$g disgusting.
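As an added example (not code from either post), here is the question's function made compilable next to a bounded copy that refuses anything that does not fit in the 500-byte buffer; the 0x90 filler and the buffer size come from the question, while `copy_checked`, `accepts_input` and `accepts_length` are names I chose for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The pattern from the question, made compilable: strcpy() copies until it
 * finds a NUL byte and never looks at the destination size, so input longer
 * than 500 bytes keeps writing over whatever sits above the buffer on the
 * stack. Kept here only as the "before" form; nothing below calls it. */
void crapFunc(const char *str) {
    char buffer[500];
    strcpy(buffer, str);            /* unbounded copy: the bug */
    (void)buffer;
}

/* Hardened form: the input must fit, NUL included, or it is refused outright.
 * memchr() scans at most dstsz bytes, so an over-long or unterminated source
 * is detected without ever copying past the destination size. */
bool copy_checked(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return false;
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL) {              /* no terminator within dstsz: too long */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return true;
}

/* Same 500-byte stack buffer as the question, with the check in front. */
bool accepts_input(const char *input) {
    char buffer[500];
    return copy_checked(buffer, sizeof buffer, input);
}

/* Constructed input: `len` bytes of 0x90 (the filler the question mentions),
 * used purely as data to measure against the buffer size. */
bool accepts_length(size_t len) {
    char input[1024];
    if (len >= sizeof input) return false;
    memset(input, 0x90, len);
    input[len] = '\0';
    return accepts_input(input);
}

int main(void) {
    printf("\"hello\" accepted: %d\n", accepts_input("hello"));     /* 1 */
    printf("499 bytes accepted: %d\n", accepts_length(499));        /* 1: fits with its NUL */
    printf("500 bytes accepted: %d\n", accepts_length(500));        /* 0: no room for the NUL */
    printf("600 bytes accepted: %d\n", accepts_length(600));        /* 0: refused, nothing overwritten */
    return 0;
}
```

On current systems the stack is normally mapped non-executable (NX/DEP), so even a successful return-address overwrite that lands in the string faults instead of running it; the length check above removes the overwrite itself, which is the fix that does not depend on that protection.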