Given a very shoddy program like,
void crapFunc(String str){
buffer [500];
str_cpy(buffer, str);
return;
(sorry for crap code, I’m not too familiar with C or C++)
I learned that if you have a string that goes over the buffer limit and into the stack where the return ptr is overwritten, you can redirect the computer into going to another address that executes malicious code. This high-level approach is fine, but I’m confused when we actually do it. So lets say the string is full of x90 and the malicious code is written as a substring in the string. You overwrite the return address, and crapFunc(str) goes to the malicious code. What I don’t get is, why does the computer execute the malicious code? If it’s just a string, the computer shouldn’t recognize it as an executable. Even if the computer does recognize it, how would the malicious code still run? Just because the program now points there doesn’t mean that it should be executed.
In: 0
>why does the computer execute the malicious code?
This is why the return pointer is overwritten.
The return pointer is basically the computer’s instruction saying “Now go here and do this”
In ordinary circumstances, it would be normal function, but because you overwrote it, the “here” part is the malicious function you encoded in the string.
The computer can’t actually tell that the malicious code was originally input as a string, to the computer it’s just 1s and 0s at an address, and in this case it was instructed to treat those 1s and 0s as an instruction.
Latest Answers