Given a very shoddy program like,
void crapFunc(String str){
buffer [500];
str_cpy(buffer, str);
return;
(sorry for crap code, I’m not too familiar with C or C++)
I learned that if you have a string that goes over the buffer limit and into the stack where the return ptr is overwritten, you can redirect the computer into going to another address that executes malicious code. This high-level approach is fine, but I’m confused when we actually do it. So lets say the string is full of x90 and the malicious code is written as a substring in the string. You overwrite the return address, and crapFunc(str) goes to the malicious code. What I don’t get is, why does the computer execute the malicious code? If it’s just a string, the computer shouldn’t recognize it as an executable. Even if the computer does recognize it, how would the malicious code still run? Just because the program now points there doesn’t mean that it should be executed.
In: 0
Your memory contains data like
[buffer[0]]
[buffer[1]]
…
[buffer[499]]
[return address]
When you copy over the buffer, and then keep copying more bytes… the next bytes over-write the return address. Then, when the computer exits the function, it looks at the new return address you created, and says “ok, the next instructions will be found over <here>”, which is conveniently pointing into your malicious string. The computer then just starts reading those bytes as instructions.
Note that there’s many protections against this these days, one of which is the “no execute” bit on a memory page. This tells the CPU to fault if its instruction pointer ends up pointed to that memory.
>If it’s just a string, the computer shouldn’t recognize it as an executable.
The computer has no idea what a string is. A string is a very high level concept that a programming language constructs from many lower level constructs. The CPU sees whatever bytes the instruction pointer is pointed at as code to execute. It doesn’t care how those bytes got there.
Latest Answers