buffer overflow exploit change function call
I am trying to perform a buffer overflow to change the call from function A to function B. Is this do-able? I know I will have to figure out how many bytes I have to enter until I have control over the return pointer, and figure out the address of function B. Is it possible to alter it so that after "x==10" we inject function B's address instead of functionA? Edit: Is it possible that after fillbuff is called, instead of returning to main, we send it to function B? Any hints is appreciated.
int fillBuff(int x){
char buff[15];
puts("Enter your name");
gets(buff);
return(x + 5);
}
void functionA(){
puts("I dont want to be here");
exit(0);
}
void functionB(){
printf("I made it!");
exit(0);
}
int main(){
int x;
x = fillbuff(5);
if (x == 10){
functionA();
}
}
Here is an article that shows how to do it: http://insecure.org/stf/smashstack.html.
Compile your program like this: gcc -g -c program.c (with the -g)
and run gdb ./a.out. After, run the command disas main. You should see the disassemble of your code and how it is organized in your memory. You can replace the main function to any other function and see its code.
For more information about disassemble see: https://sourceware.org/gdb/onlinedocs/gdb/Machine-Code.html
Running GDB and disassembling the functions on my computer, the address of functionA() is 0x400679 and the address of functionB() is 40068a. If you see the disassemble code of main function, there is a call to the address 0x400679, and what you want is to change it to 40068a.
Basically, you have to overflow the buffer in function fillBuff and after reaching the space of the pointer, you have to fill with the address. The article shows how to do it.
- Is this declaration UB?
- Calling an external C function (in a shared lib) from Perl with Inline/C does not work
- Eclipse C/C++ how to find variable belongs to which struct quickly
- Is this truly best way to delete last element in C?
- Why do we need address virtualization in an operating system?
- Can a real floating-point type alias a complex floating-point type in C?
- Shadowing an iterator inside a for loop has undefined (?) behaviour in C
- Can a C program execute successfully if main() is defined as a macro?
- Ambiguity in scope of for loop declaration versus body
- Understanding the difference in timing of two functions that increment each element of an integer array
- Why MSVC generates warning C4127 when constant is used in "while" - C
- Executing a user-space function from the kernel space
- Why must the variable used to hold getchar's return value be declared as int?
- mpirun -np 4 ./a.out doesn't use all my cores (ubuntu 24.04LTS)
- Sleep for N seconds and wait for keypress
- Dereference twice in gdb
- Is it safe to cast a struct pointer to a different struct pointer having a prefix of elements?
- Can a C compiler legally reject a program if its call stack depth exceeds a fixed limit at compile time?
- return type defaults to 'int' [-Wimplicit-int]
- What is the scope of `fesetround()`?
- Which specific optimization flag causes libm functions to be treated as pure?
- How to render text in SDL2?
- Why would you use 'extern "C++"'?
- Strange Behavior Compiler Ignoring NULL Check Unless I Print Something in the if Statement
- Fast inverse square root using fixed point instead of floating point
- What is the const qualifier attached to in C: the memory area or the pointer?
- GCC options for strictest C code?
- How to do an explicit fall-through in C
- How do compilers treat CONST qualifier when the pointer points to a memory location obtained with malloc()?
- C: cmocka headers - how to unittest?