I've watched a video on "Buffer overflow exploit". The guy in the video writes more bytes than the array can hold, e.g.:
#include <cstring>

int foo(const char* cp){
    char sz[10];
    strcpy(sz, cp); // consider cp is a pointer to 20 characters: this writes past the end of sz
    return 0;       // some valid return statement here
}
Above, if foo is called with an argument of 20 characters then I'm sure it is Undefined Behavior. But why did he say it can be an exploit, and how?
Just some examples:
By simply overwriting other memory content which has meaningful content. Maybe you have a bool variable behind your buffer structure which contains the access right flag. Overwriting the buffer may set the access flag and the code will give access, which was not the idea.
Corrupting the stack is also a bad thing. Maybe your return statement jumps to a wrong address or, more critically, executes some content of the buffer.
There are a lot more such things possible which can be found with every search engine!
Simple example of manipulated flag access:
#include <cstring>
#include <iostream>

struct Check
{
    char small[4];      // room for 3 characters plus the terminator
    bool accessGranted; // sits directly after the buffer in memory
};

int main()
{
    Check check{ "", false };
    strcpy( check.small, "12345" ); // 6 bytes into a 4-byte buffer: spills into accessGranted
    if ( check.accessGranted )
    {
        std::cout << "Ubs...!" << std::endl;
    }
}
BTW: I found this a bit outdated but useful paper: http://www.cis.syr.edu/~wedu/Teaching/IntrCompSec/LectureNotes_New/Buffer_Overflow.pdf
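To show what the fix looks like, here is an added example (not code from the question or the answer) of a bounded copy that refuses oversized input, so the flag sitting after the buffer can never be touched by the copy; the names `safe_copy`, `check_after_copy` and `SafeCheck` are my own.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Same layout as the answer's example: a 4-byte buffer followed by a flag.
struct Check {
    char small[4];
    bool accessGranted;
};

// Bounded copy: succeeds only if src and its NUL terminator fit in dst.
// Otherwise it returns false and leaves dst untouched, so nothing past
// the buffer (here: accessGranted) can be written.
bool safe_copy(char* dst, std::size_t dst_size, const char* src) {
    std::size_t len = std::strlen(src);
    if (dst_size == 0 || len >= dst_size) {
        return false;                // would overflow: refuse rather than truncate silently
    }
    std::memcpy(dst, src, len + 1);  // +1 copies the terminator
    return true;
}

// Hardened version of the answer's scenario. The overflowing strcpy is not
// reproduced here because its behaviour is undefined; instead the bounded
// copy is attempted and the flag's value afterwards is returned.
bool check_after_copy(const char* input, bool& copied) {
    Check check{ "", false };
    copied = safe_copy(check.small, sizeof check.small, input);
    return check.accessGranted;      // stays false whatever the input length
}

// Alternative: no fixed-size buffer at all; std::string owns and grows its memory.
struct SafeCheck {
    std::string name;
    bool accessGranted = false;
};

int main() {
    bool copied = false;
    bool granted = check_after_copy("12345", copied);  // 5 chars do not fit in 4
    std::cout << "copied=" << copied << " granted=" << granted << '\n';
    SafeCheck s;
    s.name = "12345";                                  // the flag is unaffected
    std::cout << "granted=" << s.accessGranted << '\n';
}
```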