Tuesday, September 18, 2007

/GS pointer subterfuge

Ok so after people complained of not having a valid code example for my previous post 'smoke & mirrors', here we go:

-- begin snip --

#include <stdio.h>

void meow(void);
void woot(void);

int main(void)
{
    meow();
    return 0;
}

void meow(void)
{
    int x;
    int *y;

    /* Frame-layout assumption for 32-bit x86 as the author compiled it:
       three ints past x sits meow()'s saved return address. */
    y = &x+3;
    /* Casting a function pointer to int assumes 32-bit pointers, as in the
       original. The write lands on the return address only, so the /GS
       cookie between the locals and the return address is never touched. */
    *y = ((int )woot);

    return;
}

void woot (void)
{
    printf("owned\n");
    return;
}

-- end snip --

woot() is never called directly; instead its address is written through the offset pointer onto the saved return address, so when meow() returns, execution jumps to woot(). /GS does nothing to stop it.
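To make concrete what the cookie does and does not cover, here is an added model (not the post's code, and not a real stack): a struct stands in for a /GS frame with locals, cookie and saved return address, and a check function stands in for the epilogue compare against __security_cookie. A contiguous overrun of the buffer trips the check; a single write that skips over the cookie, like the &x+3 idiom above, does not.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a /GS-protected frame: locals, then the cookie,
   then the saved return address (the layout /GS arranges). */
typedef struct {
    char buf[16];
    uint32_t cookie;
    uint32_t saved_ret;
} frame_t;

/* Stand-in for __security_cookie; a fixed constructed value. */
static const uint32_t g_cookie = 0xA1B2C3D4u;
#define ORIG_RET 0x00401000u   /* constructed "real" return address */

static void frame_init(frame_t *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->cookie = g_cookie;
    f->saved_ret = ORIG_RET;
}

/* Models the epilogue check /GS inserts: 1 = intact, 0 = corrupted. */
static int gs_check(const frame_t *f)
{
    return f->cookie == g_cookie;
}

/* Contiguous overrun of buf: the bytes run through the cookie into the
   return slot, so the check fires. Returns 1 if the corruption is caught. */
int contiguous_overflow_detected(void)
{
    frame_t f;
    char junk[24];                 /* 16 (buf) + 4 (cookie) + 4 (ret) */
    frame_init(&f);
    memset(junk, 'A', sizeof junk);
    memcpy(&f, junk, sizeof junk); /* byte copy over the whole frame */
    return !gs_check(&f) && f.saved_ret != ORIG_RET;
}

/* Targeted write past the cookie (the &x+3 idiom): the return slot
   changes but the cookie is untouched, so the check stays silent.
   Returns 1 if the corruption goes undetected. */
int pointer_write_evades_check(void)
{
    frame_t f;
    frame_init(&f);
    f.saved_ret = 0xDEADBEEFu;     /* constructed stand-in for &woot */
    return gs_check(&f) && f.saved_ret != ORIG_RET;
}
```

The model is why a cookie is a check for one corruption pattern (linear overrun of locals) rather than a general return-address guard.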

1 comment:

anthony mckay said...

Come on, what is this, 1999?
Of courrrse that works, 'cause you aren't obliterating your stack cookies that would normally get checked. Let's get busy with the year 2008, brother!