Zeiger sind einfach genial
#include <stdio.h>
#include <stdlib.h>
void func(int *i);
// Caller: looks harmless, but system(buf) runs whatever string buf points to once func() has returned
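// Demo entry point.  Prints the addresses of its two locals, hands &i to
// func(), and finally runs whatever buf points to via system().  Nothing in
// this function is malicious by itself; the point of the listing is that
// func() rewrites this frame (return address, buf) before system() is reached.
int main(void)
{
    int i = 0;
    const char *buf = "pause";   /* string literal: read-only, hence const */

    // %p is the only portable way to print a pointer; %x on a pointer argument
    // is undefined behaviour and truncates on 64-bit targets.  The casts do
    // not change the stack layout this demo depends on.
    printf("i: %p;%d\n", (void *)&i, i);
    printf("buf: %p;%p;%s\n", (void *)buf, (void *)&buf, buf);

    func(&i);   /* func() uses this address to locate main's frame */

    // Deliberately dangerous: system() executes whatever buf points to at
    // this moment.  func() may have replaced the pointer, so the command run
    // need not be the "pause" written above ("pause" itself suggests a
    // Windows shell).  Outside a demo, never hand system() data another
    // party can influence; prefer posix_spawn/exec* with an explicit argv.
    system(buf);
    return EXIT_SUCCESS;
}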
// Callee: not so harmless -- it reaches into main's stack frame (saved return address and buf)
// Demonstration of a callee tampering with its caller's stack frame.
//
// `i` is the address of main's local `i`.  Everything below depends on one
// specific, non-portable frame layout (it reads like 32-bit x86 cdecl with
// optimization off: the parameter sits just above the saved return address,
// and main's `buf` sits sizeof(int*) bytes below main's `i`).  On another
// ABI, compiler or optimization level these pointers land somewhere else.
// Pointer arithmetic that leaves the object it started from is undefined
// behaviour, so the compiler may also assume these writes never happen.
//
// Printing pointers with %x is itself undefined (use %p).  Left byte-for-byte
// as in the original so the generated code -- and with it the hard-coded +11
// below -- is not disturbed.
//
// NOTE(review): if both edits take effect, the return-address change skips
// main's system() call, so the redirected buf is never used; the two parts
// read as alternative demonstrations rather than one combined attack.
void func(int *i)
{
printf("i(dos): %x;%x\n",i,&i);
/* Part 1: avoid main's system() call by editing the saved return address. */
int *iptr;
iptr = (int*) (&i - 1); // one int below the parameter: assumed to be the saved return address
printf("iptr: %x;%x\n",iptr,*iptr);
*iptr += 11; // 11 = byte length of main's system(buf) call sequence on the original build -- TODO confirm per toolchain
printf("iptr: %x;%x\n",iptr,*iptr);
/* Part 2: redirect main's buf so that system() would run a different command. */
char **cptr;
cptr = (char**)((char*) i - sizeof(i)); // sizeof(int*) bytes below main's i: assumed to be main's buf
*cptr = "shutdown"; // overwrites the pointer, not the literal: buf now names another command
printf("cptr: %x;%x;%s\n",cptr,*cptr,*cptr);
}
Urgh, C++ >_<