Playing with the return address
Posted by Fotis on June 7, 2006
Try this
#include <stdio.h>
#include <stdlib.h>

void lala(void)
{
    printf("Hello world!\n");
    exit(0);
}

int main(void)
{
    /* Put the address of lala() in %eax (the "a" constraint) and store it over
     * main's saved return address, which sits at 4(%ebp) in a 32-bit build
     * with a frame pointer (e.g. gcc -m32 -O0 -fno-omit-frame-pointer). */
    asm("movl %%eax, 4(%%ebp)" : : "a" (lala));
}
Isn’t it nice?
What we're doing here is very simple: we just overwrite the return address saved by main() and replace it with the address of lala(). When main() returns, it "returns" into lala(), which calls printf. Nice, isn't it? Btw, this only works on 32-bit x86, because it relies on the saved return address sitting at 4(%ebp) when main()'s epilogue runs, i.e. on the compiler keeping a frame pointer.
June 8, 2006 at 12:29 pm
IIRC this is the mechanism buffer overflow exploits are based on. Nice piece of code! Btw, I didn't know this type of asm syntax.
June 8, 2006 at 11:35 pm
Yes, most buffer overflow exploits work like this. But there are other ways to exploit a bug like this, e.g. overwriting a function pointer with the address of another "interesting" function like "system", or overwriting a pointer to the location of the argument of a function like "system" again.
June 9, 2006 at 11:57 am
What does asm() do? I can see the first part is:
movl %eax, 4(%ebp)
but what are the : : etc after that? Would you mind explaining what goes under the hood?
December 20, 2007 at 12:52 pm
I would like to see a continuation of the topic