Understanding and doing Code Injection in C
Question
I am a bit confused about the idea of code injection in C. If somebody could explain it and show how it's done I would appreciate it.
So let's say in C you have some char array of size 512 which is being written to with the contents of a socket of length 1024, and that char array now holds some sort of code, but only half of what was written.
How is the malicious code executed in a buffer overflow? I think I am confused on the process structure (stack, heap, data, text).
Answer
The general trick has to do with how the program's code and variables are laid out in memory. For example, when a function is called the program (code inserted by the compiler) must store the address of the instruction to return to. So if this is the 32-bit word just before the beginning of the stack variables, one could do:
#include <stdio.h>

void foo()
{
    int array[5];
    int var = 0;
    int var2 = 0;
    // read in user input
    printf("Enter index and value to write:");
    scanf("%i", &var);   // scanf needs the address of the variable
    scanf("%i", &var2);
    // malicious user might set var to -1 and var2 to an address to execute
    // if say the 32-bit value before the stack variables is the instruction to
    // return to
    array[var] = var2;   // no bounds check: a negative index writes outside the array
    // return now goes to malicious code
}
(So your job is to construct code so that such a thing is not possible. 🙂 )
The rules for how a function call is implemented, stack variables allocated, values passed, and return values returned back are called the calling convention. I recommend reading the attached article for a good in-depth coverage of C calling conventions.
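As an added example that is not part of the original answer, here is the hardened counterpart of foo() above together with a bounded copy for the 512-byte buffer from the question: the index is checked against the array's real bounds before any write, and received data is truncated to the destination size instead of spilling into adjacent stack memory. ARRAY_LEN, store_checked and copy_bounded are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARRAY_LEN 5

/* Hardened version of the write in foo(): the index is validated against
 * the array's real bounds before any store, so a negative or too-large
 * index can never reach the saved return address or other stack data.
 * Returns 0 on success, -1 when the index is rejected. */
int store_checked(int array[ARRAY_LEN], long index, int value)
{
    if (index < 0 || index >= ARRAY_LEN) {
        return -1;              /* refuse instead of writing out of bounds */
    }
    array[index] = value;
    return 0;
}

/* Copy received data into a fixed-size buffer (the 512-byte array fed
 * 1024 bytes from a socket in the question). Excess input is truncated
 * rather than overwriting whatever follows the buffer on the stack.
 * Returns the number of bytes actually stored. */
size_t copy_bounded(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    size_t n = src_len < dst_len ? src_len : dst_len;
    memcpy(dst, src, n);
    return n;
}

int main(void)
{
    int array[ARRAY_LEN] = {0};
    long idx;
    int val;
    printf("Enter index and value to write: ");
    if (scanf("%ld %d", &idx, &val) != 2) {
        return 1;               /* malformed input: do not proceed */
    }
    if (store_checked(array, idx, val) != 0) {
        puts("index out of range, write refused");
        return 1;
    }
    printf("array[%ld] = %d\n", idx, val);
    return 0;
}
```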