I am trying to overwrite a char and a function pointer on the stack. Based on what I found on this question (How can I store a value at a specific location in the memory?) I was able to figure out how to overwrite the character. My problem now is that I get a compile error saying I am casting it wrong.

void foo(char letter);
void bar(char letter);
void function2();          // forward declaration; function2 is defined below function1

void function1()
{
  char letter;             // the local that function2 tries to overwrite
  void (*pointer)(char);
  pointer = foo;
  letter = 'B';
  function2();
  (*pointer)(letter);      // intended to call bar('A') after the overwrite
}

void function2()
{
  int number; // Used in omitted code

  *(char *)(&number + 75) = 'A';
  *(void (*)(char)) (&number + 42) = &bar; // This is the line with the error
}

The first injection works but the second one gives me a compile error.

I am running Redhat Linux using a g++ compiler. The error I get from the compiler is:
"cannot convert ‘void (*)(char)’ to ‘void(char)’ in assignment"

If I change that line to *(void(char)) then the compiler says:
"invalid cast to function type ‘void(char)’"

What is the proper syntax for this?

(This is modified code from a school security assignment, I'm not writing malware)

Schuyler (edited by Community)
  • If you want to write the address of `pass` to a location in memory, don't try to cast a memory address to a function pointer. Cast your function pointer to a memory address. – Red Alert Feb 07 '15 at 03:35
  • It would be good to post the exact output of the compiler and indicate clearly which line the error happens on. Also, since you are trying to do tricky stuff and might be running into compiler optimization issues, you should say exactly what compiler you are using, what command you used to compile, and the operating system you are running. – David Grayson Feb 07 '15 at 03:36
  • so you are trying to write malware, and come to SO for help? – Ryan Feb 07 '15 at 03:42
  • @RedAlert How would I do that? – Schuyler Feb 07 '15 at 03:43
  • @self, are you trolling? This is a very common Computer Science topic, for Security courses. – Hanlet Escaño May 26 '15 at 07:44

1 Answer

Your goal is to write the address of pass to memory, so why are you casting (&number + 13) to a function pointer? Just do what you did before:

*(long *)(&number + 13) = (long)&pass;

And you won't get a compiler error. As to what will happen when this undefined behavior is invoked, you'll just have to see.

Edit: As @DavidGrayson pointed out, if we dereference the right side of the equation, we'd get the contents of the function, not its pointer. So we have to cast it to a POD type, not a pointer.

Red Alert
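Both the syntax the question asks for (a cast to pointer-to-function-pointer) and the integer-store form from the answer, as an added example that is not code from the original post or its answer. It stands a struct with a known layout in for "a char and a function pointer on function1's stack" so the target addresses are computed with offsetof() instead of guessed from a local in another frame; the struct, function and helper names (frame_like, handler_t, run, int_elements_to_bytes) are assumptions made for the example. It also shows why `&number + 13` does not move 13 bytes.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

typedef void (*handler_t)(char);

// Two callable targets standing in for foo/bar; they record what ran.
static char last_letter = 0;
static const char *last_func = "none";

void foo(char letter) { last_letter = letter; last_func = "foo"; }
void bar(char letter) { last_letter = letter; last_func = "bar"; }

// Assumed stand-in for "a char and a function pointer on function1's
// stack": one object with a known layout, so the target addresses come
// from a base pointer plus offsetof() rather than from a guessed distance
// to a local in another frame. Writes through these addresses are
// well-defined; the cross-frame writes in the question are not.
struct frame_like {
    char letter;
    handler_t pointer;
};

// The answer stores the address as a 'long'; uintptr_t is the portable
// choice, and this check confirms it really is the size of the slot.
static_assert(sizeof(uintptr_t) == sizeof(handler_t),
              "function pointer does not fit in uintptr_t");

// Form 1: cast the address to POINTER-TO-function-pointer, then store.
// '*(void (*)(char))addr' dereferences to the function type 'void(char)',
// which is exactly the "cannot convert 'void (*)(char)' to 'void(char)'"
// error; one more '*' inside the cast fixes it.
void write_fnptr_via_pointer_cast(void *base, size_t byte_offset, handler_t target) {
    *(handler_t *)((char *)base + byte_offset) = target;
}

// Form 2 (the answer's approach): convert the function pointer to an
// integer and store that. memcpy writes the same bytes as
// '*(long *)addr = (long)&target' without the aliasing problem.
void write_fnptr_via_integer(void *base, size_t byte_offset, handler_t target) {
    uintptr_t raw = (uintptr_t)target;
    memcpy((char *)base + byte_offset, &raw, sizeof raw);
}

void write_char(void *base, size_t byte_offset, char c) {
    *((char *)base + byte_offset) = c;
}

// Caveat on '&number + N': pointer arithmetic on an int* moves
// N * sizeof(int) bytes, not N bytes. Use this when turning a guessed
// element count into the byte distance it actually covers.
size_t int_elements_to_bytes(int elements) {
    return (size_t)elements * sizeof(int);
}

// Inject the letter and the new function pointer, then call through the
// overwritten pointer. Returns the name of the function that ran.
const char *run(bool use_integer_form, char *letter_out) {
    frame_like f;
    f.letter = 'B';
    f.pointer = foo;

    write_char(&f, offsetof(frame_like, letter), 'A');
    if (use_integer_form)
        write_fnptr_via_integer(&f, offsetof(frame_like, pointer), bar);
    else
        write_fnptr_via_pointer_cast(&f, offsetof(frame_like, pointer), bar);

    (*f.pointer)(f.letter);      // now reaches bar('A'), not foo('B')
    *letter_out = last_letter;
    return last_func;
}

int main() {
    char c = 0;
    const char *which = run(false, &c);
    printf("pointer-cast form: %s('%c')\n", which, c);
    which = run(true, &c);
    printf("integer form:      %s('%c')\n", which, c);
    printf("&number + 13 moves %zu bytes on this platform\n", int_elements_to_bytes(13));
    return 0;
}
```

Either write form lands `bar` in the pointer slot; the difference is only in how the compiler is told to treat the destination. When the destination is a guessed stack offset rather than an offsetof() result, remember that `&number + 13` is scaled by sizeof(int), so a miss by a few bytes is likely before the first successful redirect.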