> > -=-=-=-=-=-=-=-=-=-=-=-=-=
> > void function(int a, int b, int c) {
> >    char buffer1[5];
> >    char buffer2[10];
> >    int *ret;
> >
> >    ret = buffer1 + 12;
> >    (*ret) += 8;
> > }
>
> i am failing to see how this should bypass anything,
> it is all byval, not byref. this function is isolated from your prog.
> buffer1, buffer2, and ret are all disappearing when the function is
> done...

You're right to the point that all those functions and variables are gone once the function is finished. But, if you look at the stack, you'll see that the offset for "buffer1" is 8 bytes from "SFP" (your saved frame pointer), and that is 4 bytes from "RET" (not the variable, but your saved IP). So 8+4=12. As you can see, the address of "ret" (the variable) is set to buffer1 + 12, which equals the address of RET. Now, when you change whatever there is in "ret", you are in reality changing what is stored in RET, which means you can control the pointer to the next execution code after the function returns. If you do "(*ret) += 8", you are taking the RET stored address (a content pointing to the next code after return) and adding 8 to it.

> i am also failing to see how the function would affect x at all.

Now, remember that the "x=1" assignment address was 8 bytes after the function call and that you've set the return address to be exactly this point, thus the next code to be executed is what comes next to "x=1" (since the IP points to the actual instruction and the next code to be executed is the one that comes next to it), never assigning 1 to "x" (which keeps 0 as its value).
[]'s,

Rafael Coninck Teigao
SafeCore Network Solutions
http://SafeCore.NET
+55 41 224 1785
+49 175 650 2754
------------------------------------------------------------------------
"The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles." -- Jack Kerouac, "On the Road"
------------------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
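The "8 + 4 = 12" in the reply is the layout of one 32-bit compiler, not a property of C, which is why the quoted function does nothing useful (or crashes) on a modern 64-bit toolchain. The program below is an added example, not from the thread: it keeps the same locals but only measures how far buffer1 is from the saved frame pointer slot on the compiler you are running, using GCC/clang's `__builtin_frame_address(0)`, and assumes (as on x86 and aarch64) that RET sits one pointer above SFP. Nothing is written outside the arrays.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Signed byte distances from buffer1 to the SFP and RET slots as laid out
 * by the compiler in use.  A negative value means the compiler placed the
 * locals above the saved frame pointer (GCC on aarch64 does this), so the
 * "buffer1 + 12" trick would not reach RET there at all. */
typedef struct {
    ptrdiff_t buf_to_sfp;   /* buffer1 -> SFP slot (the mail's "8") */
    size_t    sfp_size;     /* width of the SFP slot (the mail's "4") */
    ptrdiff_t buf_to_ret;   /* buffer1 -> RET slot (the mail's "8 + 4 = 12") */
} frame_layout;

/* The mail's arithmetic, factored out: RET is one pointer above SFP. */
ptrdiff_t ret_offset(ptrdiff_t buf_to_sfp, size_t sfp_size)
{
    return buf_to_sfp + (ptrdiff_t)sfp_size;
}

/* Same locals as the quoted function(), but it only measures the frame.
 * noinline keeps the frame its own; __builtin_frame_address(0) yields the
 * address of the saved frame pointer slot (assumed here for x86/aarch64). */
__attribute__((noinline)) frame_layout measure_layout(int a, int b, int c)
{
    volatile char buffer1[5];      /* volatile: keep both arrays in the frame */
    volatile char buffer2[10];
    frame_layout l;

    buffer1[0] = (char)a;
    buffer2[0] = (char)b;
    buffer2[9] = (char)c;

    uintptr_t sfp = (uintptr_t)__builtin_frame_address(0);
    l.buf_to_sfp = (ptrdiff_t)(sfp - (uintptr_t)buffer1);
    l.sfp_size   = sizeof(void *);
    l.buf_to_ret = ret_offset(l.buf_to_sfp, l.sfp_size);
    return l;
}

int main(void)
{
    frame_layout l = measure_layout(1, 2, 3);
    printf("buffer1 -> SFP: %td bytes, SFP width: %zu, buffer1 -> RET: %td\n",
           l.buf_to_sfp, l.sfp_size, l.buf_to_ret);
    printf("layout described in the mail (32-bit): %td\n", ret_offset(8, 4));
    return 0;
}
```

Compile with and without `-fstack-protector` and at different `-O` levels to see the distance change; that variability is exactly what a canary or a different frame layout relies on to break code like the quoted function.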
This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 10:00:55 PDT