stack_rop.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/*
 * foo - copy the caller's string into a fixed-size stack buffer.
 *
 * This is the deliberately vulnerable routine of the experiment: `str` is
 * copied into the 100-byte local `buffer` with strcpy(), which performs no
 * length check. A string of 100 characters or more is written past the end
 * of `buffer` into the rest of the stack frame, which is undefined
 * behaviour.
 *
 * The defensive form is a bounded copy that rejects or truncates over-long
 * input, e.g. snprintf(buffer, sizeof buffer, "%s", str) with the return
 * value checked. Stack protectors, a non-executable stack and address
 * randomisation only limit the consequences; they do not remove the bug.
 *
 * str: NUL-terminated input string; its length is not validated here.
 * Returns 1 unconditionally.
 */
int foo(char *str)
{
char buffer[100];
unsigned int *framep;
// Copy ebp into framep
// NOTE(review): EBP is the 32-bit x86 frame-pointer register, so this
// statement ties the file to a 32-bit x86 build.
asm("movl %%ebp, %0" : "=r" (framep));
/* print out information for experiment purpose */
/* The casts to unsigned assume a pointer fits in an unsigned int. */
printf("Address of buffer[]: 0x%.8x\n", (unsigned)buffer);
printf("Frame Pointer value: 0x%.8x\n", (unsigned)framep);
/* The following statement has a buffer overflow problem */
/* strcpy() stops only at the first NUL byte in str, never at sizeof buffer. */
strcpy(buffer, str);
return 1;
}
/*
 * Experiment helper: reports how many times it has been entered.
 * The counter has static storage duration, so the total persists
 * across calls for the lifetime of the process.
 */
void bar()
{
    static int call_count = 0;

    call_count += 1;
    printf("The function bar() is invoked %d times!\n", call_count);
}
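/*
 * Experiment helper: prints its argument as upper-case hexadecimal,
 * zero-padded to at least eight digits.
 *
 * x: value to display.
 */
void baz(int x)
{
    /*
     * %X consumes an unsigned int. Converting explicitly keeps the argument
     * type in step with the conversion specifier, including for negative x.
     */
    printf("The value of baz()'s argument: 0x%.8X\n", (unsigned int)x);
}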
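/*
 * Entry point of the experiment program.
 *
 * If the MYSHELL environment variable is set, prints its value and the
 * address it is stored at. Then reads the contents of the file "badfile"
 * from the current directory and passes them to foo() as a string.
 *
 * The file contents are untrusted input. The read buffer (2000 bytes) is far
 * larger than the 100-byte buffer foo() copies into, so this function does
 * not protect foo() from over-long input; it only makes sure that what it
 * passes on is a properly terminated string that came from the file.
 *
 * Returns 1 after foo() returns (unchanged from the original program), or 2
 * if "badfile" cannot be opened or read.
 */
int main(int argc, char **argv)
{
    char str[2000];
    FILE *badfile;
    size_t len;
    char *shell = (char *)getenv("MYSHELL");

    (void)argc;
    (void)argv;

    if (shell) {
        /* The cast assumes a pointer fits in an unsigned int (32-bit build). */
        printf("The '%s' string's address: 0x%.8x\n", shell,
               (unsigned int)shell);
    }

    badfile = fopen("badfile", "r");
    if (badfile == NULL) {
        /* Previously a missing file led to fread() on a NULL stream. */
        perror("badfile");
        return 2;
    }

    /* Leave one byte free so the data can always be NUL-terminated. */
    len = fread(str, sizeof(char), sizeof str - 1, badfile);
    if (ferror(badfile)) {
        perror("badfile");
        fclose(badfile);
        return 2;
    }
    fclose(badfile);

    /*
     * Without a terminator, the strcpy() in foo() would keep reading past
     * the bytes actually loaded, into uninitialised parts of str and beyond.
     */
    str[len] = '\0';

    foo(str);
    printf("Returned Properly\n");
    return 1;
}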