Hi.
I am trying to overflow an unsigned short variable in order to overwrite a saved return address and point it to an address of my preference. Let's assume the address I want to point it to is 0xbfffffff (assume it exists and is a valid, accessible address).
Code:
#include <alloca.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char** argv) {
    char *buff;
    unsigned short size, i, argumentNum, randomUnusedVar;
    size = 65535;
    // trying to overflow
    buff = alloca(size + 1);
    memset(buff, '-', size + 1);
    // read for arguments
    for (i = 1; i < argc; i++) {
        // assume input can only be %c%d i.e. a0 c10 b4
        argumentNum = atoi(argv[i] + 1);
        // assume there is some sort of protection against out of bounds access unless overflow
        if (argumentNum >= size) {
            return 1;
        }
        // assume there is protection against writing any string
        // only single characters may be written
        buff[argumentNum] = argv[i][0];
    }
    return 0;
}
Executing the code above with arguments like a0 q10 z513 will result in the characters a, q, z being written somewhere on the stack (wherever alloca() pointed buff to).
I was wondering whether, given that "single character write-only protection" against writing strings, executing the program with input like buff[66357] = "0xbfffffff"; would be prevented.
However, I am unsure whether it is still impossible to overwrite the saved return address in some way even if our made-up program has this protection.
P.S. I am doing this for educational purposes in a local environment with stack protection disabled in the gcc compiler.
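As an added example (not the poster's code), here is a hardened version of the same argument handling. The original compares argumentNum against size only after atoi()'s int result has been narrowed into an unsigned short, so the bounds check is done on an already-converted value. The defensive pattern is to parse with strtol(), validate the full value against the buffer length, and only then use it as an index. The function names parse_index and apply_writes, the "%c%d" argument convention, and the use of malloc() instead of alloca() are assumptions made here.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened replacement for the post's index parsing (added
 * example, not the original poster's code). Arguments follow the post's
 * "%c%d" convention, e.g. "a0", "q10", "z513". */

#define BUF_SIZE 65535u   /* same buffer length the post uses */

/* Parse the numeric part of arg and return it as a validated index in
 * [0, size), or -1 if the argument is malformed or out of range.
 * The range check is done on the full long value, before any narrowing
 * to a smaller integer type, so a conversion cannot alter the result. */
long parse_index(const char *arg, unsigned long size)
{
    if (arg == NULL || arg[0] == '\0' || arg[1] == '\0')
        return -1;                      /* need a character and a number */

    const char *num = arg + 1;
    if (*num == '-' || *num == '+')
        return -1;                      /* reject signed numbers outright */

    char *end = NULL;
    errno = 0;
    long value = strtol(num, &end, 10);
    if (errno == ERANGE || end == num || *end != '\0')
        return -1;                      /* overflow, no digits, trailing junk */

    if (value < 0 || (unsigned long)value >= size)
        return -1;                      /* out of bounds for the buffer */

    return value;
}

/* Write the leading character of each argument into buf at its validated
 * index. Returns the number of arguments accepted, or -1 on the first
 * rejected argument (mirroring the post's "return 1" on bad input). */
int apply_writes(char *buf, unsigned long size, int argc, char **argv)
{
    int accepted = 0;
    for (int i = 1; i < argc; i++) {
        long idx = parse_index(argv[i], size);
        if (idx < 0)
            return -1;
        buf[idx] = argv[i][0];
        accepted++;
    }
    return accepted;
}

int main(int argc, char **argv)
{
    /* Heap allocation instead of alloca(): keeping a 64 KiB writable
     * object off the stack removes the adjacency to the return address
     * that the post is probing. */
    char *buf = malloc(BUF_SIZE);
    if (buf == NULL)
        return 1;
    memset(buf, '-', BUF_SIZE);

    int n = apply_writes(buf, BUF_SIZE, argc, argv);
    if (n < 0) {
        fprintf(stderr, "rejected argument\n");
        free(buf);
        return 1;
    }
    printf("accepted %d write(s)\n", n);
    free(buf);
    return 0;
}
```

Run it with the post's sample arguments (a0 q10 z513) and it accepts all three; any argument whose number is missing, signed, has trailing characters, or is at or beyond the buffer length is rejected before it can be used as an index.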