Is it possible to overwrite the eip in the following condition when I have control over the src and the length parameters?
memcpy(float* dest, float* src, int length)
I guess it should be possible to overwrite the eip(?) but is it possible to overwrite it with something meaningful?
**Sorry for not being clear. By overwriting EIP, I mean overwriting the return pointer which would be used by the EIP register after the function returns, transferring the program execution.
If by eip you mean x86's Extended Instruction Pointer, then no, not directly (if you have anything resembling a valid implementation of memcpy). This is because x86's registers are not memory mapped. You can do it indirectly by overwriting the return value that was pushed onto the stack when memcpy was called. Then when memcpy returns it would pop this bad value into eip and try to continue executing from who knows where.

As far as overwriting it with something meaningful, that depends on what you mean by "meaningful". If you mean "something that won't make the program crash (from the OS's point of view) immediately" then yes. If you assume that you overwrite it entirely with random data then statistically you have so many pages mapped into your program in a way that they are executable, and so many possible pages of memory, and can calculate a probability that you jump to an executable page. Then you have a harder time calculating the probability that what is there can execute for very long without crashing (this is actually a form of the classic halting problem).
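The defensive side of the exchange above, as an added example that is not part of the question or the answer: a checked wrapper with the same `(float*, float*, int)` shape as the question's memcpy, plus a destination capacity so the copy can be refused before it reaches the saved return address. The names `copy_floats`, `demo` and the status codes are constructed for this example; the `int length` case it guards against is the signed-to-`size_t` conversion, where a negative length becomes a huge byte count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the checked copy (constructed for this example). */
enum copy_status { COPY_OK = 0, COPY_BAD_LENGTH = 1, COPY_TOO_LONG = 2 };

/* Hypothetical checked wrapper around the question's memcpy shape.
 * dest_cap is the destination's capacity in elements, not bytes. */
enum copy_status copy_floats(float *dest, size_t dest_cap,
                             const float *src, int length)
{
    /* A negative int would silently become a huge size_t below. */
    if (length < 0)
        return COPY_BAD_LENGTH;

    size_t n = (size_t)length;

    /* More elements than the destination holds: refuse, do not spill. */
    if (n > dest_cap)
        return COPY_TOO_LONG;

    /* Guard the byte-count multiplication itself on narrow platforms. */
    if (n > SIZE_MAX / sizeof(float))
        return COPY_TOO_LONG;

    memcpy(dest, src, n * sizeof(float));
    return COPY_OK;
}

/* Demonstration: a 4-element stack buffer as destination and a caller-
 * chosen length. Returns the status code so the outcome can be checked. */
int demo(int length)
{
    float buf[4];
    float src[16];                      /* constructed sample source data */
    for (int i = 0; i < 16; i++)
        src[i] = (float)i;

    return (int)copy_floats(buf, sizeof buf / sizeof buf[0], src, length);
}

int main(void)
{
    /* Lengths that fit, one that would run past the buffer, one negative. */
    printf("length 4  -> %d\n", demo(4));   /* 0: fits exactly */
    printf("length 5  -> %d\n", demo(5));   /* 2: would overrun buf */
    printf("length -1 -> %d\n", demo(-1));  /* 1: negative length rejected */
    return 0;
}
```

The point of carrying `dest_cap` separately is that the question's prototype has no way to express how large `dest` is; the unchecked call trusts `length` completely, which is exactly what lets an attacker-controlled length reach the saved return address the answer describes.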