Hello all.
I want to find the return address where execution should jump after returning from a function.
Say this is my code:

void foo(){
}
int main(){
 foo();
printf("After foo..");
return 0;
}

After foo() returns, how to find the rturn address where control will be passed?

Thank you....

First, this is HIGHLY dependent on your current implementation. Change anything at all, and it might break.
It also means you need to tell us exactly what you have if you ever hope of a useful answer.

Second, why do you need to know, and what are you going to use the answer for (there's probably a better way).

Alright then.
I m trying to smash the stack.
I am trying to modify the return address so that i divert the execution elsewhere.
This is my code :

#include<stdio.h>

void function() {
   char buffer1[5];
   buffer1[0] = 'Z'; 	
   char *ret = &buffer1[0];
   printf("\nbuffer1 is pointing at : %p", &buffer1); 	
   printf("\nret is pointing at address : %p and contains: %c",ret, *ret);	
   ret = buffer1 + 8;//point to where return address is stored..hope this is correct
   printf("\nret is now pointing at address: %p",ret);
  
   (*ret) += 8;//modify return address 
  	
}

int main() {
  int x;
  x = 0;
  function();
  x = 5;//we are skipping the execution of this assignment....
  printf("\nx = %d\n",x);//shud print 0
  return 0;
}

heres the op:

buffer1 is pointing at : 0xbf85bd4f
ret is pointing at address : 0xbf85bd4f and contains: Z
ret is now pointing at address: 0xbf85bd57
x = 5

You will have to know how a stack frame is implemented on your system. I don't know if it is the same for all (or most) x86 systems, but from looking at this article on wikipedia it looks like it could be this:

+==========================+-+
| locals for function()    | |
+==========================+ |
| return address           |  -->  stack frame for function()
+==========================+ |
| parameters for function  | |
+==========================+-+

I did some toying around with C, and came up with this:

#include<stdio.h>

void somefunct();
void anotherfunct();

int main(){
    
    somefunct();

    printf("returned to main!\n");

    return 0;

}

void somefunct(){

    int *ptr = (int*)&ptr + 2;
    *ptr = (int)&anotherfunct;

}

void anotherfunct(){

    printf("I win!\n\n");

}

this prints the output:

~/c/t $ ./retaddr
I win!

Segmentation Fault
~/c/t $

The segmentation fault is because the stack is set up to return to main, and then return to the system once main completes. But since the return address is bashed to returned to yet another function, that function get's main's call stack. I have no idea what this does, but I'm assuming it is bad.

I had to play with the magic number (which turned out to be 2) for a bit, but I'm not exactly sure about why 2. I could play with it more and find out just how the stack frame looks, but I'll leave that up to you.

For fun, compile my code on your machine and see if you get identical output. Try it on a windows box. The behavior of this sort of thing depends heavily on the compiler and system.

I would play with this more but it's 2AM and time to get some rest.

Your function should be like this

void function() {
   int a;
   *(&a+2)+=0x07; 	
}

Edited 6 Years Ago by arajak: n/a

Yes I know the thread is almost a year old but this seemed like an interesting questions and there was no follow up

@winrawr I ran your code in a Windows machine and it worked. No seg fault no nothing

This article has been dead for over six months. Start a new discussion instead.