memcpy overflow

Is it possible to overwrite the eip in the following condition when I have control over the src and the length param开发者_JAVA技巧eters?

memcpy(float* dest,float* src, int length)

I guess it should be possible to overwrite the eip(?) but is it possible to overwrite it with something meaningful?

**Sorry for not being clear. By overwriting EIP, I mean overwriting the return pointer which would be used by the EIP register after the function returns, transferring the program execution.

---

Since eip is a register, you cannot overwrite it. You can only overwrite values on the stack. A buffer overflow attack involves overwriting the return value of a function, thereby passing execution to data that can be interpreted as code which you have placed somewhere in memory.

In response to your clarification:

Yes. Since the return pointer is pushed on the stack when a function is called, you can write to this memory location. It will be found just above any allocations for variables (assuming the x86 architecture and the default calling convention). You can write a value here pointing to the very next memory location, where you should load binary data corresponding to processed assembly language instructions. Note that by doing as I have described, you have destroyed the stack and any chance of the program continuing to execute after your injected code. To do that, you must save the return address somewhere else on the stack and write a shellcode that copies it to the correct location, then executes a return.

I also assume that the dest parameter is controllable. If you can't place the data where you want it, it's useless to you

---

If by eip you mean x86's Extended Instruction Pointer, then no, not directly (if you have anything resembling a valid implementation of memcpy). This is because x86's registers are not memory mapped. You can do it indirectly by overwriting the return value that was pushed onto the stack when memcpy was called. Then when memcpy returns it would pop this bad value into eip and try to continue executing from who knows where.

As far as overwriting it with something meaningful, that depends on what you mean by "meaningful". If you mean "something that won't make the program crash (from the OS's point of view) immediately" then yes. If you assume that you overwrite it entirely with random data then statistically you have so many pages mapped into your program in a way that they are executable, and so many possible pages of memory, and can calculate a probability that the you jump to a executable page. Then you have a harder time calculating the probability that what is there can execute for very long without crashing (this is actually a form of the classic halting problem ).

---

What do you mena by "overwrite eip"?

EIP is a register, not memory. It will not be overwritten.

It may be possible for the memcpy to overwrite the instruction stream in memory pointed to by EIP. But code pages are usually not too close to data/stack/heap pages, and are often read-only too.

What is more common is that data on the heap or stack is overwritten, which subsequent instructions use as an address to load into EIP — for example, if a function pointer is overwritten and used as a callback, or if the return address is overwritten and jumped to.

(In your example, you've said that src and length are controlled, but what about dest?)