I have a pretty simple program for learning about stack overflows.
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv) {
        char buf[128];                 /* lives in main's stack frame */
        if (argc < 2) return 1;
        strcpy(buf, argv[1]);          /* unbounded copy: an argv[1] longer than 127 bytes overflows buf */
        printf("Hello\n");
        return 0;
    }
The strategy is to supply a large string in argv[1] to overflow buf and overwrite the return address. But which return address? I thought it was the address saved before I entered strcpy, so that when we return normally from strcpy, we execute printf.
However, after I overflow the buffer with a shellcode payload to change this return address to my shellcode, I see that printf is still executed. Even if I add a few more printfs, they are all executed. Apparently, the return address I change only affects the return from main; otherwise I should not even see the printfs being executed.
Why would this happen? Isn't it the case that when I overrun the buffer to change the return address to my shellcode, the main program jumps to my shellcode directly without executing the next printf?
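The following is a constructed model of the stack at the moment strcpy runs inside main, added here as an example; it is not code from the question or the comments. It lays the frames out in a struct in the order they sit in memory on x86-64 Linux (lower addresses first), uses placeholder addresses (ADDR_AFTER_CALL_STRCPY, ADDR_RUNTIME_RETURN, ADDR_SHELLCODE are arbitrary constants, not real addresses from any binary), and replays the overflow to show which saved return address the copy can reach and when that value is actually consumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the stack while strcpy() is running inside main().
 * Struct members appear in increasing address order, which is how the
 * frames sit on x86-64 Linux (the stack grows toward lower addresses):
 * the callee's frame and the return address pushed by main's `call strcpy`
 * are BELOW buf, while main's own saved frame pointer and return address
 * are ABOVE it.  An over-long copy writes upward from buf.
 */
struct stack_model {
    uint8_t   strcpy_frame[32];  /* strcpy's saved registers/scratch (lowest addresses) */
    uintptr_t strcpy_ret;        /* pushed by `call strcpy`: the instruction after the call */
    uint8_t   buf[128];          /* main's char buf[128]; the copy starts here */
    uintptr_t main_saved_rbp;    /* main's saved frame pointer */
    uintptr_t main_ret;          /* main's return address (back into the C runtime) */
    uint8_t   above[16];         /* rest of the caller's frame, so the NUL lands inside the model */
};

/* Placeholder addresses chosen for the model; the casts truncate on 32-bit targets. */
#define ADDR_AFTER_CALL_STRCPY ((uintptr_t)0x401150u)             /* main's printf("Hello\n") follows */
#define ADDR_RUNTIME_RETURN    ((uintptr_t)0x7f12345678a0ull)     /* where main would normally return */
#define ADDR_SHELLCODE         ((uintptr_t)0x4141414141414141ull) /* attacker-chosen 'AAAAAAAA' */

struct run_result {
    int       strcpy_ret_intact;  /* 1 if strcpy's return address survived the overflow */
    int       printfs_executed;   /* how many of main's printf calls still ran */
    uintptr_t main_returns_to;    /* value popped by main's final ret */
};

/* Unbounded copy with strcpy semantics: keeps writing until the terminator,
 * through the model's byte representation so the overflow is visible. */
static void model_strcpy(struct stack_model *m, const uint8_t *src, size_t len)
{
    uint8_t *dst = (uint8_t *)m + offsetof(struct stack_model, buf);
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];
    dst[len] = 0;
}

/* Replay the program: overflow buf, let strcpy return, count the printf
 * calls that still run, and report what main finally returns to. */
struct run_result run_model(int printf_calls_in_main)
{
    struct stack_model m;
    memset(&m, 0, sizeof m);
    m.strcpy_ret     = ADDR_AFTER_CALL_STRCPY;
    m.main_saved_rbp = (uintptr_t)0x7ffc1000;
    m.main_ret       = ADDR_RUNTIME_RETURN;

    /* Constructed payload: 128 bytes to fill buf, one word over the saved
     * frame pointer, then the word that lands on main's return address. */
    uint8_t   payload[128 + 2 * sizeof(uintptr_t) + 1];
    size_t    len    = 128 + 2 * sizeof(uintptr_t);
    uintptr_t target = ADDR_SHELLCODE;
    memset(payload, 0x90, 128);                        /* stand-in for shellcode + padding */
    memset(payload + 128, 0x42, sizeof(uintptr_t));    /* clobbers main's saved rbp */
    memcpy(payload + 128 + sizeof(uintptr_t), &target, sizeof target);
    payload[len] = 0;

    model_strcpy(&m, payload, len);

    struct run_result r;
    /* strcpy's ret pops m.strcpy_ret, which the upward-moving copy never touched,
     * so control returns into main and every printf after the call executes. */
    r.strcpy_ret_intact = (m.strcpy_ret == ADDR_AFTER_CALL_STRCPY);
    r.printfs_executed  = r.strcpy_ret_intact ? printf_calls_in_main : 0;
    /* Only main's own ret consumes the overwritten word. */
    r.main_returns_to   = m.main_ret;
    return r;
}

int main(void)
{
    struct run_result r = run_model(3);
    printf("strcpy_ret offset %zu < buf offset %zu: below buf, out of reach of the copy\n",
           offsetof(struct stack_model, strcpy_ret), offsetof(struct stack_model, buf));
    printf("strcpy return address intact: %d\n", r.strcpy_ret_intact);
    printf("printf calls executed after strcpy: %d\n", r.printfs_executed);
    printf("main returns to: 0x%llx (attacker controlled)\n",
           (unsigned long long)r.main_returns_to);
    return 0;
}
```

The model makes the ordering explicit: the word holding strcpy's return address is at a lower offset than buf, so a copy that runs off the end of buf moves away from it and only reaches main's saved frame pointer and return address. strcpy therefore returns normally, main keeps running (every printf included), and the overwritten word is not used until main itself executes ret.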
printf is never on the stack, so how could you overwrite it? – melpomene
strcpy's stack frame because it's before buf in memory. – melpomene