I found this brief piece of code that I don't really understand. Obviously there is some major concept that I am missing. I was hoping someone here could explain it a little bit. This guy stores shellcode in a char array then executes the shellcode. If you run the program it works, but I don't understand why. Here is the code:
char shellcode[] = "blahblah";  /* as posted; a stand-in string. The bytes to be run sit in this global array */
int main()
{
    int *ret;                    /* a local, so it lives in main's stack frame below the saved ebp */
    ret = (int *)&ret + 2;       /* step two int slots up from ret: past the saved ebp, onto main's return address */
    (*ret) = (int)shellcode;     /* overwrite that return address with the array's address, so main's "return" jumps there */
}
I don't really understand how that results in the shellcode being executed. Thanks in advance.
I can't tell from your title whether you still want this answered. This works by chance (and requires that the program not be built with -fomit-frame-pointer). After setting up local variables, main's stack has: return address, old ebp, and ret in that order. So (int*)&ret + 2 takes the address of ret, steps up two, and is thus pointing at the return address. Writing to ret then clobbers the return address and points it at the shellcode.
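As an added example (not code from the question or the answer above), here is a read-only probe that checks whether the layout described in the answer holds on the current build and whether the question's `(int *)&ret + 2` actually reaches the return-address slot; it assumes gcc or clang builtins and an x86/x86-64 style frame (saved frame pointer with the return address one word above it) and writes nothing. It goes a bit beyond the question by reporting the real distance, which is what makes the "+ 2" fail on a 64-bit build.

```c
#include <stddef.h>
#include <stdio.h>

/* What a read-only look at probe_frame()'s own stack frame found. */
struct frame_probe {
    int fp_slot_holds_return_addr; /* 1: the word above the saved frame pointer is the return address */
    int plus2_hits_return_addr;    /* 1: (int *)&ret + 2 lands exactly on that word */
    ptrdiff_t bytes_ret_to_slot;   /* real distance from &ret to the return-address slot */
};

/* noinline: the probe must have a frame and a return address of its own. */
__attribute__((noinline))
struct frame_probe probe_frame(void)
{
    int *ret = NULL;            /* the same local the question's main() declares */
    struct frame_probe p;

    /* Without -fomit-frame-pointer, __builtin_frame_address(0) is the slot
       holding the saved ebp/rbp, and the return address is one machine word
       above it. Assumption: x86 / x86-64 style frame layout, gcc or clang. */
    char *saved_fp_slot = (char *)__builtin_frame_address(0);
    void **ret_addr_slot = (void **)(saved_fp_slot + sizeof(void *));

    /* Cross-check the located slot against the compiler's own notion of the
       return address; nothing is written anywhere. */
    p.fp_slot_holds_return_addr = (*ret_addr_slot == __builtin_return_address(0));

    /* The question steps "+ 2" in units of int. That reaches the return
       address only when an int is one stack word wide (32-bit x86). On
       x86-64 the same arithmetic moves only 8 bytes, one word, while the
       return address is at least two words above the local (past the saved rbp). */
    p.plus2_hits_return_addr = ((void *)((int *)&ret + 2) == (void *)ret_addr_slot);
    p.bytes_ret_to_slot = (char *)ret_addr_slot - (char *)&ret;
    return p;
}

int main(void)
{
    struct frame_probe p = probe_frame();
    printf("frame pointer + 1 word is the return address: %s\n",
           p.fp_slot_holds_return_addr ? "yes" : "no");
    printf("(int *)&ret + 2 reaches it:                  %s\n",
           p.plus2_hits_return_addr ? "yes" : "no");
    printf("&ret to return-address slot: %td bytes (+2 ints = %zu bytes)\n",
           p.bytes_ret_to_slot, 2 * sizeof(int));
    return 0;
}
```

Build it once as a 32-bit binary and once as 64-bit (or with -fomit-frame-pointer) and the second line of output changes, which is the "works by chance" in the answer made visible.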