Stack3 looks at environment variables and how they can be set, and at overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP).
Hints
Both gdb and objdump are your friends in determining where the win() function lies in memory.
Source code
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}
There is a function pointer fp, which is set to 0. If fp is non-zero after the gets() call, the program jumps to the address stored in it.
The win function is what we want to call. However, it is not called by main.
Therefore we have to redirect program execution by overwriting the fp pointer.
In order to do that, we have to know the address of the win function.
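As an added example (not part of the exercise or its source), the following C program models the frame described above as a struct, with the 64-byte buffer sitting directly below fp, and contrasts a gets()-style unbounded read with an fgets()-style bounded read to show which one leaves fp untouched. The struct layout, the padding-free adjacency and the function names are assumptions for illustration, not the real binary's frame.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed model of main()'s frame: buffer[64] immediately followed by fp.
 * The real frame may contain padding; this is an illustration only. */
struct frame {
    char buffer[64];
    void (*fp)(void);
};

/* Mimics gets(): copies everything it is handed with no bounds check.
 * (The demo stops at the edge of the struct so it stays in bounds itself;
 * the real gets() has no such limit.) */
size_t unbounded_read(struct frame *f, const char *input, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, input, len);          /* spills into fp once len > 64 */
    return len;
}

/* Mimics fgets(buffer, sizeof buffer, stdin): at most 63 chars plus NUL,
 * so nothing can reach fp regardless of input length. */
size_t bounded_read(struct frame *f, const char *input, size_t len) {
    size_t n = len < sizeof f->buffer - 1 ? len : sizeof f->buffer - 1;
    memcpy(f->buffer, input, n);
    f->buffer[n] = '\0';
    return n;
}

/* Fills the frame from a constructed run of 'A's of input_len bytes and
 * returns 1 if fp was clobbered, 0 if it is still 0 as main() set it. */
int fp_clobbered(int bounded, size_t input_len) {
    struct frame f;
    char input[128];                 /* constructed sample input */
    memset(input, 'A', sizeof input);
    if (input_len > sizeof input) input_len = sizeof input;
    f.fp = 0;
    if (bounded) bounded_read(&f, input, input_len);
    else         unbounded_read(&f, input, input_len);
    return f.fp != 0;
}

int main(void) {
    printf("64 bytes, gets-style : fp clobbered? %d\n", fp_clobbered(0, 64));
    printf("68 bytes, gets-style : fp clobbered? %d\n", fp_clobbered(0, 68));
    printf("68 bytes, fgets-style: fp clobbered? %d\n", fp_clobbered(1, 68));
    return 0;
}
```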