I want to print "Hacked!" on the terminal using the buffer overflow. In other words, I want to write on the terminal a sequence of characters (for example: HelloHelloHello) reaching the return address, and add the address of the function printHacked after those characters (for example: HelloHelloHello\x00\x00\x00\x00 if the address of the function is 0x000000), in order to have "Hacked!" printed.
What do you mean by "optimized away"? Won't it be in the memory of the board after the upload?
holmes4:
If you want to print the address of a function then take its address and print it.
If you want to make Serial's output buffer overflow, then you can't! (The code stops this.)
Mark
Would you please explain a little bit more?
I don't want to print the address; I want to write a string in the terminal with the address of printHacked() in such a way that it will be called, like in the link I posted before.
But I'm also interested in how to print the address, for my knowledge. How can I do it?
OK, so if I call it once in setup(), the function will be on the board. I tried the attack but it still doesn't work.
For example, I wrote "1234567891234\x00\x00\x00\x02\x19" on the terminal and it showed me: "You said: 1234567891234\x00\x00\Hello World" but not "Hacked!"
holmes4:
What do you mean by "optimized away"? Won't it be in the memory of the board after the upload?
It was not called, so the compiler just binned it!
To get the address, just use the address operator.
You can't force a call to printHacked(), and it's very silly to try.
Mark
No, it's not silly and stupid, and please stop being so rude. It's for a project so I don't think the professor is silly or stupid!
Can you give me an example of how to use the address operator?
DarkCoffee:
OK, so if I call it once in setup(), the function will be on the board. I tried the attack but it still doesn't work.
I'm not surprised. The compiler may well "inline" the function call and not put it where you are hoping it will go.
I don't see the point of this. You don't "hack" Arduinos in the same way you hack Windows PCs. For one thing, the program code is in flash memory and cannot be modified. This seems to me to be a pointless and (if I may say so without giving offence) time-wasting exercise.
I don't want to modify the program code; I just want to reach the return address of the function readSerialString() and overwrite it with another address.
I counted 8+4+1 bytes (8 for buffer, 4 for smallbuffer, 1 for sb) = 13 bytes.
I wrote "1234567891234\x19\x02\x00\x00" and the board reset itself.
Do you know a way to find out where the return address of that function is?
Do you think it is impossible to do?
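Added example, not code from this thread or from the poster's sketch: the thread never shows readSerialString() itself, so below is a hypothetical bounded version of that kind of function, plus the "address operator on a function" that was asked about. It is plain C++ so it runs on a PC: FakeSerial is a constructed stand-in for the Arduino Serial object, the 8-byte buffer matches the size mentioned above, and guard bytes on either side of it let the test confirm that over-long input is truncated and drained rather than written past the array (which is the defect that makes the board reset). The names FakeSerial, readSerialStringBounded, readAllLines and functionAddress are assumptions; on a real board the equivalent of functionAddress is Serial.println((uintptr_t)printHello, HEX), and on AVR the value printed is a word address in flash.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in for Arduino's Serial: serves bytes from a fixed
// string and behaves like Serial.available() / Serial.read().
class FakeSerial {
public:
    explicit FakeSerial(const char* bytes) : data_(bytes), pos_(0) {}
    int available() const { return pos_ < data_.size() ? 1 : 0; }
    int read() {
        return pos_ < data_.size() ? static_cast<unsigned char>(data_[pos_++]) : -1;
    }
private:
    std::string data_;
    size_t pos_;
};

// Bounded line reader (hypothetical replacement for an unbounded
// readSerialString): stores at most cap-1 bytes, always NUL-terminates,
// and discards the remainder of the line instead of writing past buf.
// Returns bytes stored; *truncated reports whether input was dropped.
template <typename Stream>
size_t readSerialStringBounded(Stream& s, char* buf, size_t cap, bool* truncated) {
    size_t n = 0;
    *truncated = false;
    if (cap == 0) return 0;
    while (s.available()) {
        int c = s.read();
        if (c < 0 || c == '\n') break;          // end of line or stream
        if (n < cap - 1) buf[n++] = static_cast<char>(c);
        else *truncated = true;                 // drained, never stored
    }
    buf[n] = '\0';
    return n;
}

// Address operator applied to a function: the value is for printing or
// comparison only (on AVR it would be a 16-bit flash word address).
uintptr_t functionAddress(void (*fn)()) { return reinterpret_cast<uintptr_t>(fn); }

void printHello() { std::puts("Hello World"); }

// Guard bytes around the 8-byte buffer from the thread, so a test can show
// that neighbouring memory is never touched by the bounded reader.
struct Frame { char before[4]; char buffer[8]; char after[4]; };
static const unsigned char GUARD = 0xAA;

static bool guardsIntact(const Frame& f) {
    for (char c : f.before) if (static_cast<unsigned char>(c) != GUARD) return false;
    for (char c : f.after)  if (static_cast<unsigned char>(c) != GUARD) return false;
    return true;
}

struct LineResult { std::string text; bool truncated; bool guardsOk; };

// Reads every line of a constructed input through the bounded reader.
std::vector<LineResult> readAllLines(const char* input) {
    FakeSerial port(input);
    std::vector<LineResult> out;
    while (port.available()) {
        Frame f;
        std::memset(&f, GUARD, sizeof f);
        bool trunc;
        readSerialStringBounded(port, f.buffer, sizeof f.buffer, &trunc);
        out.push_back({std::string(f.buffer), trunc, guardsIntact(f)});
    }
    return out;
}

int main() {
    // Constructed input: the 13-byte line from the thread, then a short one.
    for (const LineResult& r : readAllLines("1234567891234\nHi\n"))
        std::printf("You said: %s (truncated=%d, guards ok=%d)\n",
                    r.text.c_str(), r.truncated, r.guardsOk);
    std::printf("printHello lives at 0x%lx\n",
                static_cast<unsigned long>(functionAddress(printHello)));
    return 0;
}
```

The point of the guard bytes is the check a defender wants: with the bounded reader, the 13-byte line from the thread yields the first 7 characters and a truncation flag, and nothing beyond the array is written, so no return address on the stack is ever in reach of serial input.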