Modifying the LR saved in the call stack

Deliberately reach the saved LR through an out-of-bounds array access: the function's local array sits in the local-variable area, very close to the saved LR.

/************************************************
 * Copyright(C) zhaixue.cc. All rights reserved
 *
 * Filename: stack-overflow.c
 * Author: litao.wang
 * E-mail: 3284757626@qq.com
 * Description:
 * Create: 2017-11-22 11:11:24
 * Last Modified: 2017-11-22 11:32:37
 ************************************************/
#include <stdio.h>

void shellcode(void)
{
    printf("virus run success!\n");
    while (1);
}

void f(void)
{
    int a[4];
    int tmp;

    a[8] = (int)shellcode;  // out-of-bounds write reaches the saved LR (32-bit ARM: a pointer fits in an int)
    tmp = a[4];
    a[4] = 3;
    printf("a[6] = %d\n", a[6]);
    a[4] = tmp;
}

int main(void)
{
    f();
    printf("hello world!\n");  // never reached: f() returns into shellcode()
    return 0;
}
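The corruption above is exactly what a stack guard word is placed to catch. The following added example (not part of the original page) models f()'s frame as a struct so the layout is fixed and the check is testable; the frame layout, the CANARY_VALUE and the 0x8000 return address are constructed for the demo, not taken from a real compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of f()'s frame: local array, then a guard word, then the
 * saved LR. Real frame layouts vary; only the guard's position matters here. */
struct frame {
    int32_t  a[4];       /* local array, as in the original f() */
    uint32_t canary;     /* guard between the locals and the saved LR */
    uint32_t saved_lr;   /* return address to protect */
};
#define CANARY_VALUE 0xC0DECAFEu  /* fixed for the demo; real guards are random */

/* Unchecked a[idx] = val as in the original: nothing validates idx, so indices
 * past 3 land on the guard and the saved LR. memcpy on the frame's bytes keeps
 * the model itself well-defined C. */
static void unchecked_store(struct frame *fr, size_t idx, int32_t val) {
    size_t off = offsetof(struct frame, a) + idx * sizeof(int32_t);
    if (off + sizeof val > sizeof *fr) return;   /* stay inside the model */
    memcpy((unsigned char *)fr + off, &val, sizeof val);
}

/* The fix: refuse any index outside the array before touching memory. */
static int checked_store(struct frame *fr, size_t idx, int32_t val) {
    if (idx >= sizeof fr->a / sizeof fr->a[0]) return 0;
    fr->a[idx] = val;
    return 1;
}

/* Epilogue check (what -fstack-protector does before LR is restored):
 * 1 if the saved LR may be trusted, 0 if the guard was clobbered. */
static int frame_return_ok(const struct frame *fr) {
    return fr->canary == CANARY_VALUE;
}

/* A contiguous six-word overflow rolls over the guard on its way to the saved
 * LR, so the check fails. Returns 1 when the corruption is detected. */
int demo_overflow_detected(void) {
    struct frame fr = { {0, 0, 0, 0}, CANARY_VALUE, 0x8000u };
    for (size_t i = 0; i < 6; i++) unchecked_store(&fr, i, 0x41414141);
    return !frame_return_ok(&fr) && fr.saved_lr == 0x41414141u;
}

/* With bounds checking the out-of-range index is refused, in-range writes
 * still work, and the saved LR is untouched. Returns 1 when all three hold. */
int demo_checked_store_protects(void) {
    struct frame fr = { {0, 0, 0, 0}, CANARY_VALUE, 0x8000u };
    int rejected = checked_store(&fr, 5, 7) == 0;
    int in_range = checked_store(&fr, 3, 7) == 1 && fr.a[3] == 7;
    return rejected && in_range && frame_return_ok(&fr) && fr.saved_lr == 0x8000u;
}
```

A guard word only catches writes that pass through it, so the index check, not the canary, is the fix that removes the bug; the canary turns a silent hijack of the return address into a detectable abort.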