Reversing : The Hacker's Guide to Reverse Engineering

compilers treat these functions as intrinsic, meaning that the compiler automatically inserts their implementation into the calling function (like an inline function) instead of calling the runtime library implementation. Here is the same vulnerable launch function from before, except that both string-manipulation calls have been compiled into the function.

Chapter7!launch:
00401060 mov eax,[esp+0x4]
00401064 lea edx,[esp-0x64]
00401068 sub esp,0x64
0040106b sub edx,eax
0040106d lea ecx,[ecx]
00401070 mov cl,[eax]
00401072 mov [edx+eax],cl
00401075 inc eax
00401076 test cl,cl
00401078 jnz Chapter7!launch+0x10 (00401070)
0040107a push edi
0040107b lea edi,[esp+0x4]
0040107f dec edi
00401080 mov al,[edi+0x1]
00401083 inc edi
00401084 test al,al
00401086 jnz Chapter7!launch+0x20 (00401080)
00401088 mov eax,[Chapter7!'string' (00408128)]
0040108d mov cl,[Chapter7!'string'+0x4 (0040812c)]
00401093 lea edx,[esp+0x4]
00401097 mov [edi],eax
00401099 push edx
0040109a mov [edi+0x4],cl
0040109d call Chapter7!system (00401102)
004010a2 add esp,0x4
004010a5 pop edi
004010a6 add esp,0x64
004010a9 ret

It is safe to say that regardless of intrinsic string-manipulation functions, any case where a function loops on the address of a stack variable, such as the one obtained by the lea edx,[esp-0x64] in the preceding function, is worthy of further investigation.
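
The heuristic from the paragraph above, turned into a small triage script (an added example, not code from the book): it parses listing lines in the WinDbg-style "address mnemonic operands" form shown above, treats each conditional jump to a lower address as a loop, and reports which loops move data through a register that a lea derived from esp. The excerpt it scans is constructed from the disassembly above, abridged to the instructions the check needs.

```python
import re

# Constructed input: the two inlined loops (strcpy, then strlen) of the
# launch listing above, abridged to plain "address mnemonic operands" lines.
LISTING = """\
00401064 lea edx,[esp-0x64]
0040106b sub edx,eax
00401070 mov cl,[eax]
00401072 mov [edx+eax],cl
00401075 inc eax
00401076 test cl,cl
00401078 jnz Chapter7!launch+0x10 (00401070)
0040107b lea edi,[esp+0x4]
0040107f dec edi
00401080 mov al,[edi+0x1]
00401083 inc edi
00401084 test al,al
00401086 jnz Chapter7!launch+0x20 (00401080)"""


def parse(listing):
    """Return [(address, mnemonic, operands)] for every instruction line."""
    rows = (re.match(r"^([0-9a-f]{8}) (\w+) ?(.*)$", l.strip())
            for l in listing.splitlines())
    return [(int(m[1], 16), m[2], m[3]) for m in rows if m]


def find_stack_loops(listing):
    """Report each backward loop (a conditional jump to a lower address) whose
    body moves data through a register that lea loaded from esp, as tuples
    (loop_start, loop_end, register, 'write'|'read')."""
    insns, hits = parse(listing), []
    for addr, mnem, ops in insns:
        t = re.search(r"\(([0-9a-f]{8})\)$", ops) if mnem[0] == "j" and mnem != "jmp" else None
        if not t or int(t[1], 16) >= addr:
            continue
        start = int(t[1], 16)
        # Registers esp-derived at loop entry: a mov/lea into one forgets it, add/sub keeps it.
        regs = set()
        for a, m, o in (i for i in insns if i[0] < start):
            if m == "lea" and "esp" in o:
                regs.add(o.split(",")[0])
            elif m in ("mov", "lea"):
                regs.discard(o.split(",")[0])
        for a, m, o in insns:
            if start <= a <= addr and m == "mov":
                dst, src = (s.strip() for s in o.split(",", 1))
                for kind, opnd in (("write", dst), ("read", src)):
                    base = re.match(r"\[(\w+)", opnd)
                    if base and base[1] in regs:
                        hits.append((start, addr, base[1], kind))
    return hits
```

On the excerpt it flags the strcpy loop as a write through edx and the strlen loop as a read through edi; only the write can run past the 0x64-byte buffer, so that is the loop to examine first.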

Stack Checking

There are many possible ways of dealing with buffer overflow bugs. The first and most obvious way is of course to try to avoid them in the first place, but that doesn't always prove to be as simple as it seems. Sure, it would take a really careless developer to put something like our poor launch in a production system,

250 Chapter 7
