It's sort of a variation of the return to libc attack. The alloca call grows the stack downward and gives me a pointer to the top (lowest address) on the stack. It's right after this where the return address will be pushed on the stack when I call foo so that's where I initialize rptr. Then in foo I just write over the return address with foo so when foo returns it jumps back to the beginning. Each time we return we move down the
Breakpoint 1, 0x0000000000400745 in main ()
(gdb) si
0x000000000040074a in main ()
(gdb) si
0x000000000040074e in main ()
(gdb) si
0x0000000000400753 in main ()
(gdb) si
0x0000000000400757 in main ()
(gdb) si
0x000000000040075a in main ()
(gdb) si
0x000000000040075f in main ()
(gdb) si
0x0000000000400764 in main ()
(gdb) si
0x0000000000400767 in main ()
(gdb) si
0x000000000040076b in main ()
(gdb) si
0x000000000040076e in main ()
(gdb) si
0x0000000000400771 in main ()
(gdb) si
0x0000000000400775 in main ()
(gdb) si
0x0000000000400779 in main ()
(gdb) info registers rsp
rsp 0x7fffffffd300 0x7fffffffd300
(gdb) si
0x000000000040077d in main ()
(gdb) info registers rsp
rsp 0x7fffffffd300 0x7fffffffd300
(gdb) si
0x0000000000400781 in main ()
(gdb) info registers rsp
rsp 0x7fffffffd300 0x7fffffffd300
(gdb) si
0x0000000000400788 in main ()
(gdb) info registers rsp
rsp 0x7fffffffd300 0x7fffffffd300
(gdb) si
0x000000000040070d in foo() ()
(gdb) info registers rsp
rsp 0x7fffffffd2f8 0x7fffffffd2f8
(gdb) si
0x000000000040070e in foo() ()
(gdb) info registers rsp
rsp 0x7fffffffd2f0 0x7fffffffd2f0
(gdb) si
0x0000000000400711 in foo() ()
(gdb) info registers rsp
rsp 0x7fffffffd2f0 0x7fffffffd2f0
(gdb) si
0x0000000000400717 in foo() ()
(gdb) info registers rsp
rsp 0x7fffffffd2f0 0x7fffffffd2f0
(gdb) si
0x000000000040071a in foo() ()
(gdb) info registers rsp
rsp 0x7fffffffd2f0 0x7fffffffd2f0
(gdb) si
0x0000000000400726 in foo() ()
(gdb) si
0x000000000040072d in foo() ()
(gdb) si
0x0000000000400731 in foo() ()
(gdb) si
0x0000000000400738 in foo() ()
(gdb) si
0x000000000040073f in foo() ()
(gdb) si
0x0000000000400740 in foo() ()
(gdb) si
0x000000000040070d in foo() ()
(gdb) info registers rsp
rsp 0x7fffffffd300 0x7fffffffd300
Note that he says it won't necessarily work on other people's machines; in other words, it depends on the compiler or the machine model.
Below is his own explanation of this answer:
The alloca call grows the stack downward and gives me a pointer to the top (lowest address) on the stack. It's right after this where the return address will be pushed on the stack when
Note the change in RSP at the places marked in red.
The last statement
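The trick above rests on one layout assumption: that the return address of the next call lands exactly one word below the block alloca hands back. Whether that holds is what makes it compiler- and machine-dependent. The following is an added example (my own code, not from the quoted answer) that checks that assumption by reading instead of writing: the callee locates its own return-address slot through the frame pointer and compares it with the "alloca pointer minus 8" guess. The helper names probe_return_slot, probe_finds_return_address and layout_matches are invented for this example; it assumes GCC or Clang on x86-64 or AArch64, where the frame record is [saved fp][return address].

```c
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the original answer's code.
 * expected_slot: where the answer assumes the return address goes
 * actual_slot:   where the callee actually finds it (0 if the frame
 *                does not have the textbook [saved fp][ret] layout) */
static uintptr_t expected_slot;
static uintptr_t actual_slot;

/* noinline keeps this a real call so a return address exists on the stack. */
static __attribute__((noinline)) void probe_return_slot(void)
{
    /* With a frame pointer: [fp+0] = saved fp, [fp+8] = return address
     * (x86-64 rbp layout; AArch64's frame record has the same shape). */
    uintptr_t *frame = __builtin_frame_address(0);
    uintptr_t ret_addr = (uintptr_t)__builtin_return_address(0);

    if (frame[1] == ret_addr)
        actual_slot = (uintptr_t)&frame[1];   /* slot confirmed by two routes */
    else
        actual_slot = 0;                      /* layout differs; do not guess */
}

/* Returns 1 when the callee could locate its own return-address slot. */
int probe_finds_return_address(void)
{
    actual_slot = 0;
    probe_return_slot();
    return actual_slot != 0;
}

/* Reproduces the answer's setup (alloca, then a call) and reports whether
 * the return address really lands 8 bytes below the alloca block. */
__attribute__((noinline)) int layout_matches(void)
{
    volatile char *block = alloca(16);
    block[0] = 0;                                   /* keep alloca alive */
    expected_slot = (uintptr_t)block - sizeof(uintptr_t);  /* the guess */

    probe_return_slot();
    return actual_slot != 0 && actual_slot == expected_slot;
}

int main(void)
{
    int found = probe_finds_return_address();
    int match = layout_matches();

    printf("return slot located via frame pointer: %s\n", found ? "yes" : "no");
    printf("alloca pointer - 8 == return slot:     %s\n", match ? "yes" : "no");
    if (!match)
        printf("  expected 0x%lx, actual 0x%lx\n",
               (unsigned long)expected_slot, (unsigned long)actual_slot);
    return 0;
}
```

On the build the answer was traced against, the second line prints "yes" (rsp was 0x7fffffffd300 after alloca and the return address went to 0x7fffffffd2f8). On another compiler, optimisation level or alignment policy it can print "no", which is the precise sense in which the original trick "won't necessarily work"; a layout check like this is the first thing to run before trusting any hard-coded stack offset.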