...
Base abstract class (Base.h)
| Code Block |
|---|
|
class Base {
public:
virtual ~Base () {}
virtual void run () = 0;
|
Innocuous module (Module.cpp)
| Code Block |
|---|
|
# include "Base.h"
class Derived: public Base {
public:
Derived () {buf_[0] = 'a';}
void run () {buf_[0] = 'z';}
char buf_[1];
};
void runModule () {
Derived a, b;
Base *pa = &a, *pb = &b;
pb->run (); // Expect b.buf_[0] == 'z'
pa->run (); // Expect a.buf_[0] == 'z'
}
|
Malicious module (Attacker.cpp)
| Code Block |
|---|
|
# include "Base.h"
class Attacker: public Base {
public: void run () {
// vtable is overwritten
// do malicious things here
// ...
}
}
class Derived: public Base { // Class violating ODR
public:
void run () {
buf_[0] = 'z'; // Looks normal, but ...
Attacker x; // Instantiate to get a vtable to inject
*((unsigned *)(buf_ + 12)) = *((const unsigned *)(&x));
}
char buf_[16]; // Buffer used to overwrite vtable
};
Derived d; // Instantiate to get malicious Derived
|
...
