...

#include "Base.h"

class Attacker: public Base {
public:
    void run () {
        // vtable is overwritten
        // do malicious things here
        // ...
    }
};

class Derived: public Base {  // Class violating ODR
public:
    void run () {
        buf_[0] = 'z';  // Looks normal, but ...
        Attacker x;  // Instantiate to get a vtable to inject
        // Copy x's vtable pointer over the slot that follows buf_ in the
        // "proper" layout (the cast to unsigned assumes a 32-bit pointer)
        *((unsigned *)(buf_ + 12)) = *((const unsigned *)(&x));
    }
    char buf_[16];  // Buffer used to overwrite vtable
};

Derived d;  // Instantiate to get malicious Derived

If the attacker module can be introduced into the system so that the linker chooses its definition of Derived in preference to the "proper" class defined in Module.cpp (which can usually be achieved by placing the attacker module before the innocuous module in the list of object files to be linked, or earlier in the shared library search path), then the virtual function table of every Derived object can be corrupted. The linker does not diagnose this: duplicate definitions of a class, or of an inline member function, are silently resolved to whichever copy is encountered first.

Compliant Solution

The solution is to ensure that no non-inline function or object has more than one definition anywhere in the program, and that no module providing a second definition is admitted into the system, whether on the link line or on the shared library search path.

...