Can you come up with a way to get a particular method executed, without explicitly calling it? The more indirect it is, the better.
Here's what I mean, exactly (C used just for exemplification, all languages accepted):
    #include <stdio.h>

    // Call this.
    void the_function(void)
    {
        printf("Hi there!\n");
    }

    int main(int argc, char** argv)
    {
        the_function(); // NO! Bad! This is a direct call. You can't call like this.
        return 0;
    }
Solutions
You can submit your own solution in the comments section, in the same or a different programming language. If your solution is better or in a different language, we'll add it here.
C
These examples may work with the GCC compiler only. If you are new to GCC, see a step-by-step guide to installing GCC and to compiling and running a C program.
1. When compiled with GCC, the compiler replaces printf("Goodbye!\n") with puts("Goodbye!"), which is simpler and is supposed to be equivalent. I've sneakily provided my custom puts function, so that gets called instead.
    #include <stdio.h>

    // GCC folds printf("literal\n") into puts("literal"); with this definition
    // in the program, that call resolves here instead of to the C library's puts.
    int puts(const char *str)
    {
        (void)str;                        // the string GCC passed in is deliberately ignored
        fputs("Hello, world!\n", stdout);
        return 0;                         // puts must return a non-negative value on success
    }

    int main(void)
    {
        printf("Goodbye!\n");             // becomes puts("Goodbye!") under GCC
        return 0;
    }
2. By overflowing buffers! This is how malware is able to execute functions that aren't called in the code.
    #include <stdio.h>

    void the_function()
    {
        puts("How did I get here?");
    }

    int main()
    {
        void (*temp[1])();       // This is an array of 1 function pointer
        temp[3] = &the_function; // Writing to index 3 is technically undefined behavior:
                                 // it overwrites whatever sits 3 words above temp on the stack
    }
On my system, the return address of main happens to be stored 3 words above the first local variable. By scrambling that return address with the address of another function, main "returns" to that function. If you want to reproduce this behavior on another system, you might have to tweak 3 to another value.
3. This is very direct, but is certainly not a call to hello_world, even though the function does execute.
    #include <stdio.h>
    #include <stdlib.h>

    void hello_world() {
        puts(__func__);
        exit(0);
    }

    int main() {
        goto *&hello_world; // GCC "computed goto" extension: jumps to the function's address, no call instruction
    }
CSharp
    using System;

    class Solution : IDisposable
    {
        static void Main(String[] args)
        {
            using (new Solution()) ; // leaving the using block calls Dispose() on the new object
        }

        public void Dispose()
        {
            Console.Write("I was called without calling me!");
        }
    }
JavaScript
    <html>
    <body>
    <script>
        window.toString = function(){
            alert('Developer Insider');
            return 'xyz';
        };
        "" + window; // string concatenation coerces window, which invokes window.toString()
    </script>
    </body>
    </html>
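The same coercion hook, as an added example that is not part of the page (written for Node.js rather than a browser): it records which hooks the + operator and a template literal invoke on a constructed trap object, and shows a formatter that describes untrusted objects by type alone so that none of their methods can run. makeTrap, formatNaive, formatTemplate, formatSafe and demo are names assumed for this example.

```javascript
// Added example, not code from the page: string concatenation calls ToPrimitive
// on its operands, which runs user-defined valueOf/toString. Any untrusted object
// that reaches a concatenation, template literal or String(x) can therefore run
// its own code. The trap object and the formatters below are constructed for this demo.

// Constructed "trap": records which coercion hooks the runtime invokes.
function makeTrap(log) {
  return {
    valueOf() { log.push('valueOf'); return this; },   // non-primitive result, so the runtime falls through to toString
    toString() { log.push('toString'); return 'xyz'; },
  };
}

// Naive formatter: the + operator coerces with hint "default" (valueOf first, then toString).
function formatNaive(value) {
  return 'value=' + value;
}

// Template literal: coerces with hint "string" (toString first), so only one hook runs.
function formatTemplate(value) {
  return `value=${value}`;
}

// Defensive formatter: coerces primitives only. Objects and functions are
// described by their type, so none of their methods or getters ever execute.
function formatSafe(value) {
  if (value === null) return 'value=null';
  const t = typeof value;
  if (t === 'object' || t === 'function') return 'value=[' + t + ']';
  return 'value=' + String(value);
}

// Runs all three formatters against one trap and reports which hooks fired for each.
function demo() {
  const log = [];
  const trap = makeTrap(log);
  const out = {};
  for (const [name, fn] of [['naive', formatNaive], ['template', formatTemplate], ['safe', formatSafe]]) {
    log.length = 0;
    out[name] = { result: fn(trap), hooks: log.slice() };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```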
PHP
    <?php
    function super_secret()
    {
        echo 'Halp i am trapped in comput0r';
    }

    function run()
    {
        // Read this file, take the body of its first {...} block (super_secret's), and eval it.
        preg_match_all('~\{((.*?))\}~s', file_get_contents(@reset(reset(debug_backtrace()))), $x) && eval(trim(@reset($x[1])));
    }

    run();
This really, really doesn't call the method. The backtrace is read to find out which file is currently executing; we get the contents of that file as a string, then use a regex to cut the first statement out of the super_secret() method, then eval it.