
buffer overflow vulnerabilities

Name: Anonymous 2009-02-18 20:46

#include <stdio.h>

/* gets() has no way of knowing how large s is, so any input longer than
 * the buffer is written past its end: the bug this thread is about. */
void f(char *s) {
    gets(s);
}

int main(void) {
    char input[100];
    f(input);
    return 0;
}

The input here isn't checked. If you enter more than 100 characters as input to this program, you can overwrite certain offsets of the stack. I'm told that you can overwrite it in such a way that the return address of gets() is overwritten to point to the beginning of input[], and you can craft the first 100 chars of input to be machine code, so then once gets() returns it executes your machine code.

The concept is pretty simple to understand, but I'm having some trouble grasping how exactly I would do that. Could a more knowledgeable person than myself help me understand how to do that?

For example, how would I craft the input to this program so that it prints "123"? Do I have to be familiar with x86 asm to be able to do this? (100 chars might not be enough, I don't know).

Thanks in advance for any help.
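
The fix for the bug described above, as an added example that is not code from this thread: the bounded read below replaces the f()/gets() pair, so a line longer than input[] is truncated and reported rather than written over the stack. The function names and the constructed 150-byte input are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added example (not the poster's code): bounded replacement for f()/gets().
 * fgets() writes at most cap-1 bytes plus the terminator, so an over-long
 * line is reported instead of being written past the end of the buffer. */
enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };
static enum read_status read_line_bounded(char *dst, size_t cap, FILE *in) {
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) {
        if (cap > 0) dst[0] = '\0';
        return READ_EOF;
    }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';             /* strip the newline, as gets() did */
        return READ_OK;
    }
    /* No newline: either the line was longer than the buffer (the input the
     * post describes) or the stream simply ended. Peek one byte to tell. */
    int c = fgetc(in);
    if (c == EOF) return READ_OK;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* drain the rest of it */
    return READ_TRUNCATED;
}
/* Feeds a constructed input through the reader via a temporary file
 * (standard C, no platform extras) and returns the status for checking. */
static enum read_status run_on(const char *input, char *dst, size_t cap) {
    FILE *in = tmpfile();
    if (in == NULL) return READ_EOF;
    fputs(input, in);
    rewind(in);
    enum read_status st = read_line_bounded(dst, cap, in);
    fclose(in);
    return st;
}
/* Builds the classic over-long line of `len` 'A' bytes and reads it. */
static enum read_status run_oversize(size_t len, char *dst, size_t cap) {
    char *line = malloc(len + 1);
    if (line == NULL) return READ_EOF;
    memset(line, 'A', len); line[len] = '\0';
    enum read_status st = run_on(line, dst, cap);
    free(line);
    return st;
}
int main(void) {
    char input[100];                   /* same size as in the post */
    enum read_status st = run_oversize(150, input, sizeof input);
    printf("status=%d stored=%zu bytes\n", (int)st, strlen(input));
}
```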

Name: Anonymous 2009-02-18 21:48

>>10
Won't necessarily work since it puts strings in the data section, and may use absolute offsets. For shellcode, you'll have to take the address of the string which could be located randomly on the stack to be able to print it. A simple solution is something like this:

call @next

db '123',0

@next:
push expectedPrintfAddressInApplication ; for *nix you can use syscalls, or if you know the function is included in the application, find its address. Note that I did not use call expectedPrintfAddressInApplication, because calls are relative to location in memory of said code
ret

Another solution for this would be to overwrite the value before the stack pointer with the location of your string and the return address with printf's address, but that's less flexible.

Another tip:

Base-independent code can be made like this:

start:
call $+5
pop ebp
sub ebp,5 ; ebp now contains addr of start

push [ebp+((offset sz123)-(offset start))]
push printf
retn
sz123: db '123',0


In the event you're overflowing a string (NULL-terminated), you can just make a simple decryptor for your code and have it such that it doesn't contain nulls. This still leaves you with the problem of having nulls in offsets; this can generally be solved by adding an extra magic constant to the [ebp+((offset Data)-(offset start))+MAGIC] part, and making sure to sub ebp,MAGIC before this. In unavoidable cases such as:
call $+5 where it assembles as E8 00 00 00 05, you can instead do:

@1:
jmp short @2
pop ebp
jmp @3
...junk...
@2:
call @1
...junk...
@3:

This should make it possible to avoid having nulls in your code. Go read some papers on this if you want more advanced tips; I'm too lazy to write them up now, especially since they've all been discussed before.
