Could somebody give me a complete explanation of what is happening in this second line of code?
I know that the address of the buffer containing the shellcode is cast to a function pointer which is executed. But I'm a little confused with all the braces and steps involved, so I need a little bit more detailed explanation.
unsigned char buf[] = "\x90\x90\x90\x90\x90\x90\x90\x90";
((void(*)())buf)();
I tried to explain it to myself this way:
buf //address of the buffer containing code
void(*)() //"type" function pointer returning void, no parameters
(void(*)()) buf //cast buf to said type
( (void(*)()) buf )() //take the outcome of the cast and execute it by appending ()
Is this correct?
Edit: I am aware that DEP would block the execution and that even if it would execute, the program would crash because it would execute "random garbage" after the NOPs. My question is just about the syntax of the function call.
Cast buf (array name converted to a pointer) to a void(*)() function pointer:
(void(*)())buf
Call that function through the pointer:
(function_pointer)();
Notice that this is just wrong because of operator precedence rules:
(void(*)()) buf() // Function call has a higher precedence over type cast
so another pair of parentheses is necessary.
Eventually execute it (if DEP permits it; this is system-dependent) and (if x86) NOP, NOP, NOP, etc.
You're thus correct.
As a sidenote: the NOP code will crash your app as well: there's no return statement and IP won't be restored when that payload finishes.
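The same cast-and-call syntax, as an added example that is not part of the question or the answer above: instead of a data buffer it calls a real function through an untyped pointer, so it runs on any system regardless of DEP/NX, and it shows the typedef form that avoids the extra parentheses. The names counter, bump, thunk_t and call_through_untyped_pointer are invented for this example.

```c
#include <stdio.h>

static int counter = 0;

/* A function with the exact type the cast names: returns void, no parameters. */
static void bump(void) { counter++; }

/* The same type as void(*)(), spelled as a typedef so the call site needs
 * no parentheses around the cast. */
typedef void (*thunk_t)(void);

/* Takes an untyped address (the role `buf` plays in the question) and performs
 * the steps from the answer: cast to a function pointer, wrap the cast in
 * parentheses so it binds before the call, then append () to call through it.
 * Returns how many times the target function ran. */
int call_through_untyped_pointer(void *p) {
    int before = counter;

    /* Without the outer parentheses this would parse as (void(*)())(p()),
     * i.e. call p first and cast the result, which does not even compile here. */
    ((void (*)())p)();

    /* Equivalent call via the typedef: no precedence trap to remember. */
    thunk_t f = (thunk_t)p;
    f();

    return counter - before;   /* 2: each form invoked bump() once */
}

int main(void) {
    /* Converting a function pointer to void* is a common extension rather than
     * strict ISO C, but POSIX requires it to work (dlsym depends on it). */
    void *p = (void *)bump;
    printf("calls made through the untyped pointer: %d\n",
           call_through_untyped_pointer(p));
    return 0;
}
```

Compile with `gcc -Wall example.c`; the only diagnostic is the function-pointer/void* conversion warning under -pedantic.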