Metasploit mailing list archives

Buffer overflow in main


From: skoda306 at yahoo.com (daniel)
Date: Thu, 28 Feb 2008 09:53:12 -0800 (PST)

Compile, then use gdb disassemble main, it should give you everything you need.

wbyoung at u.northwestern.edu wrote: This isn't Metasploit specific, but it seems like a good place to ask:

If I have a program:

#include <stdio.h>   /* for gets(); the unbounded read is the point of the question */

int main() {
   char buffer[64];
   gets(buffer);
   return 0;
}

On Ubuntu 7.10 using gcc with --no-stack-protector and -z execstack
options to compile, you can overflow the buffer and change the return
address of main, but when main completes, it does not return to the
address you might want.

In this program, you can inject a return address and it returns to the
address you specify:

#include <stdio.h>   /* for gets() */

void run() {
   char buffer[64];
   gets(buffer);
}

int main() {
   run();
   return 0;
}

I believe this has to do with the way libc returns from main, but if
someone could explain (in as much detail as possible) or point to a
resource that explains what is going on here, that'd be great.  Thanks!


- Whitney Young


_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
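The programs in the question read an unbounded line with gets(), which is what lets input run past buffer[] and over the saved return address in the first place. As an added example that is not code from the thread, here is a bounded reader that can stand in for gets(): it stores at most size-1 bytes, drains the rest of an over-long line, and reports whether anything was dropped. The probe() helper and its fmemopen()-based harness are my own additions for exercising the reader on constructed input.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

struct line_result {
    size_t len;     /* bytes stored in buf, not counting the NUL */
    int truncated;  /* 1 if part of the line was dropped because it did not fit */
};

/* Bounded replacement for gets(): stores at most size-1 bytes plus a NUL,
 * strips the trailing newline, and discards the rest of an over-long line
 * so nothing is ever written past the end of buf. */
struct line_result read_line(char *buf, size_t size, FILE *in)
{
    struct line_result r = { 0, 0 };
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size) buf[0] = '\0';
        return r;
    }
    r.len = strlen(buf);
    if (r.len && buf[r.len - 1] == '\n') {
        buf[--r.len] = '\0';              /* whole line fit: drop the newline */
        return r;
    }
    /* No newline stored: the line was longer than the buffer, or EOF came
     * first. Drain to end of line so leftover bytes are not read later. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        r.truncated = 1;
    return r;
}

/* Test helper (hypothetical, not from the thread): run read_line over a
 * constructed string through fmemopen, using a bufsize-byte window of a
 * 256-byte buffer. Returns the stored length, -1 if the line was truncated,
 * or another negative code if the harness itself failed. */
long probe(const char *input, size_t bufsize)
{
    char buf[256];
    if (bufsize > sizeof buf) return -3;
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (!f) return -2;
    struct line_result r = read_line(buf, bufsize, f);
    fclose(f);
    if (strlen(buf) + 1 > bufsize) return -4;  /* must never exceed the window */
    return r.truncated ? -1 : (long)r.len;
}
```

Calling read_line(buffer, sizeof buffer, stdin) in place of gets(buffer) keeps the original programs' behaviour for input that fits while making the 64-byte bound part of the call.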


       
---------------------------------
Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it now.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080228/523e9c6d/attachment.htm>

