Penetration Testing mailing list archives
Re: Buffer Overflow Help
From: Scott Nursten <scottn () s2s ltd uk>
Date: Tue, 30 Jul 2002 17:52:11 +0100
Hey Leonard, Firstly, check this out: -----snip----- spock:/tmp# cat test.c void function(int a, int b, int c) { char buffer1[5]; char buffer2[10]; int *ret; ret = buffer1 + 12; (*ret) += 8; } void main() { int x; x=0; function(1,2,3); x=1; printf("%d\n",x); } spock:/tmp# gcc -o test test.c test.c: In function `function': test.c:5: warning: assignment from incompatible pointer type test.c: In function `main': test.c:9: warning: return type of `main' is not `int' spock:/tmp# ./test 0 ------snip------ So, the code definitely worx. About the word length query, what I know about programming is dangerous, but, as far as I remember, the word length is basically the max word length the processor can handle and thus basically denotes / relates to the instruction set. Basically, the word length is the processor word length which is one of 16,32 or 64 bit (well, there were interesting 20bit, 8bit etc etc procs, but these are the std now. Regards, Scott On 7/30/02 4:48 PM, "Leonard Leblanc" <lleblanc () emergeknowledge com> wrote:
Hello All, I am trying to experience buffer overflows first hand. I have glanced at a number of articles and have decided to focus on "Smashing the Stack for Fun and Profit" from Phrack Issue 49. I am trying out the examples from the text and when I get to example 3 (which is the first real overflow example) it doesn't quite work and I'm having a little trouble figuring it out. The following example should bypass the "x=1" statement and print the original value of "x" which is 0 (zero). Here's the code. -=-=-=-=-=-=-=-=-=-=-=-=-= void function(int a, int b, int c) { char buffer1[5]; char buffer2[10]; int *ret; ret = buffer1 + 12; (*ret) += 8; } void main() { int x; x=0; function(1,2,3); x=1; printf("%d\n",x); } -=-=-=-=-=-=-=-=-=-=-=-= When I compile and execute this code it displays one and exits. I have tryed this on RedHat 7.3 and Debian 2.2r6, both giving me the same result. Does anyone have any insight into why this wouldn't work? After looking into the assembly behind it, I think it has something to do with the "word size", but can't seem to find any information as to what the "word size" is in Debian or RedHat. Any and All comments/suggestions are more than welcome. Also if anyone knows of some other good text files/documents that talk about buffer overflows I would be happy to receive links. Leonard Leblanc ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
-- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Buffer Overflow Help Leonard Leblanc (Jul 30)
- Re: Buffer Overflow Help Scott Nursten (Jul 30)
- Re: Buffer Overflow Help Erlend J. Leiknes (Jul 30)
- Re: Buffer Overflow Help jmiller (Jul 31)
- Re: Buffer Overflow Help Geoffroy Raimbault (Jul 31)
- Re: Buffer Overflow Help Rafael Coninck Teigao (Jul 31)
- Re: Buffer Overflow Help jmiller (Jul 31)
- Re: Buffer Overflow Help Rafael Coninck Teigao (Jul 31)
- Re: Buffer Overflow Help Chris Hall (Jul 31)
- <Possible follow-ups>
- Re: Buffer Overflow Help Felipe Moreno (Jul 31)