Penetration Testing mailing list archives
Re: Buffer Overflow Help
From: "Geoffroy Raimbault" <graimbault () lynx-technologies com>
Date: Wed, 31 Jul 2002 18:34:11 +0200
In fact, you don't really modify x, but you modify the saved EIP of "function()" to jump after the piece of code that sets x to 1, "movl $0x1,0xfffffffc(%ebp)", so that you really "bypass" the "x=1" statement.

Concerning Leonard's problem, it may be due to the size allocated by gcc to the local variables when it has to make a 4-byte alignment. Normally it should allocate 8 bytes for char buffer1[5] (you round up to the next multiple of 4 bytes to have a 4-byte alignment). Sometimes gcc doesn't round as expected. You should try this code, which allocates 8 bytes for buffer1, and so, no problems of alignment. You should also take a look at Vuln Dev, where a recent discussion treated this problem.

    #include <stdio.h>

    void function(int a, int b, int c)
    {
        char buffer1[8];            /* Allocate 8 bytes for buffer1 */
        int *ret;

        ret = (int *)(buffer1 + 12); /* after that, ret points to saved EIP */
        (*ret) += 8;                /* you modify saved EIP to jump the "x=1" statement */
    }

    int main(void)
    {
        int x;

        x = 0;
        function(1, 2, 3);
        x = 1;
        printf("x= %d\n", x);
        return 0;
    }

Geof

----- Original Message -----
From: "jmiller" <secadmin () subversive cc>
Cc: <pen-test () securityfocus com>
Sent: Wednesday, July 31, 2002 8:54 AM
Subject: Re: Buffer Overflow Help
<snip>
> The following example should bypass the "x=1" statement and print the
> original value of "x" which is 0 (zero). Here's the code.
> -=-=-=-=-=-=-=-=-=-=-=-=-=
> #include <stdio.h>
>
> void function(int a, int b, int c)
> {
>     char buffer1[5];
>     char buffer2[10];
>     int *ret;
>
>     ret = (int *)(buffer1 + 12);  /* assumed to point at the saved EIP */
>     (*ret) += 8;                  /* assumed to skip the "x=1" statement */
> }

i am failing to see how this should bypass anything, it is all byval, not byref. this function is isolated from your prog. buffer1, buffer2, and ret are all disappearing when the function is done...

i am also failing to see how the function would affect x at all.

JMiller

> int main(void)
> {
>     int x;
>
>     x = 0;
>     function(1, 2, 3);
>     x = 1;
>     printf("%d\n", x);
>     return 0;
> }
> -=-=-=-=-=-=-=-=-=-=-=-=-=
> When I compile and execute this code it displays one and exits. I have
> tried this on RedHat 7.3 and Debian 2.2r6, both giving me the same
> result. Does anyone have any insight into why this wouldn't work? After
> looking into the assembly behind it, I think it has something to do with
> the "word size", but can't seem to find any information as to what the
> "word size" is in Debian or RedHat. Any and All comments/suggestions are
> more than welcome. Also if anyone knows of some other good text
> files/documents that talk about buffer overflows I would be happy to
> receive links.
>
> Leonard Leblanc
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA) Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
> see: https://alerts.securityfocus.com/
>
> --
> Public-key [ http://home.no.net/jullum/ejl.asc ]
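The thread's disagreement (jmiller: "it is all byval"; Geoffroy: the write goes to the saved EIP, and the offset breaks when gcc pads buffer1) comes down to two guessed constants, `buffer1 + 12` and `+= 8`. The following is an added example, not code posted by anyone in the thread, that performs the same saved-return-address hijack without either guess: the slot is located through the frame pointer (`__builtin_frame_address(0)`), so gcc's padding of `buffer1` no longer matters, and the caller hands over the address it wants execution to resume at as a label (the GCC/Clang "labels as values" extension), so the instruction length of `x = 1` no longer matters. It assumes GCC or Clang on x86, x86-64 or AArch64, where the frame record keeps the return address one pointer-size above the saved frame pointer; it is also assumed that no hardware shadow stack (e.g. Intel CET) is enforced, since that would reject the modified return. `offset_to_saved_ret()` reports what the posts assumed to be 12, and `frame_slot_holds_return_address()` checks the frame-layout assumption before anything is overwritten.

```c
/*
 * Added example (not from the mailing-list thread). Same effect as the
 * posted function()/main() pair: make function() return past the
 * caller's "x = 1". Assumes GCC/Clang extensions (__builtin_frame_address,
 * __builtin_return_address, &&label) and a frame record where the return
 * address sits right above the saved frame pointer (x86, x86-64, AArch64).
 */
#include <stddef.h>
#include <stdio.h>

/* Address of the slot holding the current function's saved return address.
 * __builtin_frame_address(0) forces a frame pointer in the function that
 * uses it, so this works even when the build omits frame pointers. */
#define SAVED_RET_SLOT() \
    ((void **)((char *)__builtin_frame_address(0) + sizeof(void *)))

/* Measure (instead of assuming 12) how far the thread's char buffer1[5]
 * really is from the saved return address in this compiler's layout. */
__attribute__((noinline)) ptrdiff_t offset_to_saved_ret(void)
{
    char buffer1[5];
    /* Keep the array in the frame even under optimisation. */
    __asm__ volatile("" : : "r"(buffer1) : "memory");
    return (char *)SAVED_RET_SLOT() - buffer1;
}

/* Frame-layout check: the slot found via the frame pointer must contain
 * exactly the value __builtin_return_address(0) reports. Returns 1 if so. */
__attribute__((noinline)) int frame_slot_holds_return_address(void)
{
    return *SAVED_RET_SLOT() == __builtin_return_address(0);
}

/* The thread's function(): overwrite our own saved return address so the
 * "ret" lands on resume_at instead of the instruction after the call.
 * No buffer size or instruction length is involved. */
__attribute__((noinline)) void function(void *resume_at)
{
    *SAVED_RET_SLOT() = resume_at;
}

/* The thread's main(): returns x, which stays 0 when "x = 1" is skipped. */
__attribute__((noinline)) int skip_demo(void)
{
    volatile int x = 0;          /* volatile: force a real store and load */

    function(&&skipped);         /* ask function() to return to the label */
    x = 1;                       /* bypassed when the hijack works */
skipped:
    return x;
}

int main(void)
{
    printf("saved return address is %td bytes from buffer1 (posts assume 12)\n",
           offset_to_saved_ret());
    printf("frame-pointer slot matches __builtin_return_address: %s\n",
           frame_slot_holds_return_address() ? "yes" : "no");
    printf("x = %d\n", skip_demo());  /* 0 when "x = 1" was skipped */
    return 0;
}
```

Two practical notes. First, run `offset_to_saved_ret()` under the exact compiler and flags you are attacking: on a 2002-era 32-bit gcc it is what Geoffroy's alignment argument predicts, on a 64-bit build it is larger and depends on the stack protector, so a hard-coded 12 fails for both reasons. Second, the posted code writes through an `int *`, which on a 64-bit target only touches the low 32 bits of the saved address; a small `+= 8` still lands in the same page, but writing the whole `void *` slot, as above, is the form that holds everywhere.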
Current thread:
- Buffer Overflow Help Leonard Leblanc (Jul 30)
- Re: Buffer Overflow Help Scott Nursten (Jul 30)
- Re: Buffer Overflow Help Erlend J. Leiknes (Jul 30)
- Re: Buffer Overflow Help jmiller (Jul 31)
- Re: Buffer Overflow Help Geoffroy Raimbault (Jul 31)
- Re: Buffer Overflow Help Rafael Coninck Teigao (Jul 31)
- Re: Buffer Overflow Help jmiller (Jul 31)
- Re: Buffer Overflow Help Rafael Coninck Teigao (Jul 31)
- Re: Buffer Overflow Help Chris Hall (Jul 31)
- <Possible follow-ups>
- Re: Buffer Overflow Help Felipe Moreno (Jul 31)