Penetration Testing mailing list archives
buffer overflow - basic help needed (aleph1)
From: learn lids <learnlids () yahoo com>
Date: Tue, 13 Mar 2007 12:39:15 -0700 (PDT)
Hi list, I am learning bof and am confused about how to move ahead; any help would be great.

1> My system: Fedora Core 6 { Kernel 2.6.18-1.2798.fc6 on an x86_64 }

2> Program used - example3.c from aleph1's "Smashing the Stack"

------example3.c---------------
#include <stdio.h>

void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    int *ret;

    /* point ret at where the saved return address is assumed to sit */
    ret = buffer1 + 12;
    /* bump the return address so main() resumes past the x = 1 store */
    (*ret) += 12;
}

int main(void) {
    int x;

    x = 0;
    function(1,2,3);
    x = 1;              /* the statement the overwrite is meant to skip */
    printf("%d\n",x);
    return 0;
}
--------------------------------------

3> Problem I am facing - I am trying to skip the x=1 statement so that the printf will show x=0. I did a gdb disassembly of main with the following result:

===========
(gdb) disassemble main
Dump of assembler code for function main:
0x00000000004004a2 <main+0>:  push %rbp
0x00000000004004a3 <main+1>:  mov %rsp,%rbp
0x00000000004004a6 <main+4>:  sub $0x10,%rsp
0x00000000004004aa <main+8>:  movl $0x0,0xfffffffffffffffc(%rbp)
0x00000000004004b1 <main+15>: mov $0x3,%edx
0x00000000004004b6 <main+20>: mov $0x2,%esi
0x00000000004004bb <main+25>: mov $0x1,%edi
0x00000000004004c0 <main+30>: callq 0x400478 <function>
0x00000000004004c5 <main+35>: movl $0x1,0xfffffffffffffffc(%rbp)
0x00000000004004cc <main+42>: mov 0xfffffffffffffffc(%rbp),%esi
0x00000000004004cf <main+45>: mov $0x4005f8,%edi
0x00000000004004d4 <main+50>: mov $0x0,%eax
0x00000000004004d9 <main+55>: callq 0x400398 <printf@plt>
0x00000000004004de <main+60>: movl $0x9,0xfffffffffffffffc(%rbp)
0x00000000004004e5 <main+67>: mov 0xfffffffffffffffc(%rbp),%esi
0x00000000004004e8 <main+70>: mov $0x4005f8,%edi
0x00000000004004ed <main+75>: mov $0x0,%eax
0x00000000004004f2 <main+80>: callq 0x400398 <printf@plt>
0x00000000004004f7 <main+85>: leaveq
0x00000000004004f8 <main+86>: retq
=============

I need to skip 12 bytes after the 'call function', and hence I am incrementing *ret by 8. When I run the program, "1" is still displayed. Where am I going wrong?
thanks - ll
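Added diagnostic for the question above; this is not the poster's code and not from aleph1's paper. Instead of assuming the saved return address sits at `buffer1 + 12`, it asks the compiler where the current frame's return-address slot is (`__builtin_frame_address(0)` plus one pointer width, which is where x86_64 and AArch64 keep it when a frame pointer is in use), verifies that the slot really holds `__builtin_return_address(0)`, and reports the distance from a local buffer laid out like example3.c's. It also checks that a pointer is wider than an `int` on this build, one reason a 32-bit x86 recipe does not carry over to x86_64 unchanged. The struct and function names are mine; the code only reads the slot, never writes to it, and the offset it prints varies with compiler, optimisation level and stack protector, which is the point.

```c
#include <stdio.h>
#include <stddef.h>

/* Added diagnostic (not example3.c): locate the saved return address of the
 * current frame with compiler builtins instead of a hard-coded offset and
 * report how far it sits from a local buffer.  Assumes GCC or Clang and a
 * frame-pointer layout where the return address is stored directly above the
 * saved frame pointer (true on x86_64 and AArch64). */

struct frame_info {
    ptrdiff_t buf_to_ret;   /* bytes from buffer1[0] to the return-address slot */
    int       slot_matches; /* 1 if that slot really holds __builtin_return_address(0) */
};

__attribute__((noinline))
static struct frame_info inspect_frame(void)
{
    volatile char buffer1[5];   /* same locals as example3.c; volatile keeps them on the stack */
    volatile char buffer2[10];
    struct frame_info fi;

    /* frame address == saved frame pointer of this call; return address is one pointer above */
    char *fp = (char *)__builtin_frame_address(0);
    void **ret_slot = (void **)(fp + sizeof(void *));

    buffer1[0] = 'a';
    buffer2[0] = 'b';

    fi.buf_to_ret = (char *)ret_slot - (char *)buffer1;          /* read-only arithmetic */
    fi.slot_matches = (*ret_slot == __builtin_return_address(0)); /* read, never written */
    return fi;
}

/* A 32-bit x86 recipe assumes 4-byte pointers; on x86_64 an int* store only
 * touches half of the 8-byte return address. */
int pointer_wider_than_int(void)
{
    return sizeof(void *) > sizeof(int);
}

/* Distance from buffer1 to the return-address slot in this particular build. */
ptrdiff_t return_slot_offset(void)
{
    return inspect_frame().buf_to_ret;
}

/* 1 when frame_address + sizeof(void*) really is the return-address slot. */
int slot_holds_return_address(void)
{
    return inspect_frame().slot_matches;
}

int main(void)
{
    printf("sizeof(int)=%zu sizeof(void*)=%zu\n", sizeof(int), sizeof(void *));
    printf("buffer1 -> return-address slot: %td bytes\n", return_slot_offset());
    printf("slot check: %s\n", slot_holds_return_address() ? "ok" : "MISMATCH");
    return 0;
}
```

Build it with `gcc -O0 -o frame frame.c` and again with `-O2` or `-fstack-protector-all`; the printed distance changes between builds, while the slot check stays "ok", which shows why a constant offset copied from a 32-bit tutorial is not a reliable way to find the return address on x86_64.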