Vulnerability Development mailing list archives
Re: Studying buffer overflows [maybe OT]
From: SpaceWalker <spacewalker () altern org>
Date: Tue, 9 Apr 2002 10:12:24 +0200
On Mon, 8 Apr 2002 23:21:01 +0200 darko <darko () autistici org> wrote:

> #include <stdio.h>
>
> void f()
> {
>     char a[4];
>     int *b;
>     b = a + 0x8;      /* 8 bytes past the buffer: the saved return address */
>     (*b) += 0x8;      /* bump the return address by 8 */
> }
>
> int main()
> {
>     int x;
>     x = 0;
>     f();
>     x = 1;
>     printf("%d\n", x);
>     return 0;
> }
>
> and it doesn't work... why?

because

0x8048411 <main+13>:    call   0x80483e4 <f>
0x8048416 <main+18>:    movl   $0x1,0xfffffffc(%ebp)    <= where you would return
0x804841d <main+25>:    add    $0xfffffff8,%esp
0x8048420 <main+28>:    mov    0xfffffffc(%ebp),%eax    <- that's where you want to return
0x8048423 <main+31>:    push   %eax
0x8048424 <main+32>:    push   $0x8048490
0x8048429 <main+37>:    call   0x8048300 <printf>
0x804842e <main+42>:    add    $0x10,%esp

so a little arithmetic: 28 - 18 = 10, so replace by (*b) += 10;

spacewalker@darkside:~/$ ./bug
0

don't return at main+31 because %eax would not be initialised.
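As an added illustration (not part of SpaceWalker's mail), here is a small Python helper that parses a gdb listing like the one above and does the 28 - 18 arithmetic mechanically; it also reports whether a target offset is the start of an instruction in the listing, which main+26 (the result of the original +8) is not. The listing text is constructed from the lines quoted above and the function names are my own.

```python
import re

# Constructed input: the gdb disassembly quoted in the reply above, re-typed by hand.
LISTING = """\
0x8048411 <main+13>:    call   0x80483e4 <f>
0x8048416 <main+18>:    movl   $0x1,0xfffffffc(%ebp)
0x804841d <main+25>:    add    $0xfffffff8,%esp
0x8048420 <main+28>:    mov    0xfffffffc(%ebp),%eax
0x8048423 <main+31>:    push   %eax
0x8048424 <main+32>:    push   $0x8048490
0x8048429 <main+37>:    call   0x8048300 <printf>
0x804842e <main+42>:    add    $0x10,%esp
"""
# One gdb line: absolute address, <symbol+offset> label, mnemonic, operands.
LINE_RE = re.compile(r"^0x([0-9a-f]+)\s+<(\w+)\+(\d+)>:\s+(\S+)\s*(.*)$")

def parse_listing(text):
    """Return (addr, offset, mnemonic, operands) per instruction, rejecting any
    line whose absolute address disagrees with its <sym+off> label."""
    insns, base = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, off = int(m.group(1), 16), int(m.group(3))
        base = addr - off if base is None else base
        if addr - off != base:
            raise ValueError(f"label/address mismatch: {line}")
        insns.append((addr, off, m.group(4), m.group(5)))
    return insns

def return_offset_after_call(insns, callee):
    """Offset the call to `callee` returns to: the next instruction in the listing."""
    for i in range(len(insns) - 1):
        if insns[i][2] == "call" and insns[i][3].endswith(f"<{callee}>"):
            return insns[i + 1][1]
    raise ValueError(f"no call to {callee} in listing")

def adjustment(insns, callee, mnemonic, operands):
    """Bytes to add to the saved return address so execution resumes at the first
    instruction matching (mnemonic, operands) instead of right after the call."""
    ret = return_offset_after_call(insns, callee)
    for _, off, m, o in insns:
        if (m, o) == (mnemonic, operands):
            return off - ret
    raise ValueError(f"{mnemonic} {operands} not found in listing")

def is_instruction_boundary(insns, offset):
    """True if `offset` is the start of an instruction in the listing."""
    return any(off == offset for _, off, _, _ in insns)
```

Calling `adjustment(parse_listing(LISTING), "f", "mov", "0xfffffffc(%ebp),%eax")` gives 10, and `is_instruction_boundary` shows that main+28 is an instruction start while main+26 is not.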