Vulnerability Development mailing list archives
Re: Studying buffer overflows [maybe OT]
From: Matthew Kauffman <matthew () e-businesscoach com>
Date: Tue, 09 Apr 2002 11:12:40 -0600
At 11:21 PM 4/8/02 +0200, you wrote:
Hi all, I've started to study buffer overflows. I wrote the following code:

    #include <stdio.h>

    void f() {
        char a[4];
        int *b;
        b = a + 0x8;
        (*b) += 0x8;
    }

    main() {
        int x;
        x = 0;
        f();
        x = 1;
        printf("%d\n", x);
    }

I want, after the call to f(), the program to jump to printf() so the value of x should remain 0, not 1. I always get segmentation faults, bus errors, etc. and never that fuc*ing "x = 0"!! Tested on a Celeron 433, Red Hat 7.2, gcc 2.96.

byez
darko
    void f() {
        char a[4];
        int *b;
        b = (int *) a + 2;
        *b += 0x7;
    }

First, remember that b is an integer pointer, and if we increment it, it increments 4 bytes at a time. We know that the saved instruction pointer is 8 bytes from a on the stack, so we set b to a + 2, which, because we are treating a as an int *, moves it up 8 bytes.

Secondly, we need to know the distance from our f() call in main to the printf statement, so we can hop over the x = 1 statement.

This can be found with a debugger.

    (gdb) disass main
    ...
    0x80483e1 <main+13>:    call   0x80483b4 <f>
    0x80483e6 <main+18>:    movl   $0x1, 0xfffffffc(%ebp),%eax
    0x80483ed <main+25>:    mov    0xfffffffc(%ebp),%eax
    ...

At <main+18> we do x = 1; the saved eip for function f normally points to <main+18>, and we want it to point to <main+25>, to skip over the assignment. The difference is 7 bytes (25-18), and so we need to increment the saved eip in f() by 7 bytes.
Really this is not a buffer overflow, it is just a program that alters its own execution path. But learning about the stack is going to be essential to learning buffer overflows, so it's a good exercise. For a better tutorial, see the ubiquitous "Smashing the Stack For Fun and Profit", by Aleph1 (http://www.phrack.com/show.php?p=49&a=14).
Good luck,
Matthew

E-business Coach, Inc.
Call (1) 877-816-8161 or http://www.e-businesscoach.com/
[Web site software and solutions to advance your market strategy.]
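As an added example (not code from the thread or from either poster), the program below asks the compiler where the saved return address actually sits relative to a 4-byte local buffer, checks that the slot really holds the return address, and reports whether the hard-coded "a + 8" from the original post would have found it on this build. It assumes the frame-record layout of x86, x86-64 and AArch64, where the return address is stored one pointer-width above __builtin_frame_address(0); the struct and function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not code from the thread. Reports where the saved return
 * address really lives relative to a small local buffer, and checks the
 * hard-coded "a + 8" guess from the original post against it. Assumes a
 * frame-record layout where the return address is stored one pointer-width
 * above __builtin_frame_address(0) (true on x86, x86-64 and AArch64). */

struct frame_info {
    long ret_slot_offset;  /* bytes from &a[0] up to the return-address slot */
    int  slot_holds_ret;   /* 1 if that slot really contains the return address */
    int  plus8_guess_ok;   /* 1 if the post's "a + 8" would have hit the slot */
};

__attribute__((noinline)) struct frame_info inspect_frame(void)
{
    char a[4] = "abc";     /* same kind of local buffer as in the exercise */
    struct frame_info info;
    void *in_slot;

    /* CALL pushes the return address, then the prologue pushes the old frame
     * pointer, so the return-address slot sits just above the frame address. */
    char *fp   = (char *)__builtin_frame_address(0);
    char *slot = fp + sizeof(void *);

    /* Read the slot without breaking aliasing rules and compare it with what
     * the compiler itself says the return address is. */
    memcpy(&in_slot, slot, sizeof in_slot);

    info.ret_slot_offset = (long)((uintptr_t)slot - (uintptr_t)a);
    info.slot_holds_ret  = (in_slot == __builtin_return_address(0));
    /* Padding, alignment and a stack canary can all sit between a and the
     * slot, which is why an offset copied from one build segfaults on another. */
    info.plus8_guess_ok  = (info.ret_slot_offset == 8);
    return info;
}

int main(void)
{
    struct frame_info fi = inspect_frame();
    printf("return-address slot is %ld bytes above a[0]; holds return address: %s; "
           "'a + 8' guess correct: %s\n",
           fi.ret_slot_offset, fi.slot_holds_ret ? "yes" : "no",
           fi.plus8_guess_ok ? "yes" : "no");
    return 0;
}
```

Build it once with and once without -fstack-protector to watch the reported offset change while the slot check stays true.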