Vulnerability Development mailing list archives

Re: Studying buffer overflows [maybe OT]


From: nocon <nocon () castleblack darkflame net>
Date: Wed, 10 Apr 2002 13:03:50 -0500

[inouk () toutatis igt net] Tue, Apr 09, 2002 at 08:56:27AM -0400 wrote:

When you don't pass parameters (i.e. f(1)), you must add 4 or more in
addition to pointing to the return address. (even if you have 2, 3 or more
parameters, it's always 4)

Here is the code:

#include <stdio.h>   /* needed for printf() */

void
f()
{
  char a[4];
  int *b;

  /* deliberately point 12 bytes past the start of a, which on this
   * compiler is where the saved return address of f() sits */
  b = (int *)(a + 12);
  *b += 0x8;           /* bump the return address so the caller skips x = 1 */
}

int
main(void)
{
  int x;

  x = 0;
  f();

  x = 1;               /* skipped when f() has altered its return address */

  printf("%d\n", x);
  return 0;
}

To know why, read the disassembler code from gdb, the answer is in here
:-)

Eric


This helped me somewhat in understanding how to calculate the return addresses, in that
I printed out the address as it was changed.

[nocon]$ cat code.c
#include <stdio.h>   /* needed for printf() */

void f(int bla) {
        char a[4];
        int *b;
        /* on this 32-bit build the saved return address is 8 bytes above a */
        b = (int *)(a + 8);
        printf("ret =  0x%x\n", *b);
        *b += 10;           /* move the return address 10 bytes ahead, past x = 1 */
        printf("new ret = 0x%x\n", *b);
}

int main(void) {
        int x;
        x = 0;
        f(1);
        x = 1;              /* we want to jump past this assignment */
        printf("%d\n", x);  /* should print 0 not 1 */
        return 0;
}

[nocon]$ gcc code.c
[...]

[nocon]$ gdb -q ./a.out
(gdb) disas main
Dump of assembler code for function main:
0x80484a8 <main>:       push   %ebp
0x80484a9 <main+1>:     mov    %esp,%ebp
0x80484ab <main+3>:     sub    $0x8,%esp
0x80484ae <main+6>:     movl   $0x0,0xfffffffc(%ebp)
0x80484b5 <main+13>:    sub    $0xc,%esp
0x80484b8 <main+16>:    push   $0x1
0x80484ba <main+18>:    call   0x8048460 <f>
0x80484bf <main+23>:    add    $0x10,%esp          <---------- ( 0x80484bf: b =  a + 8; )
0x80484c2 <main+26>:    movl   $0x1,0xfffffffc(%ebp)
0x80484c9 <main+33>:    sub    $0x8,%esp           <---------- ( 0x80484c9: *b += 10; )
0x80484cc <main+36>:    pushl  0xfffffffc(%ebp)
0x80484cf <main+39>:    push   $0x8048561
0x80484d4 <main+44>:    call   0x804833c <printf>
0x80484d9 <main+49>:    add    $0x10,%esp
0x80484dc <main+52>:    leave
0x80484dd <main+53>:    ret
0x80484de <main+54>:    mov    %esi,%esi
End of assembler dump.
(gdb) quit

[nocon]$ ./a.out
ret =  0x80484bf
new ret = 0x80484c9
0
[nocon]$
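An added example (not from either post) that measures this offset instead of assuming it: it reads the frame of a function with the same 4-byte local and reports how far the saved return address lies from it, without writing anything. It assumes a GCC or Clang compiler (for __builtin_return_address and the noinline attribute) and a downward-growing stack; the sign and size of the result depend on the compiler, optimisation level and target, which is exactly why Eric's +12 and the +8 above differ.

```c
#include <stdio.h>
#include <stdint.h>
#include <limits.h>

/* The return address is never held raw in a local: we XOR it with a constant so
 * that no slot in our own frames can accidentally equal the value we look for. */
#define KEY_MASK   ((uintptr_t)0x5a5a5a5aUL)
#define NOT_FOUND  LONG_MIN

/* Read pointer-sized slots from `below` bytes under `base` (start of the local
 * array in the caller's frame) to `above` bytes over it and return the signed
 * byte offset of the first slot holding the caller's return address.  Kept
 * out of line so the caller is not a leaf function and must keep its return
 * address in memory rather than only in a register. */
__attribute__((noinline))
static long scan_frame(uintptr_t base, uintptr_t masked_ret, long below, long above)
{
    uintptr_t align = sizeof(void *);
    uintptr_t slot = (base - (uintptr_t)below + align - 1) & ~(align - 1);
    for (; slot < base + (uintptr_t)above; slot += align) {
        if ((*(volatile uintptr_t *)slot ^ KEY_MASK) == masked_ret)
            return (long)((intptr_t)slot - (intptr_t)base);
    }
    return NOT_FOUND;
}

/* Measures where the saved return address sits relative to the 4-byte local
 * `a` that both posts overflow, on whatever compiler and target built this.
 * The frame is only read, never written. */
__attribute__((noinline))
long return_slot_offset(void)
{
    volatile char a[4] = {0, 0, 0, 0};
    return scan_frame((uintptr_t)a,
                      (uintptr_t)__builtin_extract_return_addr(__builtin_return_address(0)) ^ KEY_MASK,
                      64, 256);
}

int main(void)
{
    long off = return_slot_offset();
    if (off == NOT_FOUND)
        printf("return address not found near a\n");
    else
        printf("saved return address is at a %c %ld (the posts assumed +12 and +8)\n",
               off < 0 ? '-' : '+', off < 0 ? -off : off);
    return 0;
}
```

Build it once at -O0 and once at -O2 and compare the reported offsets with the disassembly, the same way the gdb session above was used.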

-- 
- noconflic

======================================

nocon () darkflame net
http://nocon.darkflame.net

======================================
