Vulnerability Development mailing list archives
Re: Studying buffer overflows [maybe OT]
From: nocon <nocon () castleblack darkflame net>
Date: Wed, 10 Apr 2002 13:03:50 -0500
[inouk () toutatis igt net] Tue, Apr 09, 2002 at 08:56:27AM -0400 wrote:
> When you don't pass parameters (i.e. f(1)), you must add 4 more in
> addition to pointing to the return address (even if you have 2, 3 or
> more parameters, it's always 4). Here is the code:
>
> #include <stdio.h>
>
> void f()
> {
>     char a[4];
>     int *b;
>
>     b = (int *)(a + 12);   /* a[4], then the saved ebp, then 4 more: the return address */
>     *b += 0x8;
> }
>
> int main()
> {
>     int x;
>
>     x = 0;
>     f();
>     x = 1;
>     printf("%d\n", x);
>     return 0;
> }
>
> To know why, read the disassembler code from gdb, the answer is in
> here :-)
>
> Eric
This helped me somewhat in understanding how to calculate the return address, in that I printed out the address as it was changed.

[nocon]$ cat code.c
#include <stdio.h>

void f(int bla)
{
    char a[4];
    int *b;

    b = (int *)(a + 8);              /* a[] sits just below the saved ebp; +8 lands on the return address */
    printf("ret = 0x%x\n", *b);
    *b += 10;                        /* 10 bytes: skips 'add $0x10,%esp' and 'movl $0x1,-4(%ebp)' in main */
    printf("new ret = 0x%x\n", *b);
}

int main()
{
    int x;

    x = 0;
    f(1);
    x = 1;              /* we want to jump past this assignment */
    printf("%d\n", x);  /* should print 0 not 1 */
    return 0;
}
[nocon]$ gcc code.c
[...]
[nocon]$ gdb -q ./a.out
(gdb) disas main
Dump of assembler code for function main:
0x80484a8 <main>:       push   %ebp
0x80484a9 <main+1>:     mov    %esp,%ebp
0x80484ab <main+3>:     sub    $0x8,%esp
0x80484ae <main+6>:     movl   $0x0,0xfffffffc(%ebp)
0x80484b5 <main+13>:    sub    $0xc,%esp
0x80484b8 <main+16>:    push   $0x1
0x80484ba <main+18>:    call   0x8048460 <f>
0x80484bf <main+23>:    add    $0x10,%esp           <---------- ( 0x80484bf: b = a + 8; )
0x80484c2 <main+26>:    movl   $0x1,0xfffffffc(%ebp)
0x80484c9 <main+33>:    sub    $0x8,%esp            <---------- ( 0x80484c9: *b += 10; )
0x80484cc <main+36>:    pushl  0xfffffffc(%ebp)
0x80484cf <main+39>:    push   $0x8048561
0x80484d4 <main+44>:    call   0x804833c <printf>
0x80484d9 <main+49>:    add    $0x10,%esp
0x80484dc <main+52>:    leave
0x80484dd <main+53>:    ret
0x80484de <main+54>:    mov    %esi,%esi
End of assembler dump.
(gdb) quit
[nocon]$ ./a.out
ret = 0x80484bf
new ret = 0x80484c9
0
[nocon]$

-- 
- noconflic
======================================
nocon () darkflame net
http://nocon.darkflame.net
======================================
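As an added example (not from this thread or either poster), here is a way to measure the distance from the local buffer to the return-address slot instead of reading it off the gdb disassembly: it uses the GCC/Clang builtins __builtin_frame_address(0) and __builtin_return_address(0) and scans upward from the frame address for the saved return address. Assumes gcc or clang on x86/x86-64 (or another target where the return address is reachable above the frame address) and a downward-growing stack; build with -O0 or -fno-omit-frame-pointer.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct layout {
    ptrdiff_t buf_to_ret;  /* bytes from a[0] to the return-address slot */
    ptrdiff_t fp_to_ret;   /* bytes from the frame address to that slot */
    int found;             /* 1 if the slot was located within 16 words */
};

/* Same shape as the thread's f(): a 4-byte local buffer in a frame of its
 * own (noinline keeps it a real callee).  Instead of hard-coding a + 8 or
 * a + 12, scan upward from the frame address for the stack word equal to
 * __builtin_return_address(0); that word is the return-address slot. */
__attribute__((noinline)) struct layout probe_layout(void)
{
    volatile char a[4];    /* volatile so the buffer is kept on the stack */
    struct layout l = {0, 0, 0};
    void *ret = __builtin_return_address(0);
    char *fp = (char *)__builtin_frame_address(0);
    size_t off;

    a[0] = a[1] = a[2] = a[3] = 'A';
    for (off = 0; off <= 16 * sizeof(void *); off += sizeof(void *)) {
        void *word;
        memcpy(&word, fp + off, sizeof word);   /* read one stack word */
        if (word == ret) {
            l.fp_to_ret = (ptrdiff_t)off;
            l.buf_to_ret = (ptrdiff_t)((uintptr_t)(fp + off) - (uintptr_t)a);
            l.found = 1;
            break;
        }
    }
    return l;
}

/* buf_to_ret > 0 means a[] sits below the return address, so an overrun of
 * a[] walks toward it (typical x86/x86-64 frames).  On targets whose frame
 * record sits below the locals (e.g. GCC on AArch64) the sign flips, which
 * is why the offsets in this thread are compiler- and ABI-specific. */
int main(void)
{
    struct layout l = probe_layout();
    if (!l.found)
        return 1;
    printf("frame address -> return slot: %td bytes, a[0] -> return slot: %td bytes\n",
           l.fp_to_ret, l.buf_to_ret);
    return 0;
}
```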