Vulnerability Development mailing list archives
buffer overflow - basic help needed (aleph1)
From: learn lids <learnlids () yahoo com>
Date: Wed, 14 Mar 2007 15:16:07 -0700 (PDT)
hi list, i am learning bof, and am confused with how to move ahead, any pointers would be great. sorry if the question is too basic, i am a learner...

1> my system:: fedora core 6, { Kernel 2.6.18-1.2798.fc6 on an x86_64 }

2> program used - example3.c from aleph1's smashing the stack

------example3.c---------------
#include <stdio.h>   /* added here: printf() needs its declaration; aleph1's original omits it */

void function(int a, int b, int c) {
  char buffer1[5];
  char buffer2[10];
  int *ret;

  ret = buffer1 + 12;   /* assumes the saved return address sits 12 bytes past buffer1 */
  (*ret) += 12;         /* advance the return address past the "x = 1" store */
}

void main() {
  int x;

  x = 0;
  function(1,2,3);
  x = 1;
  printf("%d\n",x);
}
--------------------------------------

3> problem i am facing - i am trying to skip the x=1 statement so that the printf will show x=0. i did a gdb disassembly of main with the following result -

===========
(gdb) disassemble main
Dump of assembler code for function main:
0x00000000004004a2 <main+0>:  push %rbp
0x00000000004004a3 <main+1>:  mov %rsp,%rbp
0x00000000004004a6 <main+4>:  sub $0x10,%rsp
0x00000000004004aa <main+8>:  movl $0x0,0xfffffffffffffffc(%rbp)
0x00000000004004b1 <main+15>: mov $0x3,%edx
0x00000000004004b6 <main+20>: mov $0x2,%esi
0x00000000004004bb <main+25>: mov $0x1,%edi
0x00000000004004c0 <main+30>: callq 0x400478 <function>
0x00000000004004c5 <main+35>: movl $0x1,0xfffffffffffffffc(%rbp)
0x00000000004004cc <main+42>: mov 0xfffffffffffffffc(%rbp),%esi
0x00000000004004cf <main+45>: mov $0x4005f8,%edi
0x00000000004004d4 <main+50>: mov $0x0,%eax
0x00000000004004d9 <main+55>: callq 0x400398 <printf@plt>
0x00000000004004de <main+60>: movl $0x9,0xfffffffffffffffc(%rbp)
0x00000000004004e5 <main+67>: mov 0xfffffffffffffffc(%rbp),%esi
0x00000000004004e8 <main+70>: mov $0x4005f8,%edi
0x00000000004004ed <main+75>: mov $0x0,%eax
0x00000000004004f2 <main+80>: callq 0x400398 <printf@plt>
0x00000000004004f7 <main+85>: leaveq
0x00000000004004f8 <main+86>: retq
=============

i need to skip 12 bytes after the 'call function', and hence i am incrementing *ret by 12. when i run the prog, "1" is still displayed. where am i going wrong?
thanks - ll
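A worked check that a reader can run against the gdb listing quoted in the post (this is an added example, not part of the original message or of aleph1's paper). It reads the `disassemble main` output, derives each instruction's length as the difference between consecutive addresses, finds the return address of the `callq <function>` and reports where that address lands after being advanced by a given number of bytes: on an instruction boundary, or inside an instruction. The listing itself is the only input; the function names (`parse_listing`, `skip_analysis`, `boundary_deltas`) are this example's own. It says nothing about whether `buffer1 + 12` actually reaches the saved return address in the x86_64 frame, which only a run under gdb can show; it only answers the separate question of what a +12 advance would do if it did. Note also that the listing contains a second `printf` and a store of 9 that the quoted source does not, so it came from a different build of the file.

```python
import re

# gdb output quoted from the post above. The final retq has no successor in the
# listing, so its length cannot be derived and is recorded as None.
GDB_DUMP = """
0x00000000004004a2 <main+0>: push %rbp
0x00000000004004a3 <main+1>: mov %rsp,%rbp
0x00000000004004a6 <main+4>: sub $0x10,%rsp
0x00000000004004aa <main+8>: movl $0x0,0xfffffffffffffffc(%rbp)
0x00000000004004b1 <main+15>: mov $0x3,%edx
0x00000000004004b6 <main+20>: mov $0x2,%esi
0x00000000004004bb <main+25>: mov $0x1,%edi
0x00000000004004c0 <main+30>: callq 0x400478 <function>
0x00000000004004c5 <main+35>: movl $0x1,0xfffffffffffffffc(%rbp)
0x00000000004004cc <main+42>: mov 0xfffffffffffffffc(%rbp),%esi
0x00000000004004cf <main+45>: mov $0x4005f8,%edi
0x00000000004004d4 <main+50>: mov $0x0,%eax
0x00000000004004d9 <main+55>: callq 0x400398 <printf@plt>
0x00000000004004de <main+60>: movl $0x9,0xfffffffffffffffc(%rbp)
0x00000000004004e5 <main+67>: mov 0xfffffffffffffffc(%rbp),%esi
0x00000000004004e8 <main+70>: mov $0x4005f8,%edi
0x00000000004004ed <main+75>: mov $0x0,%eax
0x00000000004004f2 <main+80>: callq 0x400398 <printf@plt>
0x00000000004004f7 <main+85>: leaveq
0x00000000004004f8 <main+86>: retq
"""

# address, <symbol+offset>, instruction text
LINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+<([^>]+)>:\s+(.*)$")


def parse_listing(dump):
    """Return [(address, instruction_text)] in listing order."""
    insns = []
    for line in dump.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), m.group(3).strip()))
    return insns


def instruction_lengths(insns):
    """Length of each instruction is the gap to the next address; last one is unknown."""
    table = []
    for i, (addr, text) in enumerate(insns):
        length = insns[i + 1][0] - addr if i + 1 < len(insns) else None
        table.append((addr, length, text))
    return table


def return_address_after(insns, callee_substr):
    """The callee returns to the instruction that follows the matching call."""
    for i, (addr, text) in enumerate(insns):
        if text.startswith("call") and callee_substr in text:
            return insns[i + 1][0]
    raise ValueError("no call to %s in listing" % callee_substr)


def classify_landing(insns, target):
    """Tell whether target is an instruction boundary, inside an instruction, or outside."""
    for addr, length, text in instruction_lengths(insns):
        if addr == target:
            return "boundary", text
        if length is not None and addr < target < addr + length:
            return "mid-instruction", text
    return "outside", None


def skip_analysis(dump, callee_substr, delta):
    """Where does execution resume if the return address is advanced by delta bytes?"""
    insns = parse_listing(dump)
    ret = return_address_after(insns, callee_substr)
    kind, text = classify_landing(insns, ret + delta)
    return {"return_address": ret, "landing": ret + delta, "kind": kind, "instruction": text}


def boundary_deltas(dump, callee_substr):
    """All advances from the return address that land on an instruction boundary."""
    insns = parse_listing(dump)
    ret = return_address_after(insns, callee_substr)
    return [addr - ret for addr, _ in insns if addr >= ret]


if __name__ == "__main__":
    for delta in (0, 7, 12):
        r = skip_analysis(GDB_DUMP, "<function>", delta)
        print("+%2d -> 0x%x %-16s %s" % (delta, r["landing"], r["kind"], r["instruction"]))
    print("boundaries:", boundary_deltas(GDB_DUMP, "<function>"))
```

The point for a learner is that the value 12 in `(*ret) += 12` was tuned for the 32-bit listing in aleph1's paper and has to be re-derived from the listing of the binary actually being run: on this listing the `movl $0x1` store is seven bytes long and +12 stops inside the five-byte `mov $0x4005f8,%edi`, so even a successful write would make the CPU decode from the middle of an instruction, which is one of the things a stack overflow that "does nothing" or crashes can look like. Whether the write reaches the return slot at all is the other question, and on x86_64 the frame layout, 8-byte pointers and the compiler's placement of `buffer1` and `buffer2` all differ from the 32-bit case, so `ret` needs the same treatment: read it off gdb (`info frame`, `x/8gx $rsp`) rather than carrying the constant over.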
Current thread:
- buffer overflow - basic help needed (aleph1) learn lids (Mar 15)