Vulnerability Development mailing list archives

buffer overflow - basic help needed (aleph1)


From: learn lids <learnlids () yahoo com>
Date: Wed, 14 Mar 2007 15:16:07 -0700 (PDT)

Hi list,

I am learning bof and am confused about how to move
ahead; any pointers would be great. Sorry if the
question is too basic, I am a learner...

1> My system: Fedora Core 6 (kernel
2.6.18-1.2798.fc6 on x86_64)
2> Program used: example3.c from Aleph1's Smashing
the Stack
------example3.c---------------
#include <stdio.h>

/* a, b and c are unused; they only mirror the tutorial's frame layout. */
void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    int *ret;

    /* Meant to point at the saved return address; 12 is the offset
       assumed by the original 32-bit tutorial. The cast is needed for
       this to compile on current gcc; behaviour is unchanged. */
    ret = (int *)(buffer1 + 12);
    /* Meant to advance the return address past the "x = 1" store. */
    (*ret) += 12;
}

int main(void) {
    int x;

    x = 0;
    function(1, 2, 3);
    x = 1;
    printf("%d\n", x);
    return 0;
}
--------------------------------------
3> Problem I am facing:
I am trying to skip the x=1 statement so that the
printf will show x=0. I did a gdb disassembly of main
with the following result:
===========
(gdb) disassemble main
Dump of assembler code for function main:
0x00000000004004a2 <main+0>:    push   %rbp
0x00000000004004a3 <main+1>:    mov    %rsp,%rbp
0x00000000004004a6 <main+4>:    sub    $0x10,%rsp
0x00000000004004aa <main+8>:    movl   $0x0,0xfffffffffffffffc(%rbp)
0x00000000004004b1 <main+15>:   mov    $0x3,%edx
0x00000000004004b6 <main+20>:   mov    $0x2,%esi
0x00000000004004bb <main+25>:   mov    $0x1,%edi
0x00000000004004c0 <main+30>:   callq  0x400478 <function>
0x00000000004004c5 <main+35>:   movl   $0x1,0xfffffffffffffffc(%rbp)
0x00000000004004cc <main+42>:   mov    0xfffffffffffffffc(%rbp),%esi
0x00000000004004cf <main+45>:   mov    $0x4005f8,%edi
0x00000000004004d4 <main+50>:   mov    $0x0,%eax
0x00000000004004d9 <main+55>:   callq  0x400398 <printf@plt>
0x00000000004004de <main+60>:   movl   $0x9,0xfffffffffffffffc(%rbp)
0x00000000004004e5 <main+67>:   mov    0xfffffffffffffffc(%rbp),%esi
0x00000000004004e8 <main+70>:   mov    $0x4005f8,%edi
0x00000000004004ed <main+75>:   mov    $0x0,%eax
0x00000000004004f2 <main+80>:   callq  0x400398 <printf@plt>
0x00000000004004f7 <main+85>:   leaveq
0x00000000004004f8 <main+86>:   retq
=============
I need to skip 12 bytes after the 'call function', and
hence I am incrementing *ret by 12.

When I run the prog, "1" is still displayed. Where am
I going wrong?

thanks

- ll
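An added example, not part of the original post: a small parser for the gdb `disassemble` listing format shown above. It derives each instruction's encoded length from the distance between consecutive listed addresses, which is what tells you whether a given byte offset from a return address actually starts an instruction or falls inside one. The function names and the trimmed listing excerpt are constructed here.

```python
import re

# Constructed sample input: an excerpt of the gdb listing from the post,
# retyped with the wrapped lines rejoined.
GDB_LISTING = """\
0x00000000004004a2 <main+0>:    push   %rbp
0x00000000004004a3 <main+1>:    mov    %rsp,%rbp
0x00000000004004a6 <main+4>:    sub    $0x10,%rsp
0x00000000004004aa <main+8>:    movl   $0x0,0xfffffffffffffffc(%rbp)
0x00000000004004b1 <main+15>:   mov    $0x3,%edx
0x00000000004004b6 <main+20>:   mov    $0x2,%esi
0x00000000004004bb <main+25>:   mov    $0x1,%edi
0x00000000004004c0 <main+30>:   callq  0x400478 <function>
0x00000000004004c5 <main+35>:   movl   $0x1,0xfffffffffffffffc(%rbp)
0x00000000004004cc <main+42>:   mov    0xfffffffffffffffc(%rbp),%esi
0x00000000004004cf <main+45>:   mov    $0x4005f8,%edi
"""

# One listing line: absolute address, <symbol+offset>, then the instruction text.
LINE_RE = re.compile(r"^0x([0-9a-f]+)\s+<(\w+)\+(\d+)>:\s*(.*)$")

def parse_listing(text):
    """Return [(offset, asm, length)] in listing order. The encoded length is
    the distance to the next listed address; the last one is unknown (None)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), int(m.group(3)), m.group(4).strip()))
    insns = []
    for i, (addr, off, asm) in enumerate(rows):
        length = rows[i + 1][0] - addr if i + 1 < len(rows) else None
        insns.append((off, asm, length))
    return insns

def instruction_at(insns, offset):
    """Instruction text starting exactly at `offset`, else None (mid-instruction)."""
    return next((asm for off, asm, _ in insns if off == offset), None)

def lands_on_boundary(insns, return_offset, delta):
    """True if resuming `delta` bytes past `return_offset` starts an instruction."""
    return instruction_at(insns, return_offset + delta) is not None

if __name__ == "__main__":
    insns = parse_listing(GDB_LISTING)
    for off, asm, length in insns:
        print(f"main+{off:<3} {str(length):>4} bytes  {asm}")
    # The call at main+30 returns to main+35; the store there is 7 bytes.
    print("main+35 + 12 on a boundary:", lands_on_boundary(insns, 35, 12))
    print("main+35 + 7  on a boundary:", lands_on_boundary(insns, 35, 7))
```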

