Vulnerability Development mailing list archives
Re: understanding buffer overflows
From: Ben Petering <bjp () dfmagicp org>
Date: Sat, 03 Nov 2007 23:42:11 +1030
secacc7 () hotmail com wrote:
Hello, my name is Michael, I'm from Austria, so my English is very bad. A few days ago I began to experiment with buffer overflows in Linux. I wrote a little C++ program like this:

    #include <string.h>

    int main(void)
    {
        char buffer[10];
        /* source string is much longer than the 10-byte destination */
        char COPY[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";
        /* no length check: strcpy() writes past the end of buffer */
        strcpy((char *)buffer, (char *)COPY);
        return 0;
    }

OK, this works very well, I got a core dump and started gdb. But in the output from "info all" EIP was not overwritten, so I put a few lines in the program to output the addresses of functions and variables. Addresses of functions were over 0 (e.g. (dec) 500000) and addresses of vars under 0 (e.g. -5000000). I think this is maybe the problem - but why?

Output from gdb:

    eax            0x0        0
    ecx            0x41414141 1094795585
    edx            0x1d7      471
    ebx            0xb7e27ff4 -1209892876
    esp            0x4141413d 0x4141413d
    ebp            0x41414141 0x41414141
    esi            0xb7f77ce0 -1208517408
    edi            0x0        0
    eip            0x80484ad  0x80484ad
    eflags         0x210286   [ PF SF IF RF ID ]
    cs             0x73       115
    ss             0x7b       123
    ds             0x7b       123
    es             0x7b       123
    fs             0x0        0
    gs             0x33       51

Hope anybody can help me understand/learn.

Greets from Austria,
Michael
See above: you overwrote the saved EBP, ECX, and 3 bytes of ESP.

If I recall correctly, on stack-grows-down architectures (Intel etc. - likely yours) the saved value of EBP occurs at a lower memory address than the saved value of EIP (your target). The strcpy() call will copy bytes to increasing memory addresses, so add bytes to the COPY array - i.e. lengthen it.

Then, experiment with gdb until you've figured out what array length overwrites the saved EIP value _exactly_. Make the last few bytes of COPY 0x41, 0x42, 0x43, 0x44 so you can see what is landing where. Once you can make the saved value of EIP be 0x44434241, you're ready to roll.

Cheers
Ben
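The thread shows why the unbounded strcpy() in Michael's program clobbers the saved frame data above buffer[]. As an added example that is not part of this thread, the same 10-byte stack buffer is shown next to a bounded copy that refuses any source that does not fit, which is the fix a reviewer would ask for. The function names (unbounded_copy, bounded_copy, copy_into_stack_buffer) and the 38-'A' sample input are constructed here for the demonstration.

```c
/* Added example, not code from the thread. Shows the strcpy() pattern from
 * the original post beside a length-checked copy into the same sized buffer.
 * Function names and the sample input below are constructed for this demo. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10   /* same size as buffer[10] in the original program */

/* The pattern from the original post: no length check, so a source longer
 * than BUF_SIZE - 1 bytes writes past buffer[] into the saved registers
 * and return address stored above it on the stack. Kept only for
 * comparison; it is never called with a long string in this example. */
size_t unbounded_copy(const char *src)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, src);          /* overflows if strlen(src) >= BUF_SIZE */
    return strlen(buffer);
}

/* Hardened form: copies only when the whole source plus its terminating NUL
 * fits in dst. Returns the number of bytes stored, or (size_t)-1 when the
 * source is too long, in which case dst is left as an empty string so the
 * caller can reject the input instead of silently continuing. */
size_t bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0)
        return (size_t)-1;
    if (n >= dstlen) {            /* would overflow: refuse the copy */
        dst[0] = '\0';
        return (size_t)-1;
    }
    memcpy(dst, src, n + 1);      /* n bytes plus the NUL terminator */
    return n;
}

/* Mirrors the original program's shape (a fixed 10-byte stack buffer fed
 * from a string) but through the bounded copy. Returns 0 if the copy was
 * accepted and -1 if it was refused because src is too long. */
int copy_into_stack_buffer(const char *src)
{
    char buffer[BUF_SIZE];
    if (bounded_copy(buffer, sizeof buffer, src) == (size_t)-1)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed input: 38 'A's, like the COPY[] array in the post. */
    const char copy[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("38-byte source refused: %d\n", copy_into_stack_buffer(copy));
    printf("9-byte source accepted: %d\n", copy_into_stack_buffer("123456789"));
    return 0;
}
```

The check is `n >= dstlen` rather than `n > dstlen` because the NUL terminator needs its own byte; a 9-character string is the longest that fits in a 10-byte buffer, which is exactly the boundary the original program crosses.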
Current thread:
- Re: understanding buffer overflows 3APA3A (Nov 01)
- <Possible follow-ups>
- Re: understanding buffer overflows adimitro (Nov 01)
- Re: Re: understanding buffer overflows ma (Nov 02)
- Re: Re: understanding buffer overflows secacc7 (Nov 02)
- Re: understanding buffer overflows Ben Petering (Nov 05)
- Re: understanding buffer overflows Chris Eagle (Nov 05)