Vulnerability Development mailing list archives
Re: understanding buffer overflows
From: Chris Eagle <cseagle () redshift com>
Date: Mon, 05 Nov 2007 08:53:04 -0800
Resending because this did not seem to get through the first time. secacc7 () hotmail com wrote:
hope anybody can help me understand/learn.
You are probably using a newer version of gcc which is generating a slightly different prologue/epilogue for main than you may be expecting. You should disassemble your program to try to understand it; you will probably see something like this:

prologue:

 8048354:  8d 4c 24 04    lea    ecx,[esp+4]
 8048358:  83 e4 f0       and    esp,0xfffffff0
 804835b:  ff 71 fc       push   DWORD PTR [ecx-4]
 804835e:  55             push   ebp
 804835f:  89 e5          mov    ebp,esp
 8048361:  51             push   ecx

<other stuff>

epilogue:

 80483d2:  83 c4 54       add    esp,0x54
 80483d5:  59             pop    ecx
 80483d6:  5d             pop    ebp
 80483d7:  8d 61 fc       lea    esp,[ecx-4]
 80483da:  c3             ret

In all likelihood you did overwrite eip, but you are crashing at the ret because you have clobbered esp (at 80483d7 in this case). Note that you did control ecx and ebp, thus you controlled esp as well. With a properly structured buffer, this is still exploitable.

Try using the following program instead to make things a little easier:

#include <string.h>

/* strcpy() copies the whole of COPY into a 10-byte stack buffer,
 * overrunning the saved registers and return address above it. */
void vuln(void) {
    char buffer[10];
    char COPY[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";
    strcpy((char *)buffer, (char *)COPY);
}

int main(void) {
    vuln();
    return 0;
}

FYI, it also looks like you may have stack randomization turned on. You will probably want to disable any stack protections you are using if you want to play around with stack overflows.

Chris
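For comparison, here is the same 10-byte buffer with the strcpy() replaced by a bounded copy that cannot run past the buffer and reports how much of the input it had to drop. This is an added example, not code from the thread; bounded_copy(), vuln_fixed() and demo_truncation() are names chosen here, and the 38-byte input is constructed to mirror the oversized constant in the post.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 10   /* same buffer size as the post's vuln() */

/* Copies at most dst_size-1 bytes of src into dst, always NUL-terminates,
 * and returns how many source bytes did not fit (0 means nothing dropped). */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    size_t n;
    if (dst_size == 0)
        return src_len;                 /* nowhere to write anything */
    n = src_len < dst_size ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len - n;
}

/* Hardened counterpart of vuln(): the copy is limited by sizeof buffer,
 * so an oversized input is truncated instead of overwriting the frame. */
size_t vuln_fixed(const char *copy)
{
    char buffer[BUF_SIZE];
    size_t dropped = bounded_copy(buffer, sizeof buffer, copy);
    if (dropped)
        fprintf(stderr, "input truncated: %zu byte(s) dropped\n", dropped);
    return dropped;
}

/* Builds a constructed input of src_len 'A's and returns how many bytes
 * vuln_fixed() had to drop to keep the copy inside the buffer. */
size_t demo_truncation(size_t src_len)
{
    char *src = malloc(src_len + 1);
    size_t dropped;
    if (!src)
        return (size_t)-1;
    memset(src, 'A', src_len);
    src[src_len] = '\0';
    dropped = vuln_fixed(src);
    free(src);
    return dropped;
}

int main(void)
{
    /* 38 'A's, longer than the buffer as in the post: 29 are dropped */
    return demo_truncation(38) == 29 ? 0 : 1;
}
```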
Current thread:
- Re: understanding buffer overflows 3APA3A (Nov 01)
- <Possible follow-ups>
- Re: understanding buffer overflows adimitro (Nov 01)
- Re: Re: understanding buffer overflows ma (Nov 02)
- Re: Re: understanding buffer overflows secacc7 (Nov 02)
- Re: understanding buffer overflows Ben Petering (Nov 05)
- Re: understanding buffer overflows Chris Eagle (Nov 05)