Security Basics mailing list archives

RE: Regarding Aleph's "Smashing the Stack for fun and Profit"


From: "Bryan McAninch" <BMcAninch () PENSON COM>
Date: Tue, 4 Oct 2005 09:03:44 -0500

I recall encountering a few differences between my gdb output and the
output provided in Aleph's article (perhaps even a few typos). Obviously
the addresses will differ, but I can't recall the reason why the
assembly code itself differs. AFAIK, compilers compile code differently
on different distros; maybe someone else on the list can cue in and
answer. From what you're describing, it sounds as if your return address
is not correct, your 'ret' pointer is not actually pointing to the
return address, or both.

In Aleph's code below, the return address pushed onto the stack when
calling <function> should be that of the next instruction, 0x0804836b
<main+37>. The assignment of 'x=1' occurs at 0x0804836e <main+40>, which
means you'll need to change the value used in <function> to change the
return address to an instruction after 0x0804836e <main+40>, perhaps
0x08048375 <main+47>. If my calculations are correct, the value used in
<function> should be (0x0804836b - 0x0804836e) = 8, which is what Aleph
has used in his document, "*ret += 8".

For your code, simply follow the same methodology as above, but first
ensure 'ret = buffer1 + 12' is actually pointing to your return address
on the stack. Perhaps you can include your gdb output for <function> if
the following suggestions don't work. When <function> is called, the
return address pushed onto the stack should be 0x80004a8 <main+24>, the
assignment of 'x=1' occurs at 0x80004ab <main+27>, meaning you'll want
to skip that instruction and return to the next one instead, 0x80004b2
<main+34>. Thus, your return address should be (0x80004b2 - 0x80004a8) =
10. So, try using *ret += 10 in function. 

Cheers,
Bryan

Aleph's code:

0x08048346 <main+0>:  push %ebp
0x08048347 <main+1>:  mov %esp,%ebp
0x08048349 <main+3>:  sub $0x8,%esp
0x0804834c <main+6>:  and $0xfffffff0,%esp 
0x0804834f <main+9>:  mov $0x0,%eax
0x08048354 <main+14>: sub %eax,%esp
0x08048356 <main+16>: movl $0x0,0xfffffffc(%ebp)
0x0804835d <main+23>: sub $0x4,%esp
0x08048360 <main+26>: push $0x3
0x08048362 <main+28>: push $0x2
0x08048364 <main+30>: push $0x1
0x08048366 <main+32>: call 0x8048328 <function>
0x0804836b <main+37>: add $0x10,%esp 
0x0804836e <main+40>: movl $0x1,0xfffffffc(%ebp)
0x08048375 <main+47>: sub $0x8,%esp
0x08048378 <main+50>: pushl 0xfffffffc(%ebp)
0x0804837b <main+53>: push $0x8048438
0x08048380 <main+58>: call 0x8048268 <printf>
0x08048385 <main+63>: add $0x10,%esp
0x08048388 <main+66>: leave
0x08048389 <main+67>: ret

Your code:

0x8000490 <main>:    pushl %ebp
0x8000491 <main+1>:  movl %esp,%ebp
0x8000493 <main+3>:  subl $0x4,%esp
0x8000496 <main+6>:  movl $0x0,0xfffffffc(%ebp)
0x800049d <main+13>: pushl $0x3
0x800049f <main+15>: pushl $0x2
0x80004a1 <main+17>: pushl $0x1
0x80004a3 <main+19>: call 0x8000470 <function>
0x80004a8 <main+24>: addl $0xc,%esp
0x80004ab <main+27>: movl $0x1,0xfffffffc(%ebp)
0x80004b2 <main+34>: movl 0xfffffffc(%ebp),%eax
0x80004b5 <main+37>: pushl %eax
0x80004b6 <main+38>: pushl $0x80004f8
0x80004bb <main+43>: call 0x8000378 <printf>
0x80004c0 <main+48>: addl $0x8,%esp
0x80004c3 <main+51>: movl %ebp,%esp
0x80004c5 <main+53>: popl %ebp
0x80004c6 <main+54>: ret
0x80004c7 <main+55>: nop

-----Original Message-----
From: ra_in_2003 () yahoo com [mailto:ra_in_2003 () yahoo com] 
Sent: Monday, October 03, 2005 08:52 AM
To: security-basics () securityfocus com
Subject: Regarding Aleph's "Smashing the Stack for fun and Profit"

Hi,

I was trying out examples given in Aleph One's Smashing the Stack
article. But somehow I am not getting the expected results. I am running
RedHat Linux Kernel 2.4-20 on an Intel Piii. GCC version is 3.2.2.

For instance, this example is printing "1" instead of expected "0"....

#include <stdio.h>

void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    int *ret;

    /* Assumes the saved return address lies 12 bytes above buffer1 in
       this compiler's stack layout; the gdb output has to confirm that. */
    ret = (int *)(buffer1 + 12);
    /* Add 8 to the saved return address so main resumes past 'x = 1'. */
    (*ret) += 8;
}

int main(void) {
    int x;

    x = 0;
    function(1, 2, 3);
    x = 1;
    printf("%d\n", x);
    return 0;
}

<-- snip -->

Thanks in Advance,
RA_IN
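The arithmetic Bryan walks through above (return address = the instruction after the `call`, target = the instruction after `x = 1`, offset = the difference) can be done mechanically over a gdb listing, which is worth doing since the offset changes with every compiler and distro. This is an added example, not code from either poster; it assumes gdb's `0xADDR <sym+off>: insn` line format and embeds RA_IN's listing as quoted in the reply:

```python
import re

# RA_IN's "Your code" listing, copied from the reply above (constructed input).
YOUR_CODE = """\
0x8000490 <main>:    pushl %ebp
0x8000491 <main+1>:  movl %esp,%ebp
0x8000493 <main+3>:  subl $0x4,%esp
0x8000496 <main+6>:  movl $0x0,0xfffffffc(%ebp)
0x800049d <main+13>: pushl $0x3
0x800049f <main+15>: pushl $0x2
0x80004a1 <main+17>: pushl $0x1
0x80004a3 <main+19>: call 0x8000470 <function>
0x80004a8 <main+24>: addl $0xc,%esp
0x80004ab <main+27>: movl $0x1,0xfffffffc(%ebp)
0x80004b2 <main+34>: movl 0xfffffffc(%ebp),%eax
0x80004b5 <main+37>: pushl %eax
0x80004b6 <main+38>: pushl $0x80004f8
0x80004bb <main+43>: call 0x8000378 <printf>
0x80004c0 <main+48>: addl $0x8,%esp
0x80004c3 <main+51>: movl %ebp,%esp
0x80004c5 <main+53>: popl %ebp
0x80004c6 <main+54>: ret
0x80004c7 <main+55>: nop
"""

# One gdb disassembly line: address, <symbol+offset>:, then the instruction.
LINE_RE = re.compile(r'^\s*(0x[0-9a-fA-F]+)\s+<[^>]+>:\s*(.*?)\s*$')

def parse_listing(text):
    """Return [(address, instruction), ...] from a gdb 'disassemble' listing."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), m.group(2)))
    return insns

def skip_offset(text, callee="function", skipped=r"movl\s+\$0x1,"):
    """Return (return_addr, target, target - return_addr).
    return_addr: the instruction after 'call <callee>' (what the call pushes).
    target: the instruction after the first one matching `skipped` (x = 1).
    Raises ValueError if either instruction is missing from the listing."""
    insns = parse_listing(text)
    ret_addr = target = None
    for i, (addr, insn) in enumerate(insns):
        nxt = insns[i + 1][0] if i + 1 < len(insns) else None
        if ret_addr is None and re.search(rf'\bcall\b.*<{re.escape(callee)}>', insn):
            ret_addr = nxt
        elif ret_addr is not None and re.search(skipped, insn):
            target = nxt
            break
    if ret_addr is None or target is None:
        raise ValueError("call or skipped instruction not found in listing")
    return ret_addr, target, target - ret_addr
```

Running `skip_offset(YOUR_CODE)` reproduces Bryan's numbers for RA_IN's build (0x80004a8, 0x80004b2, 10); feeding it your own `disassemble main` output gives the value for your compiler instead of the one in the article.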

