Is there any way to find the original buffer limit, in the case of buffer overflows

[msairam at intoto.com (M.P.Sairam)]

Can we know the size only for buf1

At 03:23 PM 5/30/2007, you wrote:
> You can often indirectly estimate it.
>
> Lets say you have in pseudo-code:
>
> function do_stuff(attacker_controlled)
> {
>   buf1[256]
>   buf2[128]
>   strcpy(buf1,attacker_controlled)
> }
>
> Then depending on your architecture, the stack will assign space for 
> buf1, followed by buf2, followed by EBP, followed by saved return 
> address (EIP). If the program has been compile with /GS support 
> you'll see a further 4 byte record for the stack canary if all went 
> as planned.
>
> So if you calculate empirically that you need 392 bytes to align 
> with EIP in this example you know you have ~384 bytes of buffer to 
> fill up, followed by the prologue, before the saved return address. 
> This is the reason why we use slightly more than a power of 2 bytes 
> when overflowing a buffer on the stack, as there are a few bytes 
> after the buffer allocations have finished (and programmers like to 
> use nice powers of 2).
>
> I don't have my TAoSSA reference in front of me, but from memory 
> that's how the stack will be laid out from the MS compiler.
>
> Rhys

Thanks,
    --
Sairam 

********************************************************************************
This email message (including any attachments) is for the sole use of the intended recipient(s) 
and may contain confidential, proprietary and privileged information. Any unauthorized review, 
use, disclosure or distribution is prohibited. If you are not the intended recipient, 
please immediately notify the sender by reply email and destroy all copies of the original message. 
Thank you.
 
Intoto Inc. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070530/786cd017/attachment.htm>