Metasploit mailing list archives

Buffer overflow in main


From: warlord at nologin.org (warlord)
Date: Thu, 28 Feb 2008 17:34:01 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Even though the paper is old, it's still one of the best references out
there for buffer overflows.
Go find Aleph1's "Smashing the stack for fun and profit". It should be
easy to find with Google.

wrl

wbyoung at u.northwestern.edu wrote:
| This isn't Metasploit specific, but it seems like a good place to ask:
|
| If I have a program:
|
| #include <stdio.h>
|
| int main() {
|   char buffer[64];
|   gets(buffer);   /* no bounds check: deliberately overflowable */
|   return 0;
| }
|
| On Ubuntu 7.10 using gcc with --no-stack-protector and -z execstack
| options to compile, you can overflow the buffer and change the return
| address of main, but when main completes, it does not return to the
| address you might want.
|
| In this program, you can inject a return address and it returns to the
| address you specify:
|
| #include <stdio.h>
|
| void run() {
|   char buffer[64];
|   gets(buffer);   /* overflow here reaches run()'s own saved return address */
| }
|
| int main() {
|   run();
|   return 0;
| }
|
| I believe this has to do with the way libc returns from main, but if
| someone could explain (in as much detail as possible) or point to a
| resource that explains what is going on here, that'd be great.  Thanks!
|
|
| - Whitney Young
|


- --
dreaming in digital - living in realtime - thinking in binary - talking
in IP - welcome to our world

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHxuJ59A36oltxjVQRA22sAJ9R5RNEu4c6hJRuHSPDVQLFhjwPuwCgmScj
+ACpCytrtfqgGEVVGB+ocYE=
=yKOe
-----END PGP SIGNATURE-----
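Added example, not part of the thread or of Aleph1's paper. The question above gets a naive overflow past run()'s return address to work but not past main()'s. On the gcc 4.x i386 builds of that period the likely cause is main's prologue, which realigns the stack to 16 bytes and stashes the original stack pointer in a register slot that sits between the locals and the saved frame pointer; the epilogue restores %esp from that slot (pop %ecx; ...; lea -4(%ecx),%esp; ret), so an overflow that runs through it makes ret pop its target from wherever the clobbered value points rather than from the slot you overwrote. A non-main function has no such slot, so the same payload lands. The program below makes that kind of layout question measurable on whatever toolchain you have: probe_frame() reports the distance from a 64-byte local buffer to the saved frame pointer and to the return-address slot and verifies that the slot really holds the return address; read_line() is the bounded replacement for gets(), and demo_read() runs it over constructed input, including a line longer than the buffer. The builtins are GCC/Clang extensions, the frame layout assumed is that of x86, x86-64 and AArch64 with a frame pointer, and the distances change with -fno-stack-protector (the flag the question refers to) versus the default.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 64

/* Result of probing a frame that holds a 64-byte local buffer. */
struct frame_probe {
    size_t bytes_to_fp;   /* overflow length from buffer[0] to the saved frame pointer */
    size_t bytes_to_ret;  /* overflow length from buffer[0] to the return-address slot */
    int    ret_slot_ok;   /* 1 if that slot really holds this call's return address */
};

/* Measure, on the compiler and flags actually in use, how far an overflow of a
 * 64-byte local buffer must run to reach the saved frame pointer and the return
 * address.  Assumes the frame pointer points at the saved caller frame pointer
 * with the return address in the next slot up (x86, x86-64, AArch64).  Whatever
 * the prologue saves between the locals and the frame pointer (a stack-protector
 * canary, or the saved stack pointer gcc 4.x kept in main) adds to the distance. */
__attribute__((noinline))
struct frame_probe probe_frame(void)
{
    struct frame_probe p;
    char buffer[BUF_SIZE];
    volatile char *keep = buffer;           /* force the array onto the stack */

    memset(buffer, 'A', sizeof buffer);
    keep[0] = 'B';

    uintptr_t buf = (uintptr_t)buffer;
    uintptr_t fp  = (uintptr_t)__builtin_frame_address(0);
    uintptr_t ret = fp + sizeof(void *);

    p.bytes_to_fp  = (size_t)(fp - buf);
    p.bytes_to_ret = (size_t)(ret - buf);
    p.ret_slot_ok  = (*(void **)ret == __builtin_return_address(0));
    return p;
}

enum read_status { READ_OK, READ_TRUNCATED, READ_EOF };

/* Bounded replacement for gets(): reads at most n-1 bytes of one line into buf,
 * strips the newline and reports whether the line had to be cut.  The rest of an
 * over-long line is drained so the next call starts at a line boundary instead
 * of treating the leftover bytes as a fresh line. */
enum read_status read_line(FILE *in, char *buf, size_t n)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return READ_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }

    /* No newline in buf: the line was longer than n-1 bytes or ended at EOF. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated ? READ_TRUNCATED : READ_OK;
}

/* Run read_line over constructed input (not from the thread): a short line, a
 * 100-byte line that would overrun the 64-byte buffer, and a final line.  Fills
 * status[0..3] (the fourth read hits EOF) and copies the third line into last. */
int demo_read(enum read_status status[4], char *last, size_t last_n)
{
    FILE *f = tmpfile();
    if (!f)
        return -1;
    fputs("short\n", f);
    for (int i = 0; i < 100; i++)
        fputc('0' + i % 10, f);
    fputs("\nnext\n", f);
    rewind(f);

    char buf[BUF_SIZE];
    for (int i = 0; i < 3; i++)
        status[i] = read_line(f, buf, sizeof buf);
    snprintf(last, last_n, "%s", buf);              /* text of the third line */
    status[3] = read_line(f, buf, sizeof buf);      /* nothing left: READ_EOF */
    fclose(f);
    return 0;
}

int main(void)
{
    struct frame_probe p = probe_frame();
    printf("buffer -> saved fp: %zu bytes, buffer -> return address: %zu bytes (%s)\n",
           p.bytes_to_fp, p.bytes_to_ret, p.ret_slot_ok ? "slot verified" : "layout differs");

    enum read_status st[4];
    char last[BUF_SIZE];
    if (demo_read(st, last, sizeof last) == 0)
        printf("statuses: %d %d %d %d, third line: \"%s\"\n", st[0], st[1], st[2], st[3], last);
    return 0;
}
```

Build it twice, once with the defaults and once with -fno-stack-protector, and compare the two distances: the difference is the canary slot, which is exactly the kind of extra saved word that makes a payload computed from the source alone miss its target.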