Metasploit mailing list archives

Buffer overflow in main


From: wbyoung at u.northwestern.edu (wbyoung at u.northwestern.edu)
Date: Fri, 29 Feb 2008 10:07:07 -0600

Sorry I didn't explain a little more.  I understand buffer overflows and how
they work.  I've read Aleph One's Stack Smashing paper many times.  I can
overwrite the return address of the main function properly, which I've
confirmed in gdb.  Here's the disassembly of both functions.  Some responses
to me personally said to take this off list, so if this is really off topic,
feel free to let me know.
Here's the disassembly of the two functions.

0x08048374 <main+0>: lea    0x4(%esp),%ecx
0x08048378 <main+4>: and    $0xfffffff0,%esp
0x0804837b <main+7>: pushl  0xfffffffc(%ecx)
0x0804837e <main+10>: push   %ebp
0x0804837f <main+11>: mov    %esp,%ebp
0x08048381 <main+13>: push   %ecx
0x08048382 <main+14>: sub    $0x44,%esp
0x08048385 <main+17>: lea    0xffffffbc(%ebp),%eax
0x08048388 <main+20>: mov    %eax,(%esp)
0x0804838b <main+23>: call   0x80482c4 <gets at plt>
0x08048390 <main+28>: mov    $0x0,%eax
0x08048395 <main+33>: add    $0x44,%esp
0x08048398 <main+36>: pop    %ecx
0x08048399 <main+37>: pop    %ebp
0x0804839a <main+38>: lea    0xfffffffc(%ecx),%esp
0x0804839d <main+41>: ret

0x08048374 <run+0>: push   %ebp
0x08048375 <run+1>: mov    %esp,%ebp
0x08048377 <run+3>: sub    $0x48,%esp
0x0804837a <run+6>: lea    0xffffffc0(%ebp),%eax
0x0804837d <run+9>: mov    %eax,(%esp)
0x08048380 <run+12>: call   0x80482c4 <gets at plt>
0x08048385 <run+17>: leave
0x08048386 <run+18>: ret

On Fri, Feb 29, 2008 at 6:30 AM, bambam <bambam.quiescence at googlemail.com>
wrote:

Maybe it's gcc adding calls to exit functions that call the callgate
to syscall exit, so main never returns? Don't know, haven't looked at
anything this shallow in ages.

2008/2/28  <wbyoung at u.northwestern.edu>:
This isn't Metasploit specific, but it seems like a good place to ask:

 If I have a program:

 #include <stdio.h>   /* gets() is the deliberately unsafe call under discussion */

 int main() {
   char buffer[64];
   gets(buffer);
   return 0;
 }

 On Ubuntu 7.10 using gcc with --no-stack-protector and -z execstack
 options to compile, you can overflow the buffer and change the return
 address of main, but when main completes, it does not return to the
 address you might want.

 In this program, you can inject a return address and it returns to the
 address you specify:

 #include <stdio.h>   /* gets() is the deliberately unsafe call under discussion */

 void run() {
   char buffer[64];
   gets(buffer);
 }

 int main() {
   run();
   return 0;
 }

 I believe this has to do with the way libc returns from main, but if
 someone could explain (in as much detail as possible) or point to a
 resource that explains what is going on here, that'd be great.  Thanks!


 - Whitney Young



_______________________________________________
 http://spool.metasploit.com/mailman/listinfo/framework
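As an added example (not code from the thread), the model below encodes each function's frame from the offsets in the disassembly above and shows why input long enough to reach main's return-address slot necessarily passes through the saved %ecx that main's epilogue (`pop %ecx; pop %ebp; lea -4(%ecx),%esp; ret`) uses to rebuild %esp before `ret`. The slot_t/frame_t types and slot names are labels chosen here.

```c
/* Stack-frame model of main() and run() built from the offsets in the posted
 * disassembly (constructed example; slot names and types are labels, not gcc's). */
#include <string.h>

typedef struct { const char *name; int off; int size; } slot_t;

typedef struct {
    const char *fn;
    const slot_t *slots;     /* ascending byte offsets from the start of buffer */
    int nslots;
    int esp_from_saved_ecx;  /* 1: epilogue is `pop %ecx; pop %ebp; lea -4(%ecx),%esp; ret` */
} frame_t;

/* main: buffer at ebp-0x44 (lea 0xffffffbc(%ebp)), the %ecx pushed by the
 * realignment prologue at ebp-4, saved %ebp at ebp.  The slot at ebp+4 is only
 * the copy made by `pushl 0xfffffffc(%ecx)`; `ret` pops the original return
 * address at (saved %ecx)-4, so the saved %ecx is what decides where `ret` reads. */
static const slot_t main_slots[] = {
    {"buffer", 0, 64}, {"saved_ecx", 64, 4}, {"saved_ebp", 68, 4}, {"ret_addr", 72, 4}};
/* run: buffer at ebp-0x40 (lea 0xffffffc0(%ebp)); `leave; ret` rebuilds %esp
 * from the live %ebp register, so nothing sits between buffer and saved %ebp. */
static const slot_t run_slots[] = {
    {"buffer", 0, 64}, {"saved_ebp", 64, 4}, {"ret_addr", 68, 4}};

const frame_t main_frame = {"main", main_slots, 4, 1};
const frame_t run_frame  = {"run",  run_slots,  3, 0};

/* 1 if gets() reading n input bytes (it stores n+1, the NUL included)
 * completely overwrites the named slot; 0 if not, or if the slot is absent. */
int slot_overwritten(const frame_t *f, const char *name, int n) {
    for (int i = 0; i < f->nslots; i++)
        if (strcmp(f->slots[i].name, name) == 0)
            return n + 1 >= f->slots[i].off + f->slots[i].size;
    return 0;
}

/* Where `ret` takes its target after an input of n bytes:
 *  -1  ret_addr slot not reached; the function returns normally.
 *   1  ret_addr slot overwritten and `ret` pops that slot (run's `leave; ret`),
 *      so the value written there is what the function returns to.
 *   0  saved_ecx was overwritten on the way to ret_addr, and main's epilogue
 *      does `lea -4(%ecx),%esp` first: `ret` pops from an address derived
 *      from the overflow bytes, not from the ret_addr slot (usually a crash). */
int ret_pops_written_slot(const frame_t *f, int n) {
    if (!slot_overwritten(f, "ret_addr", n))
        return -1;
    if (f->esp_from_saved_ecx && slot_overwritten(f, "saved_ecx", n))
        return 0;
    return 1;
}
```

The model explains the observation in the thread: 72 bytes into run()'s buffer land the return address, while in main() the same reach goes through the saved %ecx first, which is why a canary placed between the buffer and the saved registers catches both cases.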


