Penetration Testing mailing list archives
Re: Buffer Overflow Help
From: "Rafael Coninck Teigao" <rafael () safecore net>
Date: Wed, 31 Jul 2002 06:16:45 -0300
Hi, Leonard.
It works here on my OpenBSD johannes 3.1 GENERIC#59 i386. Though I don't have
a RH or Debian handy, I'll try to give you a hint as to what to look for.
Compile your code with the -g option (just to give you some help when moving
through symbols on gdb) and then run gdb <your.executable>. On gdb run the
following session:
(gdb) disassemble main
Dump of assembler code for function main:
0x17bc <main>: push %ebp
0x17bd <main+1>: mov %esp,%ebp
0x17bf <main+3>: sub $0x18,%esp
0x17c2 <main+6>: call 0x1878 <__main>
0x17c7 <main+11>: movl $0x0,0xfffffffc(%ebp)
0x17ce <main+18>: add $0xfffffffc,%esp
0x17d1 <main+21>: push $0x3
0x17d3 <main+23>: push $0x2
0x17d5 <main+25>: push $0x1
0x17d7 <main+27>: call 0x1798 <function>
0x17dc <main+32>: add $0x10,%esp
0x17df <main+35>: movl $0x1,0xfffffffc(%ebp)
0x17e6 <main+42>: add $0xfffffff8,%esp
0x17e9 <main+45>: mov 0xfffffffc(%ebp),%eax
0x17ec <main+48>: push %eax
0x17ed <main+49>: push $0x17b6
0x17f2 <main+54>: call 0x2084 <_DYNAMIC+132>
0x17f7 <main+59>: add $0x10,%esp
0x17fa <main+62>: leave
0x17fb <main+63>: ret
End of assembler dump.
(gdb)
Look at the line "movl $0x1,0xfffffffc(%ebp)"; that's where 1 is assigned to
x. So you want your saved IP (ret, on P49) to point exactly at this line,
since the next instruction that is going to be executed is the next from the
current (saved) IP when the function returns.
Take a look at where the function is called (<main+27>) and where the
assignment is done (<main+35>). Doing the math: 35-27=8 :-), in this case.
Take a look at your assembler dump and see how far "x=1;" is from
"function(1,2,3);" and that's what you want to add to your "(*ret)".
Hope this helps.
[]'s,
Rafael Coninck Teigao
SafeCore Network Solutions
http://SafeCore.NET
+55 41 224 1785
+49 175 650 2754
------------------------------------------------------------------------
"The only people for me are the mad ones -- the ones who are mad to
live, mad to talk, mad to be saved, desirous of everything at the same
time, the ones who never yawn or say a commonplace thing, but burn,
burn, burn like fabulous yellow Roman candles."
-- Jack Kerouac, "On the Road"
------------------------------------------------------------------------
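As an added example (my own code, not part of the message above or of the original thread), here is a small script that takes the quoted gdb "disassemble main" output and works the arithmetic out from the dump itself instead of by hand: it derives each instruction's length from consecutive addresses, finds where the saved return address of "call <function>" points (the instruction after the call), and reports for a candidate adjustment of (*ret) which offset in main it lands on and whether that offset is an instruction boundary. The dump is embedded as a constructed copy of the one quoted above; the function names (parse_dump, saved_return_address, landing_site, bytes_to_skip) are my own, and the callee name "function" and the "movl $0x1" pattern are taken from the message.

```python
import re

# Constructed copy of the gdb "disassemble main" output quoted in the message above.
DISASSEMBLY = """\
Dump of assembler code for function main:
0x17bc <main>: push %ebp
0x17bd <main+1>: mov %esp,%ebp
0x17bf <main+3>: sub $0x18,%esp
0x17c2 <main+6>: call 0x1878 <__main>
0x17c7 <main+11>: movl $0x0,0xfffffffc(%ebp)
0x17ce <main+18>: add $0xfffffffc,%esp
0x17d1 <main+21>: push $0x3
0x17d3 <main+23>: push $0x2
0x17d5 <main+25>: push $0x1
0x17d7 <main+27>: call 0x1798 <function>
0x17dc <main+32>: add $0x10,%esp
0x17df <main+35>: movl $0x1,0xfffffffc(%ebp)
0x17e6 <main+42>: add $0xfffffff8,%esp
0x17e9 <main+45>: mov 0xfffffffc(%ebp),%eax
0x17ec <main+48>: push %eax
0x17ed <main+49>: push $0x17b6
0x17f2 <main+54>: call 0x2084 <_DYNAMIC+132>
0x17f7 <main+59>: add $0x10,%esp
0x17fa <main+62>: leave
0x17fb <main+63>: ret
End of assembler dump.
"""

# One gdb line: address, <symbol+offset>, mnemonic, operands.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+<(\w+)(?:\+(\d+))?>:\s+(\S+)\s*(.*)$")


def parse_dump(text):
    """Parse gdb 'disassemble' output into dicts with addr, offset, mnemonic,
    operands and size. Size comes from the next instruction's address, so the
    last instruction (ret) has size None. Non-instruction lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, _sym, off, mnemonic, operands = m.groups()
        insns.append({"addr": int(addr, 16), "offset": int(off or 0),
                      "mnemonic": mnemonic, "operands": operands, "size": None})
    for cur, nxt in zip(insns, insns[1:]):
        cur["size"] = nxt["addr"] - cur["addr"]
    return insns


def saved_return_address(insns, callee):
    """The address a 'call <callee>' pushes on the stack: the following instruction."""
    for i, ins in enumerate(insns[:-1]):
        if ins["mnemonic"] == "call" and ins["operands"].endswith(f"<{callee}>"):
            return insns[i + 1]["addr"]
    raise ValueError(f"no call to <{callee}> in dump")


def find_instruction(insns, mnemonic, operands_prefix):
    """First instruction whose mnemonic and operand text match (e.g. the 'x = 1' store)."""
    for ins in insns:
        if ins["mnemonic"] == mnemonic and ins["operands"].startswith(operands_prefix):
            return ins
    raise ValueError(f"no {mnemonic} {operands_prefix}... in dump")


def bytes_to_skip(insns, ret_addr, ins):
    """Adjustment to ret_addr that makes the return land on the instruction after ins."""
    return ins["addr"] + ins["size"] - ret_addr


def landing_site(insns, ret_addr, adjustment):
    """Where ret_addr + adjustment lands, as (offset from main, on_instruction_boundary).
    A landing inside an instruction means the CPU decodes bytes mid-instruction."""
    target = ret_addr + adjustment
    base = insns[0]["addr"]
    on_boundary = any(ins["addr"] == target for ins in insns)
    return target - base, on_boundary


if __name__ == "__main__":
    insns = parse_dump(DISASSEMBLY)
    ret = saved_return_address(insns, "function")
    store = find_instruction(insns, "movl", "$0x1,")
    print(f"saved return address: {ret:#x} (<main+{ret - insns[0]['addr']}>)")
    print(f"'x = 1' store at <main+{store['offset']}>, {store['size']} bytes long")
    for adj in (8, bytes_to_skip(insns, ret, store)):
        off, ok = landing_site(insns, ret, adj)
        print(f"(*ret) += {adj:2d} lands on <main+{off}> boundary={ok}")
```

Running it prints the saved return address, the location and length of the store, and for each adjustment whether it lands on an instruction boundary; the same approach works on any gdb dump of a function, so it is a quick way to sanity-check offsets before changing a return value in a test program.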