Vulnerability Development mailing list archives

Re: Studying buffer overflows [maybe OT]


From: Nasko Oskov <oskov () uiuc edu>
Date: Tue, 9 Apr 2002 02:28:27 -0500


#include <stdio.h>

void f() {
        char a[4];
        int *b;
        b = (int *)(a + 0x8);   /* assumes the saved return address sits 8 bytes past a[0] */
        (*b) += 0x8;            /* assumes the instruction to be skipped is 8 bytes long */
}

int main(void) {
        int x;
        x = 0;
        f();
        x = 1;                  /* the store that the modified return is meant to skip */
        printf("%d\n", x);
        return 0;
}

If you take a look at the disassembly for your main function
and trace it in gdb, you will see why:

0x8048400 in f ()
(gdb)
0x8048401 in f ()
(gdb)
0x804841e in main ()            // goes to this address in main
(gdb) disas main
Dump of assembler code for function main:
0x8048404 <main>:       push   %ebp
0x8048405 <main+1>:     mov    %esp,%ebp
0x8048407 <main+3>:     sub    $0x18,%esp
0x804840a <main+6>:     movl   $0x0,0xfffffffc(%ebp)
0x8048411 <main+13>:    call   0x80483e4 <f>
0x8048416 <main+18>:    movl   $0x1,0xfffffffc(%ebp)

// and as you can see there is no such address in main

0x804841d <main+25>:    add    $0xfffffff8,%esp
0x8048420 <main+28>:    mov    0xfffffffc(%ebp),%eax
0x8048423 <main+31>:    push   %eax
0x8048424 <main+32>:    push   $0x8048490
0x8048429 <main+37>:    call   0x8048300 <printf>
0x804842e <main+42>:    add    $0x10,%esp
0x8048431 <main+45>:    leave
0x8048432 <main+46>:    ret
0x8048433 <main+47>:    nop
0x8048434 <main+48>:    nop

So in order to do what you want it to do, you have to
make it land on 0x804841d instead. Try it out.

-- 
Nasko Oskov - CS Major                SIGMil CoChair
College of Engineering UIUC           CS31337 TA              
"You think your computer is secure? Think again!!!" 
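The two hard-coded 8s in the posted f() are the whole problem: one guesses where the saved return address lies relative to a[0], the other guesses how long the instruction after the call is. Below is an added example (not code from the thread, and not the original poster's program) that derives both values at runtime instead of guessing: it scans the stack near the buffer for the word holding this frame's own return address, records how far that slot is from a[0], and then writes the exact address of the instruction following `x = 1` into it, so the return always lands on an instruction boundary. It relies on GCC/Clang extensions (`__builtin_return_address()` and the labels-as-values `&&label` form), assumes a conventional x86 or AArch64 stack without a hardware shadow stack, and all names (`f_fixed`, `find_ret_slot`, `skip_store_demo`, `g_resume`) are made up here.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the thread.  Needs GCC or Clang for
 * __builtin_return_address() and the labels-as-values extension (&&label).
 * Names (f_fixed, find_ret_slot, skip_store_demo, g_resume) are made up here. */

#define SLOT_NOT_FOUND (-9999L)

static void *g_resume = 0;                   /* code address f_fixed() should return to   */
static long  g_slot_offset = SLOT_NOT_FOUND; /* bytes from a[0] to the saved return addr  */
static long  g_delta = 0;                    /* bytes from the natural return to g_resume */

long last_slot_offset(void) { return g_slot_offset; }
long last_delta(void)       { return g_delta; }

/* Locate the stack word that holds `ret` near the buffer `a`, instead of
 * assuming it is at a + 8.  Scan upward first (x86 and Clang/AArch64 keep the
 * return address above the locals), then downward (GCC/AArch64 keeps the frame
 * record below them).  Volatile reads keep the compiler from reasoning the
 * out-of-bounds accesses away. */
static char *find_ret_slot(char *a, void *ret)
{
    uintptr_t base = (uintptr_t)a & ~(uintptr_t)(sizeof(void *) - 1);
    long k;
    for (k = 0; k < 32; k++) {
        void * volatile *p = (void * volatile *)(base + (uintptr_t)k * sizeof(void *));
        if (*p == ret) return (char *)p;
    }
    for (k = 1; k <= 8; k++) {
        void * volatile *p = (void * volatile *)(base - (uintptr_t)k * sizeof(void *));
        if (*p == ret) return (char *)p;
    }
    return 0;
}

/* The corrected f(): find the real return-address slot, record how far the
 * natural return address is from the instruction we want to land on, and then
 * overwrite the slot with that exact address rather than "return + 8". */
static __attribute__((noinline)) void f_fixed(void)
{
    char a[4] = {0};
    char *slot = find_ret_slot(a, __builtin_return_address(0));
    if (!slot) return;                        /* unknown layout: leave the frame alone */
    g_slot_offset = slot - a;
    g_delta = (char *)g_resume - (char *)__builtin_return_address(0);
    *(void * volatile *)slot = g_resume;      /* volatile store so it is never optimised out */
}

/* Same shape as the thread's main(): x is set to 0, f_fixed() is called, and
 * the store x = 1 is the instruction the redirected return must skip.
 * Returns the value of x the caller observes: 0 means the skip worked. */
int skip_store_demo(void)
{
    volatile int x;
    g_resume = &&after;           /* the instruction boundary right after the store */
    x = 0;
    f_fixed();
    x = 1;                        /* skipped when f_fixed() redirected the return */
after:
    return x;
}

int main(void)
{
    int x = skip_store_demo();
    printf("x = %d (0 means the store was skipped)\n", x);
    printf("return address found %ld bytes from a[0]; required delta %ld bytes "
           "(the posted code guessed 8 for both)\n", last_slot_offset(), last_delta());
    return 0;
}
```

Build it with `-O0` to mirror the thread's layout. On the 32-bit x86 frame in the post the slot really was at a + 8 (that is why the return landed at 0x8048416 + 8 = 0x804841e), but the required delta was 7, the length of `movl $0x1,0xfffffffc(%ebp)`, which is exactly what the program reports as `g_delta` on x86. On a modern x86-64 build with a stack protector the slot offset is larger, since the canary and the 8-byte saved frame pointer sit between the buffer and the return address, which is the other reason a hard-coded 8 stops working.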
