Vulnerability Development mailing list archives

Re: Studying buffer overflows [maybe OT]


From: Guillaume Morin <guillaume () morinfr org>
Date: Tue, 9 Apr 2002 12:37:34 +0200



In a message of 08 Apr at 23:21, darko wrote:
I've started to study buffer overflows. I wrote the following code:

#include <stdio.h>

void f() {
        char a[4];
        int *b;
        /* a + 8 is meant to land on the saved return address of f():
           4 bytes of a, 4 bytes of saved ebp, then the return address.
           The cast silences the pointer-type warning; the offset itself
           depends on the compiler's frame layout. */
        b = (int *)(a + 0x8);
        (*b) += 0x8;    /* bump the return address past the "x = 1" store */
}

int main() {
        int x;
        x = 0;
        f();
        x = 1;
        printf("%d\n", x);
        return 0;
}

I want the program, after the call to f(), to jump to printf() so that the
value of x remains 0, not 1. I always get segmentation faults,
bus errors, etc., and never that fuc*ing "x = 0"!! Tested on a
Celeron 433, Red Hat 7.2, gcc 2.96.

It depends on your compiler.

If I compile this program on an x86 box with gcc 2.95.2, I get
(using objdump -d on the binary):

 80483fa:       c7 45 fc 00 00 00 00    movl   $0x0,0xfffffffc(%ebp)
 8048401:       e8 ce ff ff ff          call   80483d4 <f>
 8048406:       c7 45 fc 01 00 00 00    movl   $0x1,0xfffffffc(%ebp)
 804840d:       83 c4 f8                add    $0xfffffff8,%esp

You want to skip 8049406, so you have to add 7 to the return value.

If I modify (*b) += 0x8; to (*b) += 7;, I get:

guillaum@cedar ~$ ./foo
0
guillaum@cedar ~$

HTH.

-- 
Guillaume Morin <guillaume () morinfr org>

        Justice is lost, Justice is raped, Justice is done. (Metallica)
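As an added illustration (not part of the original thread), the script below parses the four objdump -d lines quoted above, embedded here as constructed input, and derives the 7 from the listing instead of by hand: the return address is the byte after the call, and the amount to add is the length of the instruction sitting there. It also checks where +7 and +8 land, which shows why +8 drops the CPU into the middle of the following add instruction. The function names are this example's own.

```python
import re

# The four objdump -d lines from the thread, embedded as sample input.
LISTING = """\
 80483fa:       c7 45 fc 00 00 00 00    movl   $0x0,0xfffffffc(%ebp)
 8048401:       e8 ce ff ff ff          call   80483d4 <f>
 8048406:       c7 45 fc 01 00 00 00    movl   $0x1,0xfffffffc(%ebp)
 804840d:       83 c4 f8                add    $0xfffffff8,%esp
"""

# One objdump line: address, encoded bytes, mnemonic, operands.
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s+)+)\s*(\S+)\s*(.*)$")


def parse_listing(text):
    """Return a list of (addr, length_in_bytes, mnemonic, operands)."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        length = len(m.group(2).split())   # one hex pair per encoded byte
        insns.append((addr, length, m.group(3), m.group(4).strip()))
    return insns


def skip_delta(insns, callee):
    """Locate 'call <callee>' and return (return_addr, bytes_to_add) where
    bytes_to_add is the size of the instruction at the return address."""
    for i, (addr, length, mnem, ops) in enumerate(insns):
        if mnem == "call" and ops.endswith("<%s>" % callee):
            ret = addr + length               # CPU resumes at the next byte
            nxt = insns[i + 1]
            assert nxt[0] == ret, "listing is not contiguous"
            return ret, nxt[1]
    raise ValueError("no call to " + callee)


def is_insn_boundary(insns, addr):
    """True if addr is the start of a decoded instruction in the listing."""
    return any(a == addr for a, _, _, _ in insns)


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    ret, delta = skip_delta(insns, "f")
    print("return address 0x%x, add %d to skip the next instruction" % (ret, delta))
    for d in (delta, 8):
        tgt = ret + d
        state = "instruction start" if is_insn_boundary(insns, tgt) else "mid-instruction"
        print("+%d -> 0x%x (%s)" % (d, tgt, state))
```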
