Vulnerability Development mailing list archives

Re: Studying buffer overflows [maybe OT]


From: Jan Kluka <kluka () ii fmph uniba sk>
Date: Tue, 9 Apr 2002 09:39:43 +0200


        Hi, darko,

~/tmp/qqq$ cat > qqq.c
void f() {
        char a[4];
        int *b;
        b =  a + 0x8;
        (*b) += 0x8;
}
main() {
        int x;
        x = 0;
        f();
        x = 1;
        printf("%d\n", x);
}
~/tmp/qqq$ gcc -c qqq.c
qqq.c: In function `f':
qqq.c:4: warning: assignment from incompatible pointer type
~/tmp/qqq$ objdump -d qqq.o

qqq.o:     file format elf32-i386

Disassembly of section .text:

00000000 <f>:
   0:   55                      push   %ebp
(...)

00000020 <main>:
  20:   55                      push   %ebp
  21:   89 e5                   mov    %esp,%ebp
  23:   83 ec 18                sub    $0x18,%esp
  26:   c7 45 fc 00 00 00 00    movl   $0x0,0xfffffffc(%ebp)
  2d:   e8 fc ff ff ff          call   2e <main+0xe>
  32:   c7 45 fc 01 00 00 00    movl   $0x1,0xfffffffc(%ebp)
(...)
        1  2  3  4  5  6  7

The movl instruction you try to skip is 7, not 8, bytes long. The fourth
line of f() should read:

        (*b) += 7;

Regards,

                                            JKl'

On Mon, Apr 08, 2002 at 11:21:01PM +0200, darko wrote:
Hi all,

I've started to study buffer overflows. I wrote the following code:

#include <stdio.h>

void f() {
        char a[4];
        int *b;
        /* a + 8 is meant to land on f()'s saved return address on the stack */
        b = (int *) (a + 0x8);
        /* advance the return address past the instruction following the call */
        (*b) += 0x8;
}

int main() {
        int x;
        x = 0;
        f();
        x = 1;
        printf("%d\n", x);
        return 0;
}

I want the program to jump to printf() after the call to f(), so the value of x
should remain 0, not 1. I always get segmentation faults, bus errors, etc.,
and never that fuc*ing "x = 0"!!
Tested on a Celeron 433, red hat 7.2, gcc 2.96.

byez
darko
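As an added illustration of Jan's byte-counting argument (this is not code from either poster): a small Python helper that parses the objdump -d listing quoted above, recovers each instruction's encoded length from its hex bytes, and, for the call at 0x2d, works out the address it returns to and how long the instruction sitting there is. The listing is embedded as a constructed sample copied from the thread; the names parse_objdump, insn_at and return_target are mine.

```python
import re
from typing import NamedTuple

# Matches one instruction line of "objdump -d" output, e.g.
#   "  2d:   e8 fc ff ff ff          call   2e <main+0xe>"
# Group 1 = address, group 2 = encoded bytes, group 3 = mnemonic + operands.
# The lookahead keeps the byte run from swallowing a hex-looking mnemonic
# prefix such as the "ca" of "call".
INSN_RE = re.compile(
    r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s+)*[0-9a-f]{2})(?=\s|$)\s*(.*)$"
)

# The main() listing from the thread, embedded here as constructed sample input.
MAIN_LISTING = """\
00000020 <main>:
  20:   55                      push   %ebp
  21:   89 e5                   mov    %esp,%ebp
  23:   83 ec 18                sub    $0x18,%esp
  26:   c7 45 fc 00 00 00 00    movl   $0x0,0xfffffffc(%ebp)
  2d:   e8 fc ff ff ff          call   2e <main+0xe>
  32:   c7 45 fc 01 00 00 00    movl   $0x1,0xfffffffc(%ebp)
(...)
"""


class Insn(NamedTuple):
    addr: int      # offset of the instruction within the section
    raw: bytes     # its encoded bytes; len(raw) is the instruction length
    text: str      # mnemonic and operands as objdump printed them


def parse_objdump(listing: str) -> list[Insn]:
    """Turn objdump -d text into Insn records, skipping headers and elisions."""
    insns = []
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if m is None:
            continue  # "00000020 <main>:", "(...)", blank lines, etc.
        addr = int(m.group(1), 16)
        raw = bytes.fromhex("".join(m.group(2).split()))
        insns.append(Insn(addr, raw, m.group(3).strip()))
    return insns


def insn_at(insns: list[Insn], addr: int) -> Insn:
    """Return the instruction that starts exactly at addr, or raise if none does."""
    for insn in insns:
        if insn.addr == addr:
            return insn
    raise KeyError(f"no instruction starts at {addr:#x}")


def return_target(insns: list[Insn], call_addr: int) -> tuple[int, int]:
    """For the call at call_addr, return (return address, length in bytes of
    the instruction found at that return address).

    The return address is the first byte after the call's own encoding; the
    length of the instruction there is the distance from that return address
    to the next instruction, which is the number Jan counted by hand (7).
    """
    call = insn_at(insns, call_addr)
    if not call.text.startswith("call"):
        raise ValueError(f"{call_addr:#x} is not a call: {call.text}")
    ret_addr = call.addr + len(call.raw)
    return ret_addr, len(insn_at(insns, ret_addr).raw)


if __name__ == "__main__":
    insns = parse_objdump(MAIN_LISTING)
    for insn in insns:
        print(f"{insn.addr:4x}: {len(insn.raw)} byte(s)  {insn.text}")
    ret_addr, nbytes = return_target(insns, 0x2D)
    print(f"call at 0x2d returns to {ret_addr:#x}; the movl there is {nbytes} bytes")
```

Run against the quoted listing, it reports the call as 5 bytes returning to 0x32, and the movl at 0x32 as 7 bytes, confirming why an offset of 8 lands one byte inside the following instruction and faults rather than skipping it cleanly.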

