Re: Assembler/C References

[KF <dotslash () snosoft com>]

Heres your hint.
[root@localhost root]# ulimit -c 10000

[root@localhost root]# ./abo1 `perl -e 'print "A" x 270'`BC
Segmentation fault (core dumped)

[root@localhost root]# gdb -q ./abo1 core.2497
./abo1: No such file or directory.
Core was generated by `./abo1 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x43424141 in ?? ()

-KF


Jeremy Junginger wrote:

> Hey guys, 
> Thanks for all of the great feedback about assembler and c.  I was
> playing with the code at: 
> http://community.core-sdi.com/~gera/InsecureProgramming/abo1.html
> (Thanks for the link, Claes) 
> And if it is run, it produces a segmentation fault.  After running gdb
> against the program, I obtain the following data:
>
> [rewt@n00bB0x]# gdb abo1 
>
> Copyright 2001 Free Software Foundation, Inc. 
> GDB is free software, covered by the GNU General Public License, and you
> are 
> welcome to change it and/or distribute copies of it under certain
> conditions. 
> Type "show copying" to see the conditions. 
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details. 
> This GDB was configured as "i386-redhat-linux"... 
> (gdb) disass main 
> Dump of assembler code for function main: 
> 0x8048460 <main>:       push   %ebp 
> 0x8048461 <main+1>:     mov    %esp,%ebp 
> 0x8048463 <main+3>:     sub    $0x108,%esp 
> 0x8048469 <main+9>:     sub    $0x8,%esp 
> 0x804846c <main+12>:    mov    0xc(%ebp),%eax 
> 0x804846f <main+15>:    add    $0x4,%eax 
> 0x8048472 <main+18>:    pushl  (%eax) 
> 0x8048474 <main+20>:    lea    0xfffffef8(%ebp),%eax 
> 0x804847a <main+26>:    push   %eax 
> 0x804847b <main+27>:    call   0x804834c <strcpy> 
> 0x8048480 <main+32>:    add    $0x10,%esp 
> 0x8048483 <main+35>:    leave 
> 0x8048484 <main+36>:    ret 
> 0x8048485 <main+37>:    lea    0x0(%esi),%esi 
> 0x8048488 <main+40>:    nop 
> 0x8048489 <main+41>:    nop 
> 0x804848a <main+42>:    nop 
> 0x804848b <main+43>:    nop 
> 0x804848c <main+44>:    nop 
> 0x804848d <main+45>:    nop 
> 0x804848e <main+46>:    nop 
> 0x804848f <main+47>:    nop 
> End of assembler dump. 
> (gdb) quit 
>
> [rewt@n00bB0x]# 
>
> I guess I don't really know where to go from here.  I see that the
> buffer has space form 256 bytes.  Okay, so I run ./abo1 AAAAAAAA(256
> times) and it runs okay, then when I run ./abo1 with AAAA(more than
> 256X) it returns with a segmentation fault.  The part I'm not
> understanding is, after I've overflowed the buffer, how do I know where
> the next bytes will be stored?  Will they be stored at the next memory
> address (in this case 0x8048480)?  Once you know where they are stored,
> how can you append your code, do you just do a
> AAAAAA(howevermanytimesyouneedit) and then append your code to the end
> of it?  
>
> Thanks for fielding these beginner questions.  They're embarrassing to
> ask, but everyone's gotta start somewhere. 
>
> -Jeremy 
>
>
> -----Original Message-----
> From: Kim Reece [mailto:sorel () ugcs caltech edu] 
> Sent: Monday, July 15, 2002 4:53 PM
> To: Knud Erik Hxjgaard
> Cc: Jeremy Junginger; vuln-dev () securityfocus com
> Subject: Re: Assembler/C References
>
>
>
> "art of assembly"  - i forget the author name, but it's a very good book
> and a simple google search will turn it up
>
> plus just about any 'advanced' c book, i.e. one that doesn't assume you
> are incapable of understanding an if statement and need kindergarden
> style graphics to not get bored.
>
>
> --sorel