Vulnerability Development mailing list archives

Buffer Overflow Help

From: <eip () tampabay rr com>
Date: 9 Nov 2004 03:09:39 -0000


I am trying to learn how to write a basic stack buffer overflow on linux. The program that I am exploiting is:

void main (int argc, char **argv[]) {

        char buffer[256];
        if (argc <=1) {

                printf("You did not enter any data\n");
                exit (0);
        }

        strcpy(buffer, argv[1]);
        printf("You Entered:%s\n", buffer);

}

I can overwrite EIP with 272 bytes of data. When I use gdb to find a return address I keep getting different address 
ranges. 
[root@localhost learning]# ./basic `perl -e "print 'A' x 272;"`
You 
Entered:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
[root@localhost learning]# gdb ./basic core.3615 
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...

warning: exec file is newer than core file.
Core was generated by `./basic AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()
(gdb) x/100 $esp - 300
0xbffff5b4:     0x421328d4      0xbffff6d8      0x080483f1      0x080484c0
0xbffff5c4:     0xbffff5d0      0x40015848      0x00000001      0x41414141
0xbffff5d4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff5e4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff5f4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff604:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff614:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff624:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff634:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff644:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff654:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff664:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff674:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff684:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff694:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff6a4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff6b4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff6c4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff6d4:     0x41414141      0x41414141      0x41414141      0x00000000
0xbffff6e4:     0xbffff724      0xbffff730      0x400154f0      0x00000002
0xbffff6f4:     0x080482e0      0x00000000      0x08048301      0x08048390
0xbffff704:     0x00000002      0xbffff724      0x080483f8      0x08048428
0xbffff714:     0x4000cc60      0xbffff71c      0x00000000      0x00000002
0xbffff724:     0xbffffab4      0xbffffabc      0x00000000      0xbffffbcd
0xbffff734:     0xbffffbec      0xbffffbf7      0xbffffc07      0xbffffc15
(gdb) q
[root@localhost learning]# rm -f core.3615 
[root@localhost learning]# ./basic `perl -e "print 'A' x 272;"`
You 
Entered:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
[root@localhost learning]# gdb ./basic core.3622 
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...

warning: exec file is newer than core file.
Core was generated by `./basic AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()
(gdb) x/100 $esp - 300
0xbfffe434:     0x421328d4      0xbfffe558      0x080483f1      0x080484c0
0xbfffe444:     0xbfffe450      0x40015848      0x00000001      0x41414141
0xbfffe454:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe464:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe474:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe484:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe494:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe4a4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe4b4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe4c4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe4d4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe4e4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe4f4:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe504:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe514:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe524:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe534:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe544:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffe554:     0x41414141      0x41414141      0x41414141      0x00000000
0xbfffe564:     0xbfffe5a4      0xbfffe5b0      0x400154f0      0x00000002
0xbfffe574:     0x080482e0      0x00000000      0x08048301      0x08048390
0xbfffe584:     0x00000002      0xbfffe5a4      0x080483f8      0x08048428
0xbfffe594:     0x4000cc60      0xbfffe59c      0x00000000      0x00000002
0xbfffe5a4:     0xbffffab4      0xbffffabc      0x00000000      0xbffffbcd
0xbfffe5b4:     0xbffffbec      0xbffffbf7      0xbffffc07      0xbffffc15
(gdb) 

I am running GCC version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) on a Redhat 9 box kernel 2.4.20-31.9. Am I doing 
something wrong?
Current thread:

Buffer Overflow Help eip (Nov 09)
- Re: Buffer Overflow Help Harry de Grote (Nov 10)
  - Re: Buffer Overflow Help runixd (Nov 10)
- <Possible follow-ups>
- RE: Buffer Overflow Help Carlos Carvalho (Nov 10)
- Re: Buffer Overflow Help Steve Bonds (Nov 12)
- Re: Buffer Overflow Help Marco Ivaldi (Nov 12)
  - Re: Buffer Overflow Help sin (Nov 12)
    - Re: Buffer Overflow Help Steve Bonds (Nov 14)
    - RE: Buffer Overflow Help Chris Eagle (Nov 15)
    - Re: Buffer Overflow Help Steve Bonds (Nov 15)