Vulnerability Development mailing list archives
Buffer Overflow Help
From: <eip () tampabay rr com>
Date: 9 Nov 2004 03:09:39 -0000
I am trying to learn how to write a basic stack buffer overflow on Linux. The program that I am exploiting is:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        char buffer[256];

        if (argc <= 1) {
            printf("You did not enter any data\n");
            exit(0);
        }
        strcpy(buffer, argv[1]);   /* unbounded copy into the 256-byte stack buffer */
        printf("You Entered:%s\n", buffer);
        return 0;
    }

I can overwrite EIP with 272 bytes of data. When I use gdb to find a return address I keep getting different address ranges.

    [root@localhost learning]# ./basic `perl -e "print 'A' x 272;"`
    You Entered:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Segmentation fault (core dumped)
    [root@localhost learning]# gdb ./basic core.3615
    GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
    Copyright 2003 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux-gnu"...
    warning: exec file is newer than core file.
    Core was generated by `./basic AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/tls/libc.so.6...done.
    Loaded symbols for /lib/tls/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...done.
    Loaded symbols for /lib/ld-linux.so.2
    #0  0x41414141 in ?? ()
    (gdb) x/100 $esp - 300
    0xbffff5b4:     0x421328d4      0xbffff6d8      0x080483f1      0x080484c0
    0xbffff5c4:     0xbffff5d0      0x40015848      0x00000001      0x41414141
    0xbffff5d4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff5e4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff5f4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff604:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff614:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff624:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff634:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff644:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff654:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff664:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff674:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff684:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff694:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff6a4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff6b4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff6c4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbffff6d4:     0x41414141      0x41414141      0x41414141      0x00000000
    0xbffff6e4:     0xbffff724      0xbffff730      0x400154f0      0x00000002
    0xbffff6f4:     0x080482e0      0x00000000      0x08048301      0x08048390
    0xbffff704:     0x00000002      0xbffff724      0x080483f8      0x08048428
    0xbffff714:     0x4000cc60      0xbffff71c      0x00000000      0x00000002
    0xbffff724:     0xbffffab4      0xbffffabc      0x00000000      0xbffffbcd
    0xbffff734:     0xbffffbec      0xbffffbf7      0xbffffc07      0xbffffc15
    (gdb) q
    [root@localhost learning]# rm -f core.3615
    [root@localhost learning]# ./basic `perl -e "print 'A' x 272;"`
    You Entered:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Segmentation fault (core dumped)
    [root@localhost learning]# gdb ./basic core.3622
    GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
    Copyright 2003 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux-gnu"...
    warning: exec file is newer than core file.
    Core was generated by `./basic AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/tls/libc.so.6...done.
    Loaded symbols for /lib/tls/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...done.
    Loaded symbols for /lib/ld-linux.so.2
    #0  0x41414141 in ?? ()
    (gdb) x/100 $esp - 300
    0xbfffe434:     0x421328d4      0xbfffe558      0x080483f1      0x080484c0
    0xbfffe444:     0xbfffe450      0x40015848      0x00000001      0x41414141
    0xbfffe454:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe464:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe474:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe484:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe494:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe4a4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe4b4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe4c4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe4d4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe4e4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe4f4:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe504:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe514:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe524:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe534:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe544:     0x41414141      0x41414141      0x41414141      0x41414141
    0xbfffe554:     0x41414141      0x41414141      0x41414141      0x00000000
    0xbfffe564:     0xbfffe5a4      0xbfffe5b0      0x400154f0      0x00000002
    0xbfffe574:     0x080482e0      0x00000000      0x08048301      0x08048390
    0xbfffe584:     0x00000002      0xbfffe5a4      0x080483f8      0x08048428
    0xbfffe594:     0x4000cc60      0xbfffe59c      0x00000000      0x00000002
    0xbfffe5a4:     0xbffffab4      0xbffffabc      0x00000000      0xbffffbcd
    0xbfffe5b4:     0xbffffbec      0xbffffbf7      0xbffffc07      0xbffffc15
    (gdb)

I am running GCC version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) on a Red Hat 9 box, kernel 2.4.20-31.9. Am I doing something wrong?
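Added example (not code from the original post or any reply in the thread): a bounded replacement for the strcpy() in the program above, with the 272-byte run of 'A' from the post constructed inline to show that the oversized input is truncated and reported instead of overwriting the saved return address. copy_arg_bounded, probe and the *_for_len helpers are names chosen here, not anything from the thread.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 256   /* same buffer size as the posted program */

/* Bounded replacement for the posted strcpy() (added example, not from the
   post): copies at most dst_sz-1 bytes, always NUL-terminates, and returns
   1 when the input had to be truncated so the caller can refuse it instead
   of running on silently; 0 on a full copy, -1 if dst_sz is 0. */
int copy_arg_bounded(char *dst, size_t dst_sz, const char *src)
{
    size_t len = strlen(src);
    if (dst_sz == 0)
        return -1;
    if (len >= dst_sz) {
        memcpy(dst, src, dst_sz - 1);
        dst[dst_sz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Constructs an input of n 'A' bytes (like perl -e "print 'A' x 272" in the
   post) and copies it into a BUF_SZ-byte buffer; n must be below 1024. */
static int probe(size_t n, char *buffer)
{
    char input[1024];
    if (n >= sizeof input)
        return -1;
    memset(input, 'A', n);
    input[n] = '\0';
    return copy_arg_bounded(buffer, BUF_SZ, input);
}

int copy_status_for_len(size_t n) { char b[BUF_SZ]; return probe(n, b); }
size_t stored_len_for_len(size_t n) { char b[BUF_SZ] = ""; probe(n, b); return strlen(b); }

int main(int argc, char **argv)
{
    char buffer[BUF_SZ];
    if (argc <= 1) { printf("You did not enter any data\n"); return 0; }
    if (copy_arg_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %d bytes)\n", BUF_SZ - 1);
        return 1;
    }
    printf("You Entered:%s\n", buffer);
    return 0;
}
```

Run it with the same 272-byte argument as the post and it exits with status 1 and an error instead of a segfault; the 255-byte boundary is the largest input that still copies whole.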
Current thread:
- Buffer Overflow Help eip (Nov 09)
- Re: Buffer Overflow Help Harry de Grote (Nov 10)
- Re: Buffer Overflow Help runixd (Nov 10)
- <Possible follow-ups>
- RE: Buffer Overflow Help Carlos Carvalho (Nov 10)
- Re: Buffer Overflow Help Steve Bonds (Nov 12)
- Re: Buffer Overflow Help Marco Ivaldi (Nov 12)
- Re: Buffer Overflow Help sin (Nov 12)
- Re: Buffer Overflow Help Steve Bonds (Nov 14)
- RE: Buffer Overflow Help Chris Eagle (Nov 15)
- Re: Buffer Overflow Help Steve Bonds (Nov 15)
- Re: Buffer Overflow Help sin (Nov 12)
- Re: Buffer Overflow Help Harry de Grote (Nov 10)