Vulnerability Development mailing list archives

Re: buffer overflow - basic help needed (aleph1)


From: warl0ck () metaeye org
Date: 2 Apr 2007 07:09:01 -0000

The problem is due to the fact that it has been a
long time since aleph1 wrote that, and a lot
of changes and optimizations have come into compilers
and linkers; still, it can be done.

First of all, let's locate where exactly the
saved eip is.

Let's build the program with debugging symbols
to make things easier:
% gcc -ggdb -o example3 example3.c

and then fire up gdb:

%gdb -q example3
(gdb) b function
Breakpoint 1 at 0x804835a: file example3.c, line 5.
(gdb) r
Starting program: /home/warl0ck/tmp/example3
Breakpoint 1, function (a=1, b=2, c=3) at example3.c:5
5           ret = buffer + 13;
(gdb)p/x &buffer1
$1 = 0xbffe925f
(gdb)info frame
Stack level 0, frame at 0xbffe9270:
 eip = 0x804835a in function (example3_1.c:5); saved eip 0x80483a6
 called by frame at 0xbffe92a0
 source language c.
 Arglist at 0xbffe9268, args: a=1, b=2, c=3
 Locals at 0xbffe9268, Previous frame's sp is 0xbffe9270
 Saved registers:
  ebp at 0xbffe9268, eip at 0xbffe926c
(gdb)p 0xbffe926c-0xbffe925f
13
(gdb)q
The program is running.  Exit anyway? (y or n)y

As you can see, the distance between the saved eip and
buffer1 is 13 here and not 12.

Now, to skip the x = 1 instruction,

going as usual:
(gdb)disassemble main
-----snip-----
0x080483a1 <main+47>:   call   0x8048354 <function>
0x080483a6 <main+52>:   movl   $0x1,0xfffffff8(%ebp)
0x080483ad <main+59>:   mov    0xfffffff8(%ebp),%eax
0x080483b0 <main+62>:   mov    %eax,0x4(%esp)
0x080483b4 <main+66>:   movl   $0x80484a8,(%esp)
0x080483bb <main+73>:   call   0x8048290 <printf@plt>
-----snip----

We return to 0x80483a6 after function is called;
we need to skip the instruction at 0x80483ad,
and that is 7 bytes away, so
(*ret)+=12
will be
(*ret)+=7

Now our modified program will be:
---example3_modified.c---------
#include <stdio.h>

void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    int *ret;
    /* 13 bytes from buffer1 to the saved eip on this compiler (see the gdb session above) */
    ret = (int *)(buffer1 + 13);
    /* +7 skips the movl $0x1,0xfffffff8(%ebp) at 0x80483a6 */
    (*ret) += 7;
}

int main(void) {
    int x;
    x = 0;
    function(1, 2, 3);
    x = 1;
    printf("%d\n", x);
    return 0;
}
---------------------------------
%gcc -o example3_modified example3_modified.c 
%./example3_modified
0
%

There, now it's done.

Regards,
warl0ck // MSG
http://www.metaeye.org
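The reason the post finds 13 where aleph1's article says 12 is that the buffer-to-saved-eip distance is a property of the compiler, its flags and the target, not of the C source. Here is an added example (my code, not from the post above or from aleph1's article) that measures the same distance at run time instead of hard-coding it, using the same locals as example3. It assumes GCC or clang, a standard x86-64 or AArch64 frame record (the frame pointer points at the saved caller frame pointer and the return address sits one pointer above it, exactly the "ebp at X, eip at X+4" line gdb printed above on 32-bit x86), and it only reads the return-address slot to cross-check it against `__builtin_return_address(0)`; nothing here writes to the frame.

```c
#include <stdio.h>
#include <stddef.h>

/* One call frame, measured at run time rather than read off a gdb session:
 * the distance from each local buffer to the slot holding the saved return
 * address, plus a cross-check that the slot is the real one. */
struct frame_layout {
    ptrdiff_t buffer1_to_ret;   /* bytes from &buffer1[0] to the return-address slot */
    ptrdiff_t buffer2_to_ret;   /* bytes from &buffer2[0] to the return-address slot */
    int slot_matches_builtin;   /* 1 if that slot holds __builtin_return_address(0) */
};

/* Same locals as aleph1's example3 function(). noinline keeps this a real call,
 * so it gets its own frame and its own saved return address. */
__attribute__((noinline))
struct frame_layout measure_frame(int a, int b, int c)
{
    char buffer1[5];
    char buffer2[10];
    struct frame_layout out;

    /* Assumption: standard x86-64 / AArch64 frame record. The frame pointer
     * points at the saved caller frame pointer; the return address is the
     * next pointer-sized slot above it (on 32-bit x86 gdb showed ebp at X,
     * eip at X+4; here the slot size is sizeof(void *)). */
    void **saved_fp_slot = (void **)__builtin_frame_address(0);
    void **ret_slot = saved_fp_slot + 1;

    /* Touch the arrays so the compiler keeps both of them in the frame. */
    buffer1[0] = (char)a;
    buffer2[0] = (char)b;
    buffer2[1] = (char)c;

    /* Pointer differences across distinct objects are a layout probe, not
     * portable C; that is the point of measuring instead of assuming. On x86-64
     * the buffers sit below the slot (positive distance); AArch64 compilers may
     * place the frame record below the locals (negative distance). A stack
     * protector canary between the buffers and the saved frame pointer also
     * shows up here as extra bytes, which is why a hard-coded 12 or 13 breaks. */
    out.buffer1_to_ret = (char *)ret_slot - buffer1;
    out.buffer2_to_ret = (char *)ret_slot - buffer2;

    /* Read-only cross-check: the slot we located must agree with the
     * compiler's own view of where this call returns to. */
    out.slot_matches_builtin = (*ret_slot == __builtin_return_address(0));
    return out;
}

int main(void)
{
    struct frame_layout fl = measure_frame(1, 2, 3);
    printf("buffer1 -> saved return address: %td bytes\n", fl.buffer1_to_ret);
    printf("buffer2 -> saved return address: %td bytes\n", fl.buffer2_to_ret);
    printf("slot holds the real return address: %s\n",
           fl.slot_matches_builtin ? "yes" : "no");
    return 0;
}
```

Build it once with `gcc -O0` and once with `gcc -O2 -fstack-protector-all` and compare the printed distances: the numbers move with flags and compiler version, which is exactly why the post had to redo aleph1's arithmetic in gdb. The cross-check line should read "yes" in every build; if it does not, the frame-record assumption above does not hold for that toolchain and any offset derived from it is wrong.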
