Re: understanding buffer overflows

[Ben Petering <bjp () dfmagicp org>]

secacc7 () hotmail com wrote:
> hello, my name is michael, im from austria - so my english is very bad.
>
> A few days ago i begin to experiment with bufferoverflows in linux.
>
> i wrote a little c++ programm like this:
>
> #include <string.h>
>
> void main()
> {
>   char buffer[10];
>   char COPY[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";
> strcpy((char *)buffer,(char *)COPY);
>
> }
>
> k, this works very well, i got a core dump and have startet gdb. but in the output from "info all" was eip not 
> overwritten
>
> so i put a few lines in the program to output addresses from functions and variables.
>
> addresses from functions where over 0 (eg (dec)500000) and addresses from vars under 0 (eg -5000000)
>
> i think this is maybe the problem - but why?
>
> output from gdb:
>
>  eax 0x0 0
> ecx 0x41414141 1094795585
> edx 0x1d7 471
> ebx 0xb7e27ff4 -1209892876
> esp 0x4141413d 0x4141413d
> ebp 0x41414141 0x41414141
> esi 0xb7f77ce0 -1208517408
> edi 0x0 0
> eip 0x80484ad 0x80484ad
> eflags 0x210286 [ PF SF IF RF ID ]
> cs 0x73 115
> ss 0x7b 123
> ds 0x7b 123
> es 0x7b 123
> fs 0x0 0
> gs 0x33 51 
>
>
> hope anybody can help me understand/learn.
>
> greets from austria, michael
>
>
>
>   
See above: you overwrote the saved EBP, ECX, and 3 bytes of ESP. If I
recall correctly, on stack-grows-down architectures (Intel et c. -
likely yours) the saved value of EBP occurs at a lower memory address
than the saved value of EIP (your target). The strcpy() call will copy
bytes to increasing memory addressed, so add bytes to the COPY array -
i.e. lengthen it.

Then, experiment with gdb until you've figure out what array length
overwrites the saved EIP value _exactly_. Make the last few bytes of
COPY 0x41, 0x42, 0x43, 0x44 so you can see what is landing where.

Once you can make the saved value of EIP be 0x44434241, you're ready to
roll.

Cheers
Ben