Vulnerability Development mailing list archives

Re: understanding buffer overflows

From: Chris Eagle <cseagle () redshift com>
Date: Mon, 05 Nov 2007 08:53:04 -0800

Resending because this did not seem to get through the first time.

secacc7 () hotmail com wrote:
hope anybody can help me understand/learn.

You are probably using a newer version of gcc which is generating a
slightly different prologue/epilogue for main than you may be expecting.
You should disassemble your program to try to understand it, you will
probably see something like this:

prologue:
 8048354:       8d 4c 24 04             lea    ecx,[esp+4]
 8048358:       83 e4 f0                and    esp,0xfffffff0
 804835b:       ff 71 fc                push   DWORD PTR [ecx-4]
 804835e:       55                      push   ebp
 804835f:       89 e5                   mov    ebp,esp
 8048361:       51                      push   ecx

<other stuff>

epilogue:
 80483d2:       83 c4 54                add    esp,0x54
 80483d5:       59                      pop    ecx
 80483d6:       5d                      pop    ebp
 80483d7:       8d 61 fc                lea    esp,[ecx-4]
 80483da:       c3                      ret

In all likelihood you did overwrite eip, but you are crashing at the ret
because you have clobbered esp (at 80483d7 in this case).  Note that you
did control ecx and ebp, thus you controlled esp as well.  With a
properly structured buffer, this is still exploitable.  Try using the
following program instead to make things a little easier:

#include <string.h>

/* Deliberately overflows: buffer holds 10 bytes, COPY is far longer. */
void vuln(void) {
  char buffer[10];
  char COPY[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";
  strcpy(buffer, COPY);
}

int main(void) {
  vuln();
  return 0;
}

FYI, it also looks like you may have stack randomization turned on.  You
will probably want to disable any stack protections you are using if
you want to play around with stack overflows.

Chris
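For contrast with the vuln() above, here is the hardened shape of the same copy, as an added example that is not part of Chris's post: the destination size travels with the buffer, the copy can never reach the saved ecx/ebp/eip, and the caller learns how much was dropped. The names bounded_copy, vuln_fixed and OVERLONG are my own, and OVERLONG is a constructed 40-byte string standing in for the post's long run of A's.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: 40 A's, far more than a 10-byte buffer holds. */
const char OVERLONG[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Copy at most dst_size-1 bytes of src into dst and always NUL-terminate.
 * Returns the number of source bytes that did not fit (0 = complete copy),
 * so truncation is visible to the caller instead of silently corrupting
 * the stack frame the way strcpy() does. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t src_len = strlen(src);
    size_t n;

    if (dst_size == 0)              /* no room even for the terminator */
        return src_len;
    n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len - n;
}

/* Same layout as the post's vuln(): a 10-byte stack buffer fed an overlong
 * string. Here the extra bytes are counted and dropped, never written. */
size_t vuln_fixed(void) {
    char buffer[10];
    return bounded_copy(buffer, sizeof buffer, OVERLONG);
}

int main(void) {
    printf("dropped %zu bytes\n", vuln_fixed());   /* 31 for the 40-byte input */
    return 0;
}
```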