Re: Studying buffer overflows [maybe OT]

From: Nasko Oskov (oskov@uiuc.edu)
Date: 04/09/02


Date: Tue, 9 Apr 2002 02:28:27 -0500
From: Nasko Oskov <oskov@uiuc.edu>
To: darko@autistici.org



#include <stdio.h>

void f() {
        char a[4];
        int *b;
        /* a + 8 is past the end of the 4-byte buffer; on this build it
           aliases the saved return address of f, which is the point of
           the exercise */
        b = (int *)(a + 0x8);
        (*b) += 0x8;    /* bump the return address by 8 bytes */
}

int main(void) {
        int x;
        x = 0;
        f();
        x = 1;          /* the store the modified return address is meant to skip */
        printf("%d\n", x);
        return 0;
}

If you take a look at the disassembly for your main function
and trace it in gdb, you will see why:

0x8048400 in f ()
(gdb)
0x8048401 in f ()
(gdb)
0x804841e in main () // goes to this address in main
(gdb) disas main
Dump of assembler code for function main:
0x8048404 <main>: push %ebp
0x8048405 <main+1>: mov %esp,%ebp
0x8048407 <main+3>: sub $0x18,%esp
0x804840a <main+6>: movl $0x0,0xfffffffc(%ebp)
0x8048411 <main+13>: call 0x80483e4 <f>
0x8048416 <main+18>: movl $0x1,0xfffffffc(%ebp)

// and as you can see there is no such address in main

0x804841d <main+25>: add $0xfffffff8,%esp
0x8048420 <main+28>: mov 0xfffffffc(%ebp),%eax
0x8048423 <main+31>: push %eax
0x8048424 <main+32>: push $0x8048490
0x8048429 <main+37>: call 0x8048300 <printf>
0x804842e <main+42>: add $0x10,%esp
0x8048431 <main+45>: leave
0x8048432 <main+46>: ret
0x8048433 <main+47>: nop
0x8048434 <main+48>: nop

So in order to do what you want it to do, you have to
make it land on 0x804841d instead. Try it out.

-- 
Nasko Oskov - CS Major                SIGMil CoChair
College of Engineering UIUC           CS31337 TA              
"You think your computer is secure? Think again!!!" 
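To see the point above without re-running gdb, here is an added example (not part of the original post) that parses the `disas main` listing quoted in the message and checks where a candidate return address lands: on an instruction boundary, or in the middle of an instruction where the CPU would decode something else entirely. The listing is a constructed copy of the one in the post, truncated after the first `push`; `skip_delta` computes the adjustment that skips exactly one instruction after the call.

```python
import re

# Constructed copy of the `disas main` listing quoted in the post
# (the tail after `push %eax` is omitted; it is not needed here).
DISAS_MAIN = """\
0x8048404 <main>: push %ebp
0x8048405 <main+1>: mov %esp,%ebp
0x8048407 <main+3>: sub $0x18,%esp
0x804840a <main+6>: movl $0x0,0xfffffffc(%ebp)
0x8048411 <main+13>: call 0x80483e4 <f>
0x8048416 <main+18>: movl $0x1,0xfffffffc(%ebp)
0x804841d <main+25>: add $0xfffffff8,%esp
0x8048420 <main+28>: mov 0xfffffffc(%ebp),%eax
0x8048423 <main+31>: push %eax
"""

LINE_RE = re.compile(r"^(0x[0-9a-f]+)\s+<([^>]+)>:\s+(.*)$")

def parse_disas(text):
    """Return [(address, label, text)] from a gdb 'disas' dump."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return out

def locate(insns, addr):
    """'boundary' if addr starts a listed instruction, 'inside' if it
    falls in the middle of one (the CPU would decode garbage there)."""
    for i, (start, label, text) in enumerate(insns[:-1]):
        if start == addr:
            return "boundary", label
        if start < addr < insns[i + 1][0]:
            return "inside", label
    return "outside", None

def skip_delta(insns, callee="f"):
    """(normal return address, bytes to add to it) so that the ret in
    callee skips exactly the one instruction after 'call <callee>'."""
    for i, (_, _, text) in enumerate(insns):
        if text.startswith("call") and text.endswith("<%s>" % callee):
            ret_addr = insns[i + 1][0]          # where ret normally lands
            return ret_addr, insns[i + 2][0] - ret_addr
    raise ValueError("no call to " + callee)

if __name__ == "__main__":
    insns = parse_disas(DISAS_MAIN)
    ret_addr, delta = skip_delta(insns)
    print(locate(insns, ret_addr + 0x8))   # ('inside', 'main+25')
    print(hex(ret_addr + delta), delta)    # 0x804841d 7
```

The `movl $0x1,...` after the call is 7 bytes long, so the `+= 0x8` in the post overshoots by one byte into the middle of the `add`; instruction lengths are compiler- and build-specific, which is why the offset has to be read from the actual disassembly.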