Re: Studying buffer overflows [maybe OT]

• Previous message: Guillaume Morin: "Re: Studying buffer overflows [maybe OT]"
• In reply to: darko: "Studying buffer overflows [maybe OT]"
• Next in thread: Eric LeBlanc: "Re: Studying buffer overflows [maybe OT]"
• Next in thread: Eric LeBlanc: "Re: Studying buffer overflows [maybe OT]"
• Reply: Eric LeBlanc: "Re: Studying buffer overflows [maybe OT]"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Rafal Rajs" <rafal@safenet.pl>
To: "darko" <darko@autistici.org>, <vuln-dev@securityfocus.com>
Date: Tue, 9 Apr 2002 11:19:18 +0200

> I've started to study buffer overflows. I wrote the following code:
>
> void f() {
> char a[4];
> int *b;
> b = a + 0x8;
> (*b) += 0x8;
> }
>
> main() {
> int x;
> x = 0;
> f();
> x = 1;
> printf("%d\n", x);
> }

hello .

I tested it on my Freebsd 4.5 (gcc version 2.95.3 20010315 (release)
[FreeBSD]).
Let's start gdb:

disassem main:
0x80484c4 <main>: push %ebp
0x80484c5 <main+1>: mov %esp,%ebp
0x80484c7 <main+3>: sub $0x18,%esp
0x80484ca <main+6>: movl $0x0,0xfffffffc(%ebp)
0x80484d1 <main+13>: call 0x80484a4 <f>

0x80484d6 <main+18>: movl $0x1,0xfffffffc(%ebp)
0x80484dd <main+25>: add $0xfffffff8,%esp
!!!! it's 7 bytes difference not 8

0x80484e0 <main+28>: mov 0xfffffffc(%ebp),%eax
0x80484e3 <main+31>: push %eax
0x80484e4 <main+32>: push $0x8048533
0x80484e9 <main+37>: call 0x8048358 <printf>
0x80484ee <main+42>: add $0x10,%esp

So try only change in function f():
  (*b) += 0x8;
to
 (*b) += 0x7;

For me it works perfect.

cheers
Rafal

• Previous message: Guillaume Morin: "Re: Studying buffer overflows [maybe OT]"
• In reply to: darko: "Studying buffer overflows [maybe OT]"
• Next in thread: Eric LeBlanc: "Re: Studying buffer overflows [maybe OT]"
• Next in thread: Eric LeBlanc: "Re: Studying buffer overflows [maybe OT]"
• Reply: Eric LeBlanc: "Re: Studying buffer overflows [maybe OT]"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Buffer Overflow Help ... through symbols on gdb) and then run gdb. ... 0x17d1: push $0x3 ... "The only people for me are the mad ones -- the ones who are mad to ... This list is provided by the SecurityFocus Security Intelligence Alert ... (Pen-Test) Generating PPro instructions with CPUTYPE=i586? ... While trying to build a -CURRENT release for my aging Pentium 150 ... router box on my substantially faster Athlon XP box, ... GNU gdb 5.2.1 ... 0x80556c3: push %edi ... (freebsd-current) Re: main ... push envp ... they rely on implicit int and don't specify (void) as the parameter list. ... However it is not universally documented as being valid even for free-standing compilers that use main as the entry point, let alone those that use something else. ... However this is real engineering not language standards pedantry. ... (comp.lang.c) Re: Linked list stack and queue ... > Can someone guide me in the right direction on how to enqueue and ... > dequeue/pop and push within a linked list? ... > void display; ... (comp.lang.c) Linked list stack and queue ... Can someone guide me in the right direction on how to enqueue and ... dequeue/pop and push within a linked list? ... void display; ... (comp.lang.c)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint