Security Basics mailing list archives
RE: Regarding Aleph's "Smashing the Stack for fun and Profit"
From: "Bryan McAninch" <BMcAninch () PENSON COM>
Date: Tue, 4 Oct 2005 09:03:44 -0500
I recall encountering a few differences between my gdb output and the output provided in Aleph's article (perhaps even a few typos). Obviously the addresses will differ, but I can't recall the reason why the assembly code itself differs. AFAIK, compilers compile code differently on different distros; maybe someone else on the list can chime in and answer.

From what you're describing, it sounds as if your return address is not correct, your 'ret' pointer is not actually pointing to the return address, or both. In Aleph's code below, the return address pushed onto the stack when calling <function> should be that of the next instruction, 0x0804836b <main+37>. The assignment of 'x=1' occurs at 0x0804836e <main+40>, which means you'll need to change the value used in <function> to change the return address to an instruction after 0x0804836e <main+40>, perhaps 0x08048375 <main+47>. If my calculations are correct, the value used in <function> should be (0x0804836b - 0x0804836e) = 8, which is what Aleph has used in his document, "*ret += 8".

For your code, simply follow the same methodology as above, but first ensure 'ret = buffer1 + 12' is actually pointing to your return address on the stack. Perhaps you can include your gdb output for <function> if the following suggestions don't work. When <function> is called, the return address pushed onto the stack should be 0x80004a8 <main+24>, the assignment of 'x=1' occurs at 0x80004ab <main+27>, meaning you'll want to skip that instruction and return to the next one instead, 0x80004b2 <main+34>. Thus, your return address should be (0x80004b2 - 0x80004a8) = 10. So, try using *ret += 10 in function.
Cheers,
Bryan

Aleph's code:

0x08048346 <main+0>: push %ebp
0x08048347 <main+1>: mov %esp,%ebp
0x08048349 <main+3>: sub $0x8,%esp
0x0804834c <main+6>: and $0xfffffff0,%esp
0x0804834f <main+9>: mov $0x0,%eax
0x08048354 <main+14>: sub %eax,%esp
0x08048356 <main+16>: movl $0x0,0xfffffffc(%ebp)
0x0804835d <main+23>: sub $0x4,%esp
0x08048360 <main+26>: push $0x3
0x08048362 <main+28>: push $0x2
0x08048364 <main+30>: push $0x1
0x08048366 <main+32>: call 0x8048328 <function>
0x0804836b <main+37>: add $0x10,%esp
0x0804836e <main+40>: movl $0x1,0xfffffffc(%ebp)
0x08048375 <main+47>: sub $0x8,%esp
0x08048378 <main+50>: pushl 0xfffffffc(%ebp)
0x0804837b <main+53>: push $0x8048438
0x08048380 <main+58>: call 0x8048268 <printf>
0x08048385 <main+63>: add $0x10,%esp
0x08048388 <main+66>: leave
0x08048389 <main+67>: ret

Your code:

0x8000490 <main>: pushl %ebp
0x8000491 <main+1>: movl %esp,%ebp
0x8000493 <main+3>: subl $0x4,%esp
0x8000496 <main+6>: movl $0x0,0xfffffffc(%ebp)
0x800049d <main+13>: pushl $0x3
0x800049f <main+15>: pushl $0x2
0x80004a1 <main+17>: pushl $0x1
0x80004a3 <main+19>: call 0x8000470 <function>
0x80004a8 <main+24>: addl $0xc,%esp
0x80004ab <main+27>: movl $0x1,0xfffffffc(%ebp)
0x80004b2 <main+34>: movl 0xfffffffc(%ebp),%eax
0x80004b5 <main+37>: pushl %eax
0x80004b6 <main+38>: pushl $0x80004f8
0x80004bb <main+43>: call 0x8000378 <printf>
0x80004c0 <main+48>: addl $0x8,%esp
0x80004c3 <main+51>: movl %ebp,%esp
0x80004c5 <main+53>: popl %ebp
0x80004c6 <main+54>: ret
0x80004c7 <main+55>: nop

-----Original Message-----
From: ra_in_2003 () yahoo com [mailto:ra_in_2003 () yahoo com]
Sent: Monday, October 03, 2005 08:52 AM
To: security-basics () securityfocus com
Subject: Regarding Aleph's "Smashing the Stack for fun and Profit"

Hi,

I was trying out examples given in Aleph One's Smashing the Stack article. But somehow I am not getting the expected results. I am running RedHat Linux Kernel 2.4-20 on an Intel PIII. GCC version is 3.2.2.
For instance, this example is printing "1" instead of the expected "0"....

    #include <stdio.h>

    void function(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
        int *ret;

        /* point ret at the saved return address of this frame
           (12 bytes past buffer1 on the compiler Aleph used) */
        ret = buffer1 + 12;
        /* advance the return address past the "x = 1" store in main */
        (*ret) += 8;
    }

    void main() {
        int x;

        x = 0;
        function(1,2,3);
        x = 1;
        printf("%d\n",x);
    }

<-- snip -->

Thanks in Advance,
RA_IN
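The offset arithmetic Bryan walks through, as a small script (an added example, not code from the thread or from Aleph's article): it parses the gdb listings quoted in the message, locates the instruction after `call <function>` (the saved return address) and the instruction after the `movl $0x1,...` store of `x = 1`, and reports the byte delta between them for both builds. The parser, the helper names (`parse_listing`, `return_offset`) and the dict keys are this example's own; the listings are excerpted from the thread.

```python
import re

# Excerpts of the two gdb listings quoted in the thread (Aleph's build first,
# then the poster's). Only the lines around the call are needed.
ALEPH_LISTING = """
0x08048364 <main+30>: push $0x1
0x08048366 <main+32>: call 0x8048328 <function>
0x0804836b <main+37>: add $0x10,%esp
0x0804836e <main+40>: movl $0x1,0xfffffffc(%ebp)
0x08048375 <main+47>: sub $0x8,%esp
0x08048378 <main+50>: pushl 0xfffffffc(%ebp)
"""

RA_IN_LISTING = """
0x80004a1 <main+17>: pushl $0x1
0x80004a3 <main+19>: call 0x8000470 <function>
0x80004a8 <main+24>: addl $0xc,%esp
0x80004ab <main+27>: movl $0x1,0xfffffffc(%ebp)
0x80004b2 <main+34>: movl 0xfffffffc(%ebp),%eax
0x80004b5 <main+37>: pushl %eax
"""

# "0xADDR <label>: mnemonic operands" as printed by gdb's disassemble command
LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+<([^>]+)>:\s*(\S+)\s*(.*)$")


def parse_listing(text):
    """Turn gdb disassembly text into (address, label, mnemonic, operands) tuples."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # blank lines and non-instruction text are skipped
            addr, label, mnemonic, operands = m.groups()
            insns.append((int(addr, 16), label, mnemonic, operands.strip()))
    return insns


def return_offset(text, callee="function", store="$0x1,"):
    """How far the saved return address must move to skip the first
    `movl $0x1,...` store that follows the call to `callee`.

    Returns the return address (instruction after the call), the address of
    the store being skipped, the address execution resumes at, and the delta
    in bytes between return address and resume address.
    """
    insns = parse_listing(text)
    call_idx = next(i for i, (_, _, mnem, ops) in enumerate(insns)
                    if mnem.startswith("call") and f"<{callee}>" in ops)
    return_address = insns[call_idx + 1][0]
    store_idx = next(j for j in range(call_idx + 1, len(insns))
                     if insns[j][2].startswith("mov") and insns[j][3].startswith(store))
    resume_address = insns[store_idx + 1][0]
    return {
        "return_address": return_address,
        "skipped_store": insns[store_idx][0],
        "resume_address": resume_address,
        "delta": resume_address - return_address,
    }


if __name__ == "__main__":
    for name, listing in (("Aleph's build", ALEPH_LISTING),
                          ("ra_in_2003's build", RA_IN_LISTING)):
        r = return_offset(listing)
        print(f"{name}: return address {r['return_address']:#x}, "
              f"resume at {r['resume_address']:#x}, delta {r['delta']} bytes")
```

Reading the delta off the listing rather than by hand is the check to make whenever two compilers emit different code for the same source, as the two builds above do. It only settles the second half of the problem: whether `ret = buffer1 + 12` really lands on the saved return address depends on how that particular compiler laid out the frame, and has to be confirmed separately in gdb by inspecting the stack inside `function`.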