Vulnerability Development mailing list archives
Re: buffer overflow - basic help needed (aleph1)
From: warl0ck () metaeye org
Date: 2 Apr 2007 07:09:01 -0000
The problem is due to the fact that it has been a long time since aleph1 wrote that, and a lot of changes and optimizations have come in compilers and linkers; still it can be done. First of all, let's locate where exactly the saved eip is. Let's build the program with debugging symbols to make things easier.

  % gcc -ggdb -o example3 example3

and then fire up gdb:

  % gdb -q example3
  (gdb) b function
  Breakpoint 1 at 0x804835a: file example3.c, line 5.
  (gdb) r
  Starting program: /home/warl0ck/tmp/example3

  Breakpoint 1, function (a=1, b=2, c=3) at example3.c:5
  5         ret = buffer + 13;
  (gdb) p/x &buffer1
  $1 = 0xbffe925f
  (gdb) info frame
  Stack level 0, frame at 0xbffe9270:
   eip = 0x804835a in function (example3_1.c:5); saved eip 0x80483a6
   called by frame at 0xbffe92a0
   source language c.
   Arglist at 0xbffe9268, args: a=1, b=2, c=3
   Locals at 0xbffe9268, Previous frame's sp is 0xbffe9270
   Saved registers:
    ebp at 0xbffe9268, eip at 0xbffe926c
  (gdb) p 0xbffe926c-0xbffe925f
  13
  (gdb) q
  The program is running.  Exit anyway? (y or n) y

As you can see, the distance between saved eip and buffer1 is 13 here and not 12.
Now to skip the x=1 instruction, going as usual:

  (gdb) disassemble main
  -----snip-----
  0x080483a1 <main+47>:   call   0x8048354 <function>
  0x080483a6 <main+52>:   movl   $0x1,0xfffffff8(%ebp)
  0x080483ad <main+59>:   mov    0xfffffff8(%ebp),%eax
  0x080483b0 <main+62>:   mov    %eax,0x4(%esp)
  0x080483b4 <main+66>:   movl   $0x80484a8,(%esp)
  0x080483bb <main+73>:   call   0x8048290 <printf@plt>
  -----snip----

We return to 0x80483a6 after function is called; we need to skip the instruction at 0x80483ad and that is 7 bytes away, so (*ret)+=12 will be (*ret)+=7. Now our modified program will be:

  ---example3_modified.c---------
  #include <stdio.h>

  void function(int a, int b, int c) {
      char buffer1[5];
      char buffer2[10];
      int *ret;

      /* buffer1 + 13 points at the saved eip of this frame (see the gdb session above) */
      ret = buffer1 + 13;
      /* 0x80483a6 -> 0x80483ad: jump over the 7-byte "x = 1" store in main */
      (*ret) += 7;
  }

  int main() {
      int x;

      x = 0;
      function(1,2,3);
      x = 1;
      printf("%d\n",x);
      return 0;
  }
  ---------------------------------

  % gcc -o example3_modified example3_modified.c
  % ./example3_modified
  0
  %

Here, now it's done.

Regards,
warl0ck // MSG
http://www.metaeye.org
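As an added illustration (not code from warl0ck's post or from aleph1's paper), the measurement the gdb session makes by hand, done at run time with GCC/Clang builtins to show why the "12 vs 13" figure is compiler-dependent; it assumes a frame-pointer layout in which the return address sits one pointer above the saved frame pointer (x86, x86-64, AArch64 frame record), and the printed distance will differ from 13 on a modern 64-bit build.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example: report how far buffer1 sits below this frame's saved
 * return address, without modifying anything. Assumes GCC/Clang and an
 * ABI where the return address is stored immediately above the saved
 * frame pointer (__builtin_frame_address(0)). */
__attribute__((noinline)) ptrdiff_t ret_addr_distance(void)
{
    volatile char buffer1[5];
    volatile char buffer2[10];

    /* Touch both buffers so the compiler keeps their stack slots. */
    buffer1[0] = 'A';
    buffer2[0] = 'B';

    /* One pointer above the saved frame pointer is the saved return address. */
    char *saved_ret = (char *)__builtin_frame_address(0) + sizeof(void *);

    /* Same quantity as "p 0xbffe926c-0xbffe925f" in the gdb session. */
    return saved_ret - (char *)buffer1;
}

int main(void)
{
    printf("buffer1 -> saved return address: %td bytes\n", ret_addr_distance());
    return 0;
}
```

Compile once with -O0 and once with -fstack-protector to see the distance change as the compiler reorders locals and inserts a canary.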
Current thread:
- Re: buffer overflow - basic help needed (aleph1) warl0ck (Apr 03)