Re: Buffer Overflow Help

From: Rafael Coninck Teigao (rafaelat_private)
Date: Wed Jul 31 2002 - 02:16:45 PDT

Hi, Leonard.

It works here on my OpenBSD johannes 3.1 GENERIC#59 i386. Though I don't have
an RH or Debian handy, I'll try to give you a hint as to what to look for.

Compile your code with the -g option (just to give you some help when moving
through symbols in gdb) and then run gdb <your.executable>. In gdb run the
following session:
    
(gdb) disassemble main
Dump of assembler code for function main:
0x17bc <main>:  push   %ebp
0x17bd <main+1>:        mov    %esp,%ebp
0x17bf <main+3>:        sub    $0x18,%esp
0x17c2 <main+6>:        call   0x1878 <__main>
0x17c7 <main+11>:       movl   $0x0,0xfffffffc(%ebp)
0x17ce <main+18>:       add    $0xfffffffc,%esp
0x17d1 <main+21>:       push   $0x3
0x17d3 <main+23>:       push   $0x2
0x17d5 <main+25>:       push   $0x1
0x17d7 <main+27>:       call   0x1798 <function>
0x17dc <main+32>:       add    $0x10,%esp
0x17df <main+35>:       movl   $0x1,0xfffffffc(%ebp)
0x17e6 <main+42>:       add    $0xfffffff8,%esp
0x17e9 <main+45>:       mov    0xfffffffc(%ebp),%eax
0x17ec <main+48>:       push   %eax
0x17ed <main+49>:       push   $0x17b6
0x17f2 <main+54>:       call   0x2084 <_DYNAMIC+132>
0x17f7 <main+59>:       add    $0x10,%esp
0x17fa <main+62>:       leave
0x17fb <main+63>:       ret
End of assembler dump.
(gdb)
    
Look at the line "movl   $0x1,0xfffffffc(%ebp)": that's where 1 is assigned to
x. So you want your saved IP (ret, on P49) to point exactly at this line,
since the next instruction that is going to be executed is the one after the
current (saved) IP when the function returns.

Take a look at where the function is called (<main+27>) and where the
assignment is done (<main+35>). Doing the math: 35-27=8 :-), in this case.
Take a look at your assembler dump and see how far "x=1;" is from
"function(1,2,3);" and that's what you want to add to your "(*ret)".
    
Hope this helps.
[]'s,
Rafael Coninck Teigao
SafeCore Network Solutions
http://SafeCore.NET
+55 41 224 1785
+49 175 650 2754
    
    
------------------------------------------------------------------------
"The only people for me are the mad ones -- the ones who are mad to
live, mad to talk, mad to be saved, desirous of everything at the same
time, the ones who never yawn or say a commonplace thing, but burn,
burn, burn like fabulous yellow Roman candles."
    -- Jack Kerouac, "On the Road"
------------------------------------------------------------------------
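As an added example (not code from Rafael's reply), the offset arithmetic the reply describes done mechanically: the script parses the gdb dump quoted above, finds the saved return address that `call <function>` pushes, and reports how many bytes separate it from the `movl $0x1` instruction and from the instruction after it. The function names are my own; the figures come purely from the addresses in the dump.

```python
import re

# Constructed input: part of the gdb dump quoted in the post above, copied
# verbatim and embedded so the script runs offline (not fresh debugger output).
GDB_DUMP = """\
0x17c7 <main+11>:       movl   $0x0,0xfffffffc(%ebp)
0x17ce <main+18>:       add    $0xfffffffc,%esp
0x17d1 <main+21>:       push   $0x3
0x17d3 <main+23>:       push   $0x2
0x17d5 <main+25>:       push   $0x1
0x17d7 <main+27>:       call   0x1798 <function>
0x17dc <main+32>:       add    $0x10,%esp
0x17df <main+35>:       movl   $0x1,0xfffffffc(%ebp)
0x17e6 <main+42>:       add    $0xfffffff8,%esp
0x17e9 <main+45>:       mov    0xfffffffc(%ebp),%eax
0x17ec <main+48>:       push   %eax
"""

# One dump line: address, <symbol+offset>:, mnemonic, operands (AT&T syntax).
LINE_RE = re.compile(r"^(0x[0-9a-f]+)\s+<\w+(?:\+\d+)?>:\s+(\S+)\s*(.*)$")

def parse_dump(text):
    """[(address, mnemonic, operands)] in address order; other lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return insns

def index_of(insns, mnemonic, operands):
    """Index of the first instruction whose mnemonic and operand text match exactly."""
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem == mnemonic and ops == operands:
            return i
    raise ValueError(f"no '{mnemonic} {operands}' in dump")

def return_address(insns, callee):
    """The saved IP that 'call <callee>' pushes: the address of the instruction after it."""
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem == "call" and ops.endswith(f"<{callee}>"):
            return insns[i + 1][0]
    raise ValueError(f"no call to <{callee}> in dump")

def distances(insns, callee, mnemonic, operands):
    """Bytes from the saved IP to the named instruction ('land_on') and to the one
    after it ('skip_past'): the two candidate adjustments to the saved return address."""
    ret, i = return_address(insns, callee), index_of(insns, mnemonic, operands)
    return {"return_address": ret, "target": insns[i][0],
            "land_on": insns[i][0] - ret, "skip_past": insns[i + 1][0] - ret}
```

Run `distances(parse_dump(GDB_DUMP), "function", "movl", "$0x1,0xfffffffc(%ebp)")` to get both figures for the dump above; on your own binary, paste your own disassembly into GDB_DUMP, since the instruction lengths (and so the offsets) differ between compilers.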
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 08:17:13 PDT