In fact, you don't really modify x, but you modify the saved EIP of "function()" to jump after the piece of code that sets x to 1: "movl $0x1,0xfffffffc(%ebp)", so that you really "bypass" the "x=1" statement.

Concerning the problem of Leonard, it may be due to the size gcc assigns to the local variables when it has to make a 4-byte alignment. Normally it should allocate 8 bytes for char buffer1[5] (you round to the next multiple of 4 bytes to have a 4-byte alignment). Sometimes, gcc doesn't round as expected. You should try this code, which allocates 8 bytes for buffer1, and so, no alignment problems. You should also take a look at Vuln Dev, where a recent discussion treated this problem.

    #include <stdio.h>

    void function(int a, int b, int c) {
        char buffer1[8];                // Allocate 8 bytes for buffer1
        int *ret;

        ret = (int *)(buffer1 + 12);    // after that, ret points to the saved EIP
        (*ret) += 8;                    // modify the saved EIP to jump over the "x=1" statement
    }

    int main(void) {
        int x;

        x=0;
        function(1,2,3);
        x=1;
        printf("x= %d\n",x);
        return 0;
    }

Geof

----- Original Message -----
From: "jmiller" <secadminat_private>
Cc: <pen-testat_private>
Sent: Wednesday, July 31, 2002 8:54 AM
Subject: Re: Buffer Overflow Help

> <snip>
>
> > > The following example should bypass the "x=1" statement and print the
> > > original value of "x" which is 0 (zero). Here's the code.
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=
> > > void function(int a, int b, int c) {
> > >     char buffer1[5];
> > >     char buffer2[10];
> > >     int *ret;
> > >
> > >     ret = buffer1 + 12;
> > >     (*ret) += 8;
> > > }
>
> i am failing to see how this should bypass anything,
> it is all byval, not byref. this function is isolated from your prog.
> buffer1, buffer2, and ret are all disappearing when the function is done...
>
> i am also failing to see how the function would affect x at all.
>
> JMiller
>
> > > void main() {
> > >     int x;
> > >
> > >     x=0;
> > >     function(1,2,3);
> > >     x=1;
> > >     printf("%d\n",x);
> > > }
> > > -=-=-=-=-=-=-=-=-=-=-=-=
> > >
> > > When I compile and execute this code it displays one and exits. I have tried
> > > this on RedHat 7.3 and Debian 2.2r6, both giving me the same result. Does
> > > anyone have any insight into why this wouldn't work? After looking into the
> > > assembly behind it, I think it has something to do with the "word size", but
> > > can't seem to find any information as to what the "word size" is in Debian
> > > or RedHat.
> > >
> > > Any and All comments/suggestions are more than welcome. Also if anyone knows
> > > of some other good text files/documents that talk about buffer overflows I
> > > would be happy to receive links.
> > >
> > > Leonard Leblanc
> > >
> > > ----------------------------------------------------------------------------
> > > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> > > Service. For more information on SecurityFocus' SIA service which
> > > automatically alerts you to the latest security vulnerabilities please see:
> > > https://alerts.securityfocus.com/
> >
> > --
> > Public-key [ http://home.no.net/jullum/ejl.asc ]
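Added example, not code from the thread: a read-only C probe that measures at runtime where the saved return address actually sits relative to a local char buffer1[5], which is why a hardcoded +12 works on one gcc build and fails on another (padding, alignment and word size all move it). It assumes gcc or clang (for __builtin_return_address) and a frame layout where the return address is saved on the stack; the names probe_ret_offset and touch are my own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Helper that fills the buffer (constructed filler, not an overflow). Being a
 * real call, it also makes probe_ret_offset a non-leaf function, so its return
 * address is spilled to the stack on every common ABI. Name is ours. */
__attribute__((noinline)) static void touch(char *buf, size_t n)
{
    memset(buf, 'A', n);
}

/* Returns the distance in bytes from the start of a local char buffer1[5] to
 * the slot holding this function's own saved return address, found by a
 * read-only byte-by-byte scan of the 256 bytes above the buffer (byte steps,
 * because gcc need not place a char[5] at a word-aligned address). The highest
 * match wins: a spill of `ret` inside our own frame sits below the real slot,
 * and the caller's frame cannot contain our return address. Returns -1 if no
 * word in the window matches. Name is ours. */
__attribute__((noinline)) long probe_ret_offset(void)
{
    char buffer1[5];                        /* same declaration as the thread's example */
    void *ret = __builtin_return_address(0);
    uintptr_t base = (uintptr_t)buffer1;    /* integer base: scan is not tied to buffer1's type */
    long found = -1;

    touch(buffer1, sizeof buffer1);
    for (long off = 0; off <= 256; off++) {
        void *word;
        memcpy(&word, (const void *)(base + off), sizeof word);  /* unaligned-safe read */
        if (word == ret)
            found = off;
    }
    return found;
}

int main(void)
{
    long off = probe_ret_offset();
    if (off < 0)
        puts("saved return address not found within 256 bytes of buffer1");
    else
        printf("saved return address is %ld bytes past buffer1 "
               "(the classic paper assumed 12 on 32-bit x86)\n", off);
    return 0;
}
```

Compile it once with -O0 and once with -O2, or with and without -fstack-protector, and the reported distance changes; that variation is the whole reason the quoted program printed 1 on Leonard's machines.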
This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 10:52:10 PDT