Re: Studying buffer overflows [maybe OT]

From: Guillaume Morin (guillaumeat_private)
Date: Tue Apr 09 2002 - 03:37:34 PDT

  • Next message: Rafal Rajs: "Re: Studying buffer overflows [maybe OT]"

    In a message of 08 Apr at 23:21, darko wrote:
    > I've started to study buffer overflows. I wrote the following code:
    > 
    > #include <stdio.h>
    > 
    > void f() {
    >         char a[4];              /* small stack buffer */
    >         int *b;
    >         b = (int *)(a + 0x8);   /* assumed location of the saved return address */
    >         (*b) += 0x8;            /* bump it past the instruction following the call */
    > }
    > 
    > int main() {
    >         int x;
    >         x = 0;
    >         f();
    >         x = 1;
    >         printf("%d\n", x);
    >         return 0;
    > }
    > 
    > I want that, after the call to f(), the program jumps to printf(), so
    > the value of x should remain 0, not 1. I always get segmentation faults,
    > bus errors, etc., and never that fuc*ing "x = 0"!!  Tested on a
    > Celeron 433, Red Hat 7.2, gcc 2.96.
    
    It depends on your compiler.
    
    If I compile this program on an x86 box with gcc 2.95.2, I get
    (using objdump -d on the binary)
    
     80483fa:       c7 45 fc 00 00 00 00    movl   $0x0,0xfffffffc(%ebp)
     8048401:       e8 ce ff ff ff          call   80483d4 <f>
     8048406:       c7 45 fc 01 00 00 00    movl   $0x1,0xfffffffc(%ebp)
     804840d:       83 c4 f8                add    $0xfffffff8,%esp
    
    you want to skip 8048406, so you have to add 7 to the return value.
    
    If I modify (*b) += 0x8; to (*b) += 7;, I get :
    
    guillaum@cedar ~$ ./foo
    0
    guillaum@cedar ~$
    
    HTH.
    
    -- 
    Guillaume Morin <guillaumeat_private>
    
            Justice is lost, Justice is raped, Justice is done. (Metallica)
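The reasoning in the reply (return address = address of the call plus the call's
own length; the amount to add is the encoded length of the instruction sitting at
that return address) can be automated against the objdump listing. The following
C program is an added example, not code from the original thread; the four
listing lines are re-typed from the reply above as constructed input, and the
function names parse_line, call_return_address and skip_bytes are this example's
own. It counts the hex byte tokens objdump prints for each instruction, which is
how the value 7 comes out for the movl at 8048406.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: the objdump -d lines quoted in the reply,
 * re-typed here as string literals (not freshly captured output). */
static const char *listing[] = {
    " 80483fa:       c7 45 fc 00 00 00 00    movl   $0x0,0xfffffffc(%ebp)",
    " 8048401:       e8 ce ff ff ff          call   80483d4 <f>",
    " 8048406:       c7 45 fc 01 00 00 00    movl   $0x1,0xfffffffc(%ebp)",
    " 804840d:       83 c4 f8                add    $0xfffffff8,%esp",
};
#define LISTING_LEN (sizeof(listing) / sizeof(listing[0]))

struct insn {
    unsigned long addr;   /* address of the instruction */
    int len;              /* encoded length in bytes (number of hex byte tokens) */
    char mnem[16];        /* mnemonic, e.g. "call" */
    char operands[64];    /* rest of the line, e.g. "80483d4 <f>" */
};

/* Parse one "addr:  bytes...  mnemonic operands" line. Returns 1 on success. */
static int parse_line(const char *line, struct insn *out)
{
    char *end;
    const char *p;
    int len = 0;

    memset(out, 0, sizeof *out);
    out->addr = strtoul(line, &end, 16);
    if (end == line || *end != ':')
        return 0;
    p = end + 1;

    /* Every two-hex-digit token followed by whitespace is one encoded byte;
     * the first token not shaped like that is the mnemonic. */
    for (;;) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1]) &&
            (p[2] == ' ' || p[2] == '\t')) {
            len++;
            p += 2;
        } else {
            break;
        }
    }
    if (len == 0 || sscanf(p, "%15s", out->mnem) != 1)
        return 0;
    p += strlen(out->mnem);
    while (*p == ' ' || *p == '\t')
        p++;
    snprintf(out->operands, sizeof out->operands, "%s", p);
    out->len = len;
    return 1;
}

/* Address the CPU pushes as the return address for "call <fn>": the address
 * of the call instruction plus the call's own length. Returns 0 if not found. */
unsigned long call_return_address(const char **lines, size_t n, const char *fn)
{
    char tag[32];
    struct insn in;
    size_t i;

    snprintf(tag, sizeof tag, "<%s>", fn);
    for (i = 0; i < n; i++) {
        if (parse_line(lines[i], &in) && strcmp(in.mnem, "call") == 0 &&
            strstr(in.operands, tag) != NULL)
            return in.addr + in.len;
    }
    return 0;
}

/* Length of the instruction that starts at ret_addr: the amount to add to
 * the saved return address so exactly that one instruction is skipped and
 * execution resumes on the next instruction boundary. -1 if not found. */
int skip_bytes(const char **lines, size_t n, unsigned long ret_addr)
{
    struct insn in;
    size_t i;

    for (i = 0; i < n; i++) {
        if (parse_line(lines[i], &in) && in.addr == ret_addr)
            return in.len;
    }
    return -1;
}

int main(void)
{
    unsigned long ret = call_return_address(listing, LISTING_LEN, "f");
    int skip = skip_bytes(listing, LISTING_LEN, ret);

    printf("return address after call <f>: 0x%lx\n", ret);
    printf("bytes to add to skip the next instruction: %d\n", skip);
    return skip > 0 ? 0 : 1;
}
```

Adding any value other than the exact instruction length lands the return
mid-instruction, and the bytes there decode as garbage, which is the kind of
segmentation fault or bus error the original poster saw with +8. The other
assumption in the posted code, that the saved return address sits at a + 8, is
a property of the frame layout the particular compiler chose, which is why the
reply opens with "It depends on your compiler"; the listing lookup only tells
you how far to move the return address once you have found it.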
    



    This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 11:05:54 PDT