> I've started to study buffer overflows. I wrote the following code:
>
> #include <stdio.h>
>
> void f() {
>     char a[4];
>     int *b;
>     /* point b past a[] at the saved return address on the stack */
>     b = a + 0x8;
>     /* advance the return address so that "x = 1;" in main() is skipped */
>     (*b) += 0x8;
> }
>
> int main() {
>     int x;
>     x = 0;
>     f();
>     x = 1;
>     printf("%d\n", x);
>     return 0;
> }

Hello.

I tested it on my FreeBSD 4.5 (gcc version 2.95.3 20010315 (release) [FreeBSD]). Let's start gdb:

disassem main:
0x80484c4 <main>:       push   %ebp
0x80484c5 <main+1>:     mov    %esp,%ebp
0x80484c7 <main+3>:     sub    $0x18,%esp
0x80484ca <main+6>:     movl   $0x0,0xfffffffc(%ebp)
0x80484d1 <main+13>:    call   0x80484a4 <f>
0x80484d6 <main+18>:    movl   $0x1,0xfffffffc(%ebp)
0x80484dd <main+25>:    add    $0xfffffff8,%esp      !!!! it's a 7-byte difference, not 8
0x80484e0 <main+28>:    mov    0xfffffffc(%ebp),%eax
0x80484e3 <main+31>:    push   %eax
0x80484e4 <main+32>:    push   $0x8048533
0x80484e9 <main+37>:    call   0x8048358 <printf>
0x80484ee <main+42>:    add    $0x10,%esp

So just try changing, in function f():

    (*b) += 0x8;

to

    (*b) += 0x7;

For me it works perfectly.

Cheers,
Rafal
This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 11:10:22 PDT