Re: Studying buffer overflows [maybe OT]

From: SpaceWalker (spacewalkerat_private)
Date: Tue Apr 09 2002 - 01:12:24 PDT

0x8048411 <main+13>:    call   0x80483e4 <f>
0x8048416 <main+18>:    movl   $0x1,0xfffffffc(%ebp) <= where you would return
0x804841d <main+25>:    add    $0xfffffff8,%esp
0x8048420 <main+28>:    mov    0xfffffffc(%ebp),%eax <- that's where you want to return
0x8048423 <main+31>:    push   %eax
0x8048424 <main+32>:    push   $0x8048490
0x8048429 <main+37>:    call   0x8048300 <printf>
0x804842e <main+42>:    add    $0x10,%esp
so a little arithmetic: 28 - 18 = 10
so replace by (*b) += 10;

spacewalker@darkside:~/$ ./bug
0

don't return at main+31 because %eax would not be initialised.

and it doesn't work... why? because
On Mon, 8 Apr 2002 23:21:01 +0200
darko <darkoat_private> wrote:

> 
> #include <stdio.h>
> 
> void f() {
>         char a[4];
>         int *b;
>         b = (int *)(a + 0x8);
>         (*b) += 0x8;
> }
> 
> int main() {
>         int x;
>         x = 0;
>         f();
>         x = 1;
>         printf("%d\n", x);
> }

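A small helper, added here and not part of the thread, that automates the offset arithmetic SpaceWalker does by hand: it parses the gdb listing (the post's own lines, embedded as constructed input with the in-line annotations stripped), takes the instruction after `call <f>` as the real return address, computes the delta to a chosen resume point, and flags a resume point that reads a register f() never set, as with `push %eax` at main+31. The function names and the assumed listing format (gdb, x86-32, AT&T syntax) are mine, not anything from the thread.

```python
import re

# Constructed input: the gdb listing quoted in the post (x86-32, AT&T syntax),
# with the in-line annotations removed so it parses cleanly.
DISASM = """\
0x8048411 <main+13>:    call   0x80483e4 <f>
0x8048416 <main+18>:    movl   $0x1,0xfffffffc(%ebp)
0x804841d <main+25>:    add    $0xfffffff8,%esp
0x8048420 <main+28>:    mov    0xfffffffc(%ebp),%eax
0x8048423 <main+31>:    push   %eax
0x8048424 <main+32>:    push   $0x8048490
0x8048429 <main+37>:    call   0x8048300 <printf>
0x804842e <main+42>:    add    $0x10,%esp
"""

# addr <func+off>: mnemonic operands
LINE_RE = re.compile(r"^\s*(0x[0-9a-f]+)\s+<(\w+)\+(\d+)>:\s+(\S+)\s*(.*?)\s*$")

def parse(disasm):
    """Return (addr, func, offset, mnemonic, operands) for each listing line."""
    out = []
    for line in disasm.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, func, off, mnem, ops = m.groups()
            out.append((int(addr, 16), func, int(off), mnem, ops))
    return out

def return_site(insns, callee):
    """The saved return address of `call <callee>` is the next instruction."""
    for i, (_, _, _, mnem, ops) in enumerate(insns):
        if mnem == "call" and ops.endswith("<%s>" % callee):
            return insns[i + 1]
    raise ValueError("no call to <%s> in listing" % callee)

def bare_register_source(insn):
    """Register read directly by the first operand ('%eax' for 'push %eax'),
    else None: a resume point like that consumes a value f() never set."""
    src = insn[4].split(",")[0]
    return src if src.startswith("%") else None

def adjustment(disasm, callee, target_offset):
    """Bytes to add to the saved return address so that returning from
    <callee> resumes at <func+target_offset>. Returns (delta, warning)."""
    insns = parse(disasm)
    ret = return_site(insns, callee)
    target = next(i for i in insns if i[1] == ret[1] and i[2] == target_offset)
    delta = target[0] - ret[0]
    if delta != target_offset - ret[2]:  # absolute and symbolic views must agree
        raise ValueError("symbolic and absolute offsets disagree")
    return delta, bare_register_source(target)
```

`adjustment(DISASM, "f", 28)` gives `(10, None)`, the post's 28 - 18 = 10, while `adjustment(DISASM, "f", 31)` gives `(13, '%eax')`, reproducing the warning about resuming on an unset %eax.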

This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 11:22:33 PDT