At 11:21 PM 4/8/02 +0200, you wrote:
>Hi all,
>
>I've started to study buffer overflows. I wrote the following code:
>
>#include <stdio.h>
>
>void f() {
>    char a[4];
>    int *b;
>    b = a + 0x8;
>    (*b) += 0x8;
>}
>
>main() {
>    int x;
>    x = 0;
>    f();
>    x = 1;
>    printf("%d\n", x);
>}
>
>I want, after the call to f(), the program to jump to printf() so the value of x
>should remain 0, not 1. I always get segmentation faults, bus errors, etc.
>and never that fuc*ing "x = 0" !!
>Tested on a Celeron 433, red hat 7.2, gcc 2.96.
>
>byez
>darko

void f() {
    char a[4];
    int *b;
    b = (int *) a + 2;
    *b += 0x7;
}

First remember that b is an integer pointer, and if we increment it, it increments 4 bytes at a time. We know that the saved instruction pointer is 8 bytes from a on the stack, so we set b to a + 2, which, because we are treating a as an int *, moves it up 8 bytes.

Secondly we need to know the distance from our f() call in main to the printf statement, so we can hop over the x = 1 statement. This can be found with a debugger.

(gdb) disass main
...
0x80483e1 <main+13>: call 0x80483b4 <f>
0x80483e6 <main+18>: movl $0x1, 0xfffffffc(%ebp),%eax
0x80483ed <main+25>: mov 0xfffffffc(%ebp),%eax
...

At <main+18> we do x = 1; the saved eip for function f normally points to <main+18>, and we want it to point to <main+25>, to skip over the assignment. The difference is 7 bytes (25-18) and so we need to increment the saved eip in f() by 7 bytes.

Really this is not a buffer overflow, it is just a program that alters its own execution path. But learning about the stack is going to be essential to learning buffer overflows, so it's a good exercise.

For a better tutorial, see the ubiquitous "Smashing the Stack For Fun and Profit", by Aleph1 (http://www.phrack.com/show.php?p=49&a=14).

Good luck,
Matthew

E-business Coach, Inc.
Call (1) 877-816-8161 or http://www.e-businesscoach.com/
[Web site software and solutions to advance your market strategy.]
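A way to check the frame layout Matthew describes on a current machine, added here as an example and not part of either mail: it reads the frame of a function holding darko's char a[4] and reports where the saved return address sits relative to it, and how far an int* moves per increment, without writing to the frame. It assumes GCC/Clang builtins and the frame-pointer layout of x86-64 or AArch64; darko's 8-byte distance came from 32-bit gcc 2.96, so the number reported here will differ, which is exactly why the offset has to be measured rather than assumed.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example (not from the thread). Assumed layout, true for GCC/Clang on
 * x86-64 and AArch64 when a frame pointer is in use:
 *   [fp]                 = saved frame pointer
 *   [fp + sizeof(void*)] = saved return address
 * __builtin_frame_address(0) forces the compiler to keep a frame pointer here. */
struct frame_info {
    ptrdiff_t ret_offset_from_a;  /* bytes from a[0] to the return-address slot */
    int       slot_holds_ret;     /* 1 if that slot really holds our return address */
    size_t    int_step_bytes;     /* bytes an int* moves per +1 (4 on both ABIs) */
};

__attribute__((noinline)) struct frame_info inspect_frame(void)
{
    volatile char a[4] = {0};     /* stand-in for darko's char a[4] */
    int probe[2];                 /* address only; for the pointer-arithmetic check */
    struct frame_info fi;

    char  *fp       = (char *)__builtin_frame_address(0);
    void **ret_slot = (void **)(fp + sizeof(void *));

    /* Distance from the array to the slot f() would have to reach, read-only. */
    fi.ret_offset_from_a = (char *)ret_slot - (char *)a;
    /* Cross-check the assumed layout against what the compiler reports. */
    fi.slot_holds_ret    = (*ret_slot == __builtin_return_address(0));
    /* Matthew's point: (int *)a + 2 advances 2 * sizeof(int) bytes, not 2. */
    fi.int_step_bytes    = (size_t)((char *)(probe + 1) - (char *)probe);
    return fi;
}

int main(void)
{
    struct frame_info fi = inspect_frame();
    printf("return-address slot is %td bytes past a[0]; holds our return address: %s\n",
           fi.ret_offset_from_a, fi.slot_holds_ret ? "yes" : "no");
    printf("an int* steps %zu bytes per +1, so (int *)a + 2 moves %zu bytes\n",
           fi.int_step_bytes, 2 * fi.int_step_bytes);
    return 0;
}
```

On a 64-bit build the slot is 8 bytes wide and usually well past 8 bytes from a[0], so the 32-bit arithmetic in the thread cannot be carried over unchanged.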
This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 12:09:03 PDT