Re: buffer overflow - basic help needed (aleph1) Apr 02 2007 07:09AM
warl0ck metaeye org
The problem is due to the fact that it has been a
long time since aleph1 wrote that, and a lot
of changes and optimizations have come in compilers
and linkers; still, it can be done.

First of all, let's locate where exactly the
saved eip is.

Let's build the program with debugging symbols
to make things easier.
% gcc -ggdb -o example3 example3.c

and then fire up gdb

%gdb -q example3
(gdb) b function
Breakpoint 1 at 0x804835a: file example3.c, line 5.
(gdb) r
Starting program: /home/warl0ck/tmp/example3
Breakpoint 1, function (a=1, b=2, c=3) at example3.c:5
5 ret = buffer + 13;
(gdb)p/x &buffer1
$1 = 0xbffe925f
(gdb)info frame
Stack level 0, frame at 0xbffe9270:
eip = 0x804835a in function (example3_1.c:5); saved eip 0x80483a6
called by frame at 0xbffe92a0
source language c.
Arglist at 0xbffe9268, args: a=1, b=2, c=3
Locals at 0xbffe9268, Previous frame's sp is 0xbffe9270
Saved registers:
ebp at 0xbffe9268, eip at 0xbffe926c
(gdb)p 0xbffe926c-0xbffe925f
The program is running. Exit anyway? (y or n)y

As you can see the distance between saved eip and
buffer1 is 13 here and not 12.

Now, to skip the x = 1 instruction,

going as usual:
(gdb)disassemble main
0x080483a1 <main+47>: call 0x8048354 <function>
0x080483a6 <main+52>: movl $0x1,0xfffffff8(%ebp)
0x080483ad <main+59>: mov 0xfffffff8(%ebp),%eax
0x080483b0 <main+62>: mov %eax,0x4(%esp)
0x080483b4 <main+66>: movl $0x80484a8,(%esp)
0x080483bb <main+73>: call 0x8048290 <printf@plt>

We return to 0x80483a6 after function is called.
We need to skip the instruction at 0x80483ad,
and that is 7 bytes away, so
will be

Now our modified program will be

#include <stdio.h>

void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    int *ret;

    /* saved eip sits 13 bytes above buffer1 with this compiler (see gdb output above) */
    ret = (int *)(buffer1 + 13);
    /* movl $0x1,-8(%ebp) is 7 bytes long: make the return land past it */
    (*ret) += 7;
}

int main() {
    int x;

    x = 0;
    function(1, 2, 3);
    x = 1;
    printf("%d\n", x);
    return 0;
}

% gcc -o example3_modified example3_modified.c

Here, now it's done.

warl0ck // MSG
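The distance of 13 above was read off one particular gdb session, and the whole thread exists because that number moves between compiler versions and flags. The following is an added example, not part of warl0ck's post or of aleph1's paper: it keeps the locals of example3 but, instead of writing through ret, has function() measure where its own saved return address slot sits relative to buffer1 and confirm that the slot really holds the return address. It assumes the GCC/Clang builtins __builtin_frame_address and __builtin_return_address and a platform where the return address is the pointer-sized slot just above the saved frame pointer (x86, x86-64, AArch64); the struct and function names are my own. Building it with and without -fstack-protector shows the canary inserted between the buffer and the saved return address, which is one reason a hard-coded offset stops working on modern toolchains.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Filled in by function(); returned to the caller for checking. */
struct frame_report {
    ptrdiff_t ret_offset;    /* bytes from buffer1 to the saved return address slot */
    int       slot_is_valid; /* 1 if that slot really holds our return address */
};

/* Same locals as aleph1's example3. noinline keeps a real call frame
 * even at -O2, and taking __builtin_frame_address(0) makes the compiler
 * set up a frame pointer for this function. */
__attribute__((noinline))
void function(int a, int b, int c, struct frame_report *rep)
{
    char buffer1[5];
    char buffer2[10];
    void **ret;

    /* touch the buffers so the optimizer cannot drop them */
    memset(buffer1, 'A', sizeof buffer1);
    memset(buffer2, 'B', sizeof buffer2);

    /* frame_address(0) points at the saved frame pointer; the return
     * address is the next pointer-sized slot above it (assumed layout). */
    ret = (void **)((char *)__builtin_frame_address(0) + sizeof(void *));

    rep->ret_offset    = (char *)ret - buffer1;
    rep->slot_is_valid = (*ret == __builtin_return_address(0));
    (void)a; (void)b; (void)c; (void)buffer2;
}

/* Call function() the way example3 does and hand back its measurement. */
struct frame_report measure_frame(void)
{
    struct frame_report rep = {0, 0};
    function(1, 2, 3, &rep);
    return rep;
}

int main(void)
{
    struct frame_report rep = measure_frame();
    printf("saved return address is %td bytes above buffer1 (%s)\n",
           rep.ret_offset,
           rep.slot_is_valid ? "slot verified" : "slot NOT verified");
    return 0;
}
```

Compile it once with `gcc -O0 -fno-stack-protector` and once with `gcc -O0 -fstack-protector-all` and compare the reported offsets: the second build reports a larger distance because the canary word now sits between the buffer and the saved frame pointer, and any write that reaches the return address must first clobber the canary, which the function epilogue detects.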

