Vuln Dev
understanding buffer overflows Oct 31 2007 02:36PM
secacc7 hotmail com (3 replies)
Re: understanding buffer overflows Nov 05 2007 04:53PM
Chris Eagle (cseagle redshift com)
Resending because this did not seem to get through the first time.

secacc7 (at) hotmail (dot) com [email concealed] wrote:
> hope anybody can help me understand/learn.
>

You are probably using a newer version of gcc which is generating a
slightly different prologue/epilogue for main than you may be expecting.
You should disassemble your program to try to understand it, you will
probably see something like this:

prologue:
8048354: 8d 4c 24 04 lea ecx,[esp+4]
8048358: 83 e4 f0 and esp,0xfffffff0
804835b: ff 71 fc push DWORD PTR [ecx-4]
804835e: 55 push ebp
804835f: 89 e5 mov ebp,esp
8048361: 51 push ecx

<other stuff>

epilogue:
80483d2: 83 c4 54 add esp,0x54
80483d5: 59 pop ecx
80483d6: 5d pop ebp
80483d7: 8d 61 fc lea esp,[ecx-4]
80483da: c3 ret

In all likelihood you did overwrite eip, but you are crashing at the ret
because you have clobbered esp (at 80483d7 in this case). Note that you
did control ecx and ebp, thus you controlled esp as well. With a
properly structured buffer, this is still exploitable. Try using the
following program instead to make things a little easier:

#include <string.h>

/* Deliberately vulnerable: COPY is longer than the 10-byte buffer, so
   strcpy() writes past it into the saved registers above the locals. */
void vuln(void) {
char buffer[10];
char COPY[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...";
strcpy(buffer, COPY);
}

int main(void) {
vuln();
return 0;
}

FYI, it also looks like you may have stack randomization turned on. You
will probably want to disable any stack protections you are using if
you want to play around with stack overflows.

Chris

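The epilogue mechanics Chris describes, as an added model that is not part of his post or the original program: a small 32-bit stack simulator runs "add esp,0x54 ; pop ecx ; pop ebp ; lea esp,[ecx-4] ; ret" over two payloads. The naive all-'A' payload puts 0x41414141 into the saved ecx, so the lea sends esp to unmapped memory and the ret faults; the structured payload places the wanted eip at the start of the buffer and sets the saved ecx to buffer+4, so [ecx-4] is the attacker's word and ret pops it. STACK_BASE, BUF_ADDR, the 0x54 offset of the saved ecx from the buffer, and the target address 0x0804839c are assumptions chosen for the model, not values taken from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical addresses for the model (assumptions, not values from the post). */
#define STACK_BASE  0xbffff000u              /* address of stack[0]           */
#define STACK_SIZE  0x100u
#define BUF_ADDR    (STACK_BASE + 0x10u)      /* address of the local buffer   */

/* Offsets from the start of the buffer, assuming the buffer is the lowest
   local so that the post's "add esp,0x54" lands esp on the saved ecx. */
#define OFF_SAVED_ECX   0x54u
#define OFF_SAVED_EBP   (OFF_SAVED_ECX + 4u)
#define OFF_COPIED_RET  (OFF_SAVED_EBP + 4u)
#define PAYLOAD_LEN     (OFF_COPIED_RET + 4u) /* overwrite up to and including the copied ret */

static uint8_t stack[STACK_SIZE];

/* A 4-byte access is valid only if it lies entirely inside the modelled stack. */
static int in_model(uint32_t addr) {
    return addr >= STACK_BASE && addr <= STACK_BASE + STACK_SIZE - 4u;
}

/* Explicit little-endian reads/writes so the model matches x86 on any host. */
static uint32_t rd32(uint32_t addr) {
    const uint8_t *p = &stack[addr - STACK_BASE];
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint32_t addr, uint32_t v) {
    uint8_t *p = &stack[addr - STACK_BASE];
    p[0] = (uint8_t)v;        p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Execute the quoted epilogue starting with esp at the buffer.
   Returns 1 and stores the value ret would load into eip, or returns 0
   if a pop or the ret would touch memory outside the model (the crash
   the original poster saw). */
int run_epilogue(uint32_t esp, uint32_t *eip_out) {
    uint32_t ecx, ebp;
    esp += 0x54;                          /* add esp,0x54 */
    if (!in_model(esp)) return 0;
    ecx = rd32(esp); esp += 4;            /* pop ecx      */
    if (!in_model(esp)) return 0;
    ebp = rd32(esp); esp += 4;            /* pop ebp      */
    (void)ebp;                            /* ebp is restored but not used by ret */
    esp = ecx - 4;                        /* lea esp,[ecx-4] */
    if (!in_model(esp)) return 0;         /* ret faults: esp came from the overflow */
    *eip_out = rd32(esp);                 /* ret pops the new eip from [ecx-4] */
    return 1;
}

/* Naive overflow: every byte past the buffer, saved ecx included, becomes 'A'. */
void write_naive_payload(void) {
    memset(&stack[BUF_ADDR - STACK_BASE], 'A', PAYLOAD_LEN);
}

/* Structured overflow: the wanted eip sits at the start of the buffer and the
   saved ecx is overwritten with buffer+4, so lea esp,[ecx-4] points ret at it. */
void write_structured_payload(uint32_t wanted_eip) {
    memset(&stack[BUF_ADDR - STACK_BASE], 'A', PAYLOAD_LEN);
    wr32(BUF_ADDR, wanted_eip);
    wr32(BUF_ADDR + OFF_SAVED_ECX, BUF_ADDR + 4u);
}

/* Convenience wrappers: the eip ret would load, or 0 when ret faults. */
uint32_t naive_result(void) {
    uint32_t eip = 0;
    write_naive_payload();
    return run_epilogue(BUF_ADDR, &eip) ? eip : 0;
}

uint32_t structured_result(uint32_t wanted_eip) {
    uint32_t eip = 0;
    write_structured_payload(wanted_eip);
    return run_epilogue(BUF_ADDR, &eip) ? eip : 0;
}

int main(void) {
    uint32_t eip = naive_result();
    printf("naive payload:      %s\n", eip ? "ret succeeds" : "ret faults (esp = 0x41414141-4)");
    eip = structured_result(0x0804839cu);   /* hypothetical target address */
    printf("structured payload: ret loads eip = 0x%08x\n", eip);
    return 0;
}
```

The structured payload also shows why the copied return address the prologue pushed does not matter here: the epilogue never reads it, so on this prologue the word that decides control flow is the saved ecx, not the slot that a classic "overwrite the return address" write-up points at.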
Re: understanding buffer overflows Nov 03 2007 01:12PM
Ben Petering (bjp dfmagicp org)
Re: understanding buffer overflows Nov 01 2007 12:39PM
3APA3A (3APA3A SECURITY NNOV RU)
Copyright 2010, SecurityFocus