Penetration Testing mailing list archives

buffer overflow - basic help needed (aleph1)
From: learn lids <learnlids () yahoo com>
Date: Tue, 13 Mar 2007 12:39:15 -0700 (PDT)

hi list,

i am learning bof, and am confused with how to move
ahead, any help would be great.

1> my system:: fedora core 6, { Kernel 2.6.18-1.2798.fc6 on an x86_64 }
2> program used - example3.c from aleph1's smashing the stack
------example3.c---------------
#include <stdio.h>   /* needed for printf() */

void function(int a, int b, int c) {
  char buffer1[5];
  char buffer2[10];
  int *ret;

  /* Aleph One's trick: point ret at the saved return address
     (assumed to sit 12 bytes past buffer1) and bump it past
     the instruction that follows the call in main(). */
  ret = (int *)(buffer1 + 12);
  (*ret) += 12;
}

void main() {
  int x;

  x = 0;
  function(1,2,3);
  x = 1;            /* the statement the modified return address should skip */
  printf("%d\n",x);
}
--------------------------------------
3> problem i am facing -
i am trying to skip the x=1 statement so that the
printf will show x=0. i did a gdb disassembly of main
with the following result -
===========
(gdb) disassemble main
Dump of assembler code for function main:
0x00000000004004a2 <main+0>:    push   %rbp
0x00000000004004a3 <main+1>:    mov    %rsp,%rbp
0x00000000004004a6 <main+4>:    sub    $0x10,%rsp
0x00000000004004aa <main+8>:    movl   $0x0,0xfffffffffffffffc(%rbp)
0x00000000004004b1 <main+15>:   mov    $0x3,%edx
0x00000000004004b6 <main+20>:   mov    $0x2,%esi
0x00000000004004bb <main+25>:   mov    $0x1,%edi
0x00000000004004c0 <main+30>:   callq  0x400478 <function>
0x00000000004004c5 <main+35>:   movl   $0x1,0xfffffffffffffffc(%rbp)
0x00000000004004cc <main+42>:   mov    0xfffffffffffffffc(%rbp),%esi
0x00000000004004cf <main+45>:   mov    $0x4005f8,%edi
0x00000000004004d4 <main+50>:   mov    $0x0,%eax
0x00000000004004d9 <main+55>:   callq  0x400398 <printf@plt>
0x00000000004004de <main+60>:   movl   $0x9,0xfffffffffffffffc(%rbp)
0x00000000004004e5 <main+67>:   mov    0xfffffffffffffffc(%rbp),%esi
0x00000000004004e8 <main+70>:   mov    $0x4005f8,%edi
0x00000000004004ed <main+75>:   mov    $0x0,%eax
0x00000000004004f2 <main+80>:   callq  0x400398 <printf@plt>
0x00000000004004f7 <main+85>:   leaveq
0x00000000004004f8 <main+86>:   retq
=============
i need to skip 12 bytes after the 'call function', and
hence i am incrementing *ret by 8.

when i run the prog, "1" is still displayed. where am
i going wrong?

thanks

- ll 
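As an added example (not from the original post or from Aleph One's paper), a small Python parser for gdb's `disassemble` listing that recovers each instruction's encoded length from the gap between consecutive addresses, which is the number a reader needs before deciding how far a return address would have to move. The listing is the one from the post above, with the mail-wrapped lines rejoined and the archive's mangled `printf@plt` symbol restored; the function and variable names are my own.

```python
import re

# One line of gdb's "disassemble" output: address, <symbol+offset>, mnemonic, operands.
_LINE = re.compile(r"^\s*0x([0-9a-f]+)\s+<([^+>]+)\+(\d+)>:\s+(\S+)\s*(.*)$", re.I)

# main() as disassembled in the post above (wrapped lines rejoined).
DISASM_MAIN = """\
0x00000000004004a2 <main+0>:    push   %rbp
0x00000000004004a3 <main+1>:    mov    %rsp,%rbp
0x00000000004004a6 <main+4>:    sub    $0x10,%rsp
0x00000000004004aa <main+8>:    movl   $0x0,0xfffffffffffffffc(%rbp)
0x00000000004004b1 <main+15>:   mov    $0x3,%edx
0x00000000004004b6 <main+20>:   mov    $0x2,%esi
0x00000000004004bb <main+25>:   mov    $0x1,%edi
0x00000000004004c0 <main+30>:   callq  0x400478 <function>
0x00000000004004c5 <main+35>:   movl   $0x1,0xfffffffffffffffc(%rbp)
0x00000000004004cc <main+42>:   mov    0xfffffffffffffffc(%rbp),%esi
0x00000000004004cf <main+45>:   mov    $0x4005f8,%edi
0x00000000004004d4 <main+50>:   mov    $0x0,%eax
0x00000000004004d9 <main+55>:   callq  0x400398 <printf@plt>
0x00000000004004de <main+60>:   movl   $0x9,0xfffffffffffffffc(%rbp)
0x00000000004004e5 <main+67>:   mov    0xfffffffffffffffc(%rbp),%esi
0x00000000004004e8 <main+70>:   mov    $0x4005f8,%edi
0x00000000004004ed <main+75>:   mov    $0x0,%eax
0x00000000004004f2 <main+80>:   callq  0x400398 <printf@plt>
0x00000000004004f7 <main+85>:   leaveq
0x00000000004004f8 <main+86>:   retq
"""

def parse_disassembly(text):
    """Return a list of (address, 'sym+off', 'mnemonic operands') tuples."""
    insns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:  # "Dump of assembler code ..." / "End of assembler dump." etc.
            continue
        insns.append((int(m.group(1), 16), f"{m.group(2)}+{m.group(3)}",
                      f"{m.group(4)} {m.group(5)}".strip()))
    return insns

def instruction_lengths(insns):
    """Encoded length of each instruction = gap to the next address; None for the last."""
    return [(label, text, insns[i + 1][0] - addr if i + 1 < len(insns) else None)
            for i, (addr, label, text) in enumerate(insns)]

def length_after_call(insns, callee):
    """Map each return address of a call to `callee` to the length of the one
    instruction that sits right after the call (the bytes a return would cover)."""
    lengths = instruction_lengths(insns)
    return {insns[i + 1][0]: lengths[i + 1][2] for i, (_, _, t) in enumerate(insns[:-1])
            if t.startswith("call") and callee in t}
```

Run against this listing, `length_after_call(insns, "<function>")` reports that the `movl $0x1,...` following the call at main+30 occupies 7 bytes (0x4004c5 to 0x4004cc), which is the size to compare against any constant copied from the 32-bit paper.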