Modifying return values

[chris]

I was reading the article "Smashing the Stack for Fun and Profit" from Phrack 49 and was trying to get one buffer overflow example gave to work.

Code: Select all

void function(void) {
   char buffer1[5];
   char buffer2[10];
   int *ret;

   ret = buffer1 + 12;
   (*ret) += 8;
}

int main(void) {
  int x;

  x = 0;
  function();
  x = 1;
  printf("%d\n",x);
}

Code: Select all

(gdb) disassemble main
Dump of assembler code for function main:
0x8048504 <main>:       push   %ebp
0x8048505 <main+1>:     mov    %esp,%ebp
0x8048507 <main+3>:     sub    $0x8,%esp
0x804850a <main+6>:     and    $0xfffffff0,%esp
0x804850d <main+9>:     mov    $0x0,%eax
0x8048512 <main+14>:    sub    %eax,%esp
0x8048514 <main+16>:    movl   $0x0,0xfffffffc(%ebp)
0x804851b <main+23>:    call   0x80484e4 <function>
0x8048520 <main+28>:    movl   $0x1,0xfffffffc(%ebp)
0x8048527 <main+35>:    sub    $0x8,%esp
0x804852a <main+38>:    pushl  0xfffffffc(%ebp)
0x804852d <main+41>:    push   $0x80485c8
0x8048532 <main+46>:    call   0x8048360 <printf>
0x8048537 <main+51>:    add    $0x10,%esp
0x804853a <main+54>:    leave  
0x804853b <main+55>:    ret    
0x804853c <main+56>:    nop    
0x804853d <main+57>:    nop    
0x804853e <main+58>:    nop    
0x804853f <main+59>:    nop    
End of assembler dump.

I'm trying to jump paste the x = 1 assignment. He worked on Linux but I'm on FreeBSD and things are different.

[Tim]

Er, while function() is executing, you already have passed x=0. Or do you mean x=1?

Where did the number 8 come from?

What happens when you add -O1 or -O2 to the compiler command line?

(I know the answers to these questions but I'd be interested to see your explanation.)

[chris]

I meant x = 1, sorry. The code came right from the article, so the 8 was there to change the return value so it skipped the x = 1, but his disassembly is different than mine. I was not sure what -O1 and -O2 did so I tryed it and it didn't seem to do anything extra, I just get "assignment from incompatible pointer type", like before.

EDIT: A little man gcc gave the answer to what -O is for , and the gdb output has changed quite a bit

...is this still possible to do?

[Tim]

The point is, the value you add to (*ret) depends on the machine code used in the function you're returning to. I think it should be 7 in the listing you posted, but as soon as you change main(), or you change compilers, or optimization settings, the machine code will change.

[chris]

7 doesn't seem to work :-\. When I change the return value everything seems to just work as normal. Considering I'm changing it, wouldn't it mess everything up?

[Tim]

The point is:
-- Look at the disassembly. Work out where the CPU would return to after the CALL <function> instruction
-- Work out where you want the CPU to return to instead
-- Work out the difference between these two values
-- Increment the return address by this amount