
Modifying return values

Posted: Sat Feb 28, 2004 5:31 pm
by chris
I was reading the article "Smashing the Stack for Fun and Profit" from Phrack 49 and was trying to get one of the buffer overflow examples it gave to work.

Code:

#include <stdio.h>

void function(void) {
   char buffer1[5];
   char buffer2[10];
   int *ret;

   /* The article's offsets: it expects the saved return address 12 bytes
      past buffer1, and adds 8 to step over the instruction back in main().
      Both numbers are tied to the exact machine code the compiler produced. */
   ret = buffer1 + 12;
   (*ret) += 8;
}

int main(void) {
  int x;

  x = 0;
  function();
  x = 1;           /* the assignment the modified return address is meant to skip */
  printf("%d\n",x);
  return 0;
}

Code:

(gdb) disassemble main
Dump of assembler code for function main:
0x8048504 <main>:       push   %ebp
0x8048505 <main+1>:     mov    %esp,%ebp
0x8048507 <main+3>:     sub    $0x8,%esp
0x804850a <main+6>:     and    $0xfffffff0,%esp
0x804850d <main+9>:     mov    $0x0,%eax
0x8048512 <main+14>:    sub    %eax,%esp
0x8048514 <main+16>:    movl   $0x0,0xfffffffc(%ebp)
0x804851b <main+23>:    call   0x80484e4 <function>
0x8048520 <main+28>:    movl   $0x1,0xfffffffc(%ebp)
0x8048527 <main+35>:    sub    $0x8,%esp
0x804852a <main+38>:    pushl  0xfffffffc(%ebp)
0x804852d <main+41>:    push   $0x80485c8
0x8048532 <main+46>:    call   0x8048360 <printf>
0x8048537 <main+51>:    add    $0x10,%esp
0x804853a <main+54>:    leave  
0x804853b <main+55>:    ret    
0x804853c <main+56>:    nop    
0x804853d <main+57>:    nop    
0x804853e <main+58>:    nop    
0x804853f <main+59>:    nop    
End of assembler dump.
I'm trying to jump past the x = 1 assignment. He worked on Linux but I'm on FreeBSD and things are different.

Re:Modifying return values

Posted: Sat Feb 28, 2004 6:20 pm
by Tim
Er, while function() is executing, you already have passed x=0. Or do you mean x=1?

Where did the number 8 come from?

What happens when you add -O1 or -O2 to the compiler command line?

(I know the answers to these questions but I'd be interested to see your explanation.)

Re:Modifying return values

Posted: Sat Feb 28, 2004 6:27 pm
by chris
I meant x = 1, sorry. The code came right from the article, so the 8 was there to change the return value so it skipped the x = 1, but his disassembly is different from mine. I was not sure what -O1 and -O2 did so I tried it and it didn't seem to do anything extra, I just get "assignment from incompatible pointer type", like before.

EDIT: A little man gcc gave the answer to what -O is for :), and the gdb output has changed quite a bit :o

...is this still possible to do?

Re:Modifying return values

Posted: Sun Feb 29, 2004 7:19 am
by Tim
The point is, the value you add to (*ret) depends on the machine code used in the function you're returning to. I think it should be 7 in the listing you posted, but as soon as you change main(), or you change compilers, or optimization settings, the machine code will change.

Re:Modifying return values

Posted: Mon Mar 01, 2004 5:29 pm
by chris
7 doesn't seem to work :-\. When I change the return value everything seems to just work as normal. Considering I'm changing it, wouldn't it mess everything up?

Re:Modifying return values

Posted: Mon Mar 01, 2004 6:11 pm
by Tim
The point is:
-- Look at the disassembly. Work out where the CPU would return to after the CALL <function> instruction
-- Work out where you want the CPU to return to instead
-- Work out the difference between these two values
-- Increment the return address by this amount
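An added example, not code from this thread or from the Phrack article, that carries Tim's four steps out mechanically on the gdb listing chris posted in the first post. It parses the 2004-era `disassemble` output as printed above (32-bit x86, AT&T syntax), takes the instruction after `call <function>` as the normal return address, picks the instruction one place later as the new target, and reports the difference. It also does the check a practitioner wants before trusting a constant like the article's 8: whether the adjusted return address starts an instruction in the listing at all. The function names (`parse_dump`, `skip_delta`, `is_boundary`) and the `insn_t` struct are this example's own; the embedded listing is chris's main() dump.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INSNS 64

typedef struct {
    unsigned long addr;   /* instruction address as printed by gdb */
    char mnem[16];        /* mnemonic, e.g. "call" */
    char ops[64];         /* rest of the line, e.g. "0x80484e4 <function>" */
} insn_t;

/* The main() listing from chris's post (gdb of that era, AT&T syntax). */
static const char *posted_dump =
    "Dump of assembler code for function main:\n"
    "0x8048514 <main+16>:    movl   $0x0,0xfffffffc(%ebp)\n"
    "0x804851b <main+23>:    call   0x80484e4 <function>\n"
    "0x8048520 <main+28>:    movl   $0x1,0xfffffffc(%ebp)\n"
    "0x8048527 <main+35>:    sub    $0x8,%esp\n"
    "0x804852a <main+38>:    pushl  0xfffffffc(%ebp)\n"
    "0x804852d <main+41>:    push   $0x80485c8\n"
    "0x8048532 <main+46>:    call   0x8048360 <printf>\n"
    "0x8048537 <main+51>:    add    $0x10,%esp\n"
    "0x804853a <main+54>:    leave  \n"
    "0x804853b <main+55>:    ret    \n"
    "End of assembler dump.\n";

/* Parse "0xADDR <sym+off>:  mnem   operands" lines; lines that do not
   start with an address (header, footer) are skipped. Returns the count. */
static int parse_dump(const char *dump, insn_t *out, int max)
{
    int n = 0;
    const char *p = dump;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256], sym[64];
        insn_t in;
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        in.ops[0] = '\0';   /* "leave"/"ret" have no operands */
        if (sscanf(line, "%lx <%63[^>]>: %15s %63[^\n]",
                   &in.addr, sym, in.mnem, in.ops) >= 3)
            out[n++] = in;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Index of the instruction starting at addr, or -1 if addr is not an
   instruction boundary in the listing. */
static int index_of(const insn_t *in, int n, unsigned long addr)
{
    for (int i = 0; i < n; i++)
        if (in[i].addr == addr) return i;
    return -1;
}

/* Step 1: after "call <callee>" the CPU returns to the instruction that
   follows the call. Returns 0 if no such call is in the listing. */
static unsigned long return_address_after_call(const insn_t *in, int n, const char *callee)
{
    char tag[80];
    snprintf(tag, sizeof tag, "<%s>", callee);
    for (int i = 0; i + 1 < n; i++)
        if (strcmp(in[i].mnem, "call") == 0 && strstr(in[i].ops, tag))
            return in[i + 1].addr;
    return 0;
}

/* Steps 2 and 3: the new target is the instruction n_skip places after the
   normal return; the result is (target - normal return), the amount step 4
   adds. Returns -1 if the listing does not support the request. */
static long skip_delta(const char *dump, const char *callee, int n_skip)
{
    insn_t in[MAX_INSNS];
    int n = parse_dump(dump, in, MAX_INSNS);
    unsigned long ret = return_address_after_call(in, n, callee);
    int i = ret ? index_of(in, n, ret) : -1;
    if (i < 0 || n_skip < 0 || i + n_skip >= n) return -1;
    return (long)(in[i + n_skip].addr - ret);
}

/* Sanity check for any constant you are about to add: does the adjusted
   return address start an instruction, or land inside one? */
static int is_boundary(const char *dump, unsigned long addr)
{
    insn_t in[MAX_INSNS];
    int n = parse_dump(dump, in, MAX_INSNS);
    return index_of(in, n, addr) >= 0;
}

int main(void)
{
    long d = skip_delta(posted_dump, "function", 1);
    printf("add %ld to the return address to skip one instruction\n", d);
    printf("0x8048520+7 starts an instruction: %d\n", is_boundary(posted_dump, 0x8048520 + 7));
    printf("0x8048520+8 starts an instruction: %d\n", is_boundary(posted_dump, 0x8048520 + 8));
    return 0;
}
```

On chris's listing this gives 7 (0x8048527 - 0x8048520), which is Tim's figure, and shows why the article's 8 cannot be reused: 0x8048528 falls inside the 3-byte `sub $0x8,%esp` at 0x8048527 rather than on an instruction boundary. Any change to main(), the compiler, or the -O level produces a different listing, and the number has to be recomputed from that listing, not copied.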