C/Ubuntu ][ Problem in Buffer Overflow logic

  • Thread starter Borked Pseudo Mailed
  • Start date

B

Borked Pseudo Mailed

Programmatore said:
int a() {
printf("secret");

}

Change that to

printf("secret\n");

and you should get a pleasant surprise. What's happening
is that the function a() gets entered, but because stdout
is line-buffered on your system by default, you need the
newline character in the printf() string to flush the
stdout buffer.
Breakpoint 2, ciao (b=-1074078504) at xploitable.c:13
13 }
(gdb) x/40wx &sou
0xbffadca4: 0x41414141 0x080483eb 0x080483eb 0xbffadcd8
0xbffadcb4: 0x08048479 0xb809ff50 0x08048300 0x0804846b ...
Program received signal SIGSEGV, Segmentation fault.
0xbffadcda in ?? ()

The ebp register takes on the first 0x080483eb when ciao()
returns, and the eip register takes on the second 0x080483eb.
That eip value causes function a() to be entered. The old
ebp value, 0x080483eb, gets pushed on the stack below
0xbffadcd8. Then printf() is called, but because of the
buffering mentioned above, you don't see the "secret" output
string. When function a() returns, 0x080483eb gets restored to
ebp, while eip takes on the value 0xbffadcd8. From the second
stack dump, this memory location contains 0xbffadd38, which
is 0x38, 0xdd, 0xfa, 0xbf in little-endian order. The bytes
0x38, 0xdd correspond to the instruction cmp %bl,%ch, which
gets executed. Then the byte at 0xbffadcda is 0xfa, which is
the cli instruction, a privileged instruction in protected
mode. Trying to execute this instruction in unprivileged
mode raises a general protection fault on the x86. The Linux
kernel handler for a GPF is do_general_protection(), which
is defined in arch/x86/kernel/traps_32.c. This handler sends
the SIGSEGV signal to the process.

If you need any further help with your C security
programming - or even your C kernel programming - just post to
comp.lang.c, and some of us will be happy to help you.
Best of luck. :)

Yours,
Han from China
 
Ad

Advertisements

P

Programmatore

thank you Han very much, ur message was really detailed and i
appreciated it alot :)
ur infos made me try again with a real nice surprise :)

and also helped me with my second file, i noticed as with a memcpy
(&omg, &lol, strlen(lol)); it goes aswell, so the problem is in
strcpy, i'll investigate further.

i know this overflow things may seem as bad, malicious, in an italian
forum ( i'm italian ) mod closed my topic for this reason :|

ignorant people usually consider bad things they don't understand, as
they don't understand what in italian we call "thirst of knowledge"

thanks alot.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top