C/Ubuntu ][ Problem in Buffer Overflow logic


G

George Orwell

Programmatore said:
#include <stdio.h>

void vulnerable(char *lol) {
char omg[4];

// OMG! AN UNPROTECTED STRCPY!
strcpy(omg, lol);
puts("Everything's gone pretty fine");

}

void usage() {
puts("Usage: %s TEXT-TO-COPY");

}

int main( int argc, char *argv[] ) {
if(argc==1) usage(); else vulnerable(argv[1]);

}

it should copy 4 bytes in total, so there should be enough space
allocated for a string such as "AAAA", but if i give victim a "AAAA"
string, a 0x00 overflows in the ebp... why? and also... why if the ebp

No. The string "AAAA" includes the four A characters plus the terminating
0x00 (NUL) character. C strings are NUL-terminated. strcpy() copies all
five characters.
is overwritten, memory goes in stack segmentation fault? the eip
shouldn't be affected by ebp address... or should it? ...
0xbf86a584: 0x080495d8 0xbf86a5a8 0x080483ef 0xbf86c732 ...
0xbf86a584: 0x41414141 0xbf86a500 0x080483ef 0xbf86c732

Not right away, but eventually the program will be affected. As you
can see, 0xbf86a5a8 has been changed to 0xbf86a500. This value goes
into the ebp register when vulnerable() returns. So far no problem.
But then when main() returns, the following happens (which may
appear in the disassembly as a 'leave' instruction):

mov %ebp,%esp
pop %ebp
ret

So the corrupted ebp value, 0xbf86a500, ends up determining
where ebp and eip are taken from when main() returns. The
segmentation fault you're getting is occurring when main()
returns, not when vulnerable() returns. If you were able to
store your own return value at 0xbf86a500 + 4 = 0xbf86a504
(often possible in programs with large buffers), then you
would gain control when main() returns.

Hope that helps. Any further questions, just ask.

Yours,
Han from China


Il mittente di questo messaggio|The sender address of this
non corrisponde ad un utente |message is not related to a real
reale ma all'indirizzo fittizio|person but to a fake address of an
di un sistema anonimizzatore |anonymous system
Per maggiori informazioni |For more info
https://www.mixmaster.it
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top