Page 2 of 2 FirstFirst 12
Results 11 to 12 of 12

Thread: Question reagarding Smashing the Stack

  1. #11
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    It would be a lot better if you posted your C code, and the gdb disassembly output for main and the function. That aside. It looks like you're loading the address ebp-24 onto eax, which I assume is a buffer. Then it looks like you're adding 48 to it. I think that you should actually be adding 28 to it. ebp is just below the return address in the stack. and since you loaded ebp-24 into eax, you only need to add 28 to get the address of the return address into eax. After that you just need to change the value at that address to the new address you want it to return to. To do that, you simply find the address after x is assigned the value 1 in main, and set *ret = that address in hex. Good luck, and I can probably help more if you post everything specified in the beginning of my post. I was having a hard time figuring out what was going on near the end of that function.

    edit
    I think I see now. You're just adding a certain amount to the return address. Look at the disas of main. The return address before you modify it will be the address of the instruction right after your call to the instruction. Count the amount you have to add to get it to move to the instruction right after it assigns x the value 1, then use that value in your (*ret) +=. I'm not sure how the optimization options will affect this. When I started out doing this I never used any weird options, just the standard -o and maybe -g.

  2. #12
    Junior Member
    Join Date
    Sep 2005
    Posts
    3
    H3r3tic:

    Here's the C code (from the Phrack 49 article)

    #include"stdio.h"
    void function(int a, int b, int c) {
    char buffer1[8];
    char buffer2[10];
    int *ret;

    ret = (int*)buffer1+12;
    (*ret) += 8;

    }

    int main() {
    int x;
    x = 0;
    function(1,2,3);

    x=1;
    printf("%d\n",x);
    return 0;
    }

    Here's the dump for the main function:

    Dump of assembler code for function main:
    0x08048346 <main+0>: push %ebp
    0x08048347 <main+1>: mov %esp,%ebp
    0x08048349 <main+3>: sub $0x8,%esp
    0x0804834c <main+6>: and $0xfffffff0,%esp
    0x0804834f <main+9>: mov $0x0,%eax
    0x08048354 <main+14>: sub %eax,%esp
    0x08048356 <main+16>: movl $0x0,0xfffffffc(%ebp)
    0x0804835d <main+23>: sub $0x4,%esp
    0x08048360 <main+26>: push $0x3
    0x08048362 <main+28>: push $0x2
    0x08048364 <main+30>: push $0x1
    0x08048366 <main+32>: call 0x8048328 <function>
    0x0804836b <main+37>: add $0x10,%esp
    0x0804836e <main+40>: movl $0x1,0xfffffffc(%ebp)
    0x08048375 <main+47>: sub $0x8,%esp
    0x08048378 <main+50>: pushl 0xfffffffc(%ebp)
    0x0804837b <main+53>: push $0x804843c
    0x08048380 <main+58>: call 0x8048268 <printf>
    0x08048385 <main+63>: add $0x10,%esp
    0x08048388 <main+66>: mov $0x0,%eax
    0x0804838d <main+71>: leave
    0x0804838e <main+72>: ret

    and here's the dump for the function "function"

    Dump of assembler code for function function:
    0x08048328 <function+0>: push %ebp
    0x08048329 <function+1>: mov %esp,%ebp
    0x0804832b <function+3>: sub $0x38,%esp
    0x0804832e <function+6>: lea 0xfffffff0(%ebp),%eax
    0x08048331 <function+9>: add $0x30,%eax
    0x08048334 <function+12>: mov %eax,0xffffffd4(%ebp)
    0x08048337 <function+15>: mov 0xffffffd4(%ebp),%edx
    0x0804833a <function+18>: mov 0xffffffd4(%ebp),%eax
    0x0804833d <function+21>: mov (%eax),%eax
    0x0804833f <function+23>: add $0x8,%eax
    0x08048342 <function+26>: mov %eax,(%edx)
    0x08048344 <function+28>: leave
    0x08048345 <function+29>: ret
    End of assembler dump.

    Actually you are right, that is exactly what I am trying to do (basically trying to skip the x=1 instruction), but it doesn't seem to work. Even tried adding 8 (and 10) to words from buffer1 to buffer+80 hoping that it'd atleast garble the IP and hence do a core dump, but to no avail. (code pasted below

    Meanwhile found about a bug in GCC 3.2 (h**p://gcc.gnu.org/bugzilla/show_bug.cgi?id=9624) which results in GCC allocating more buffer space than is required. Even after compensating for bigger buffer allocation the program produces nothing but "1". But even than the core dump should've happened in the scenario mentioned in the previous paragraph.

    If you need any more info do let me know!

    Regards,
    esprain

    ==========================================
    Now this should surely crash. shouldn't it? but it doesn't!

    void function(int a, int b, int c) {
    char buffer1[8];
    // char buffer2[10];
    int *ret;

    ret = (int*)buffer1;
    (*ret) += 20;
    ret = (int*)buffer1+4;
    (*ret) += 20;
    ret = (int*)buffer1+8;
    (*ret) += 20;
    ret = (int*)buffer1+12;
    (*ret) += 20;
    ret = (int*)buffer1+16;
    (*ret) += 20;
    ret = (int*)buffer1+20;
    (*ret) += 20;
    ret = (int*)buffer1+24;
    (*ret) += 20;
    ret = (int*)buffer1+28;
    (*ret) += 20;
    ret = (int*)buffer1+32;
    (*ret) += 20;
    ret = (int*)buffer1+36;
    (*ret) += 20;
    ret = (int*)buffer1+40;
    (*ret) += 20;
    ret = (int*)buffer1+44;
    (*ret) += 20;
    ret = (int*)buffer1+48;
    (*ret) += 20;
    ret = (int*)buffer1+52;
    (*ret) += 20;
    ret = (int*)buffer1+56;
    (*ret) += 20;
    ret = (int*)buffer1+60;
    (*ret) += 20;
    ret = (int*)buffer1+64;
    (*ret) += 20;
    ret = (int*)buffer1+68;
    (*ret) += 20;
    ret = (int*)buffer1+72;
    (*ret) += 20;
    ret = (int*)buffer1+76;
    (*ret) += 20;
    ret = (int*)buffer1+80;
    (*ret) += 20;

    }

    int main() {
    int x;
    x = 0;
    function(1,2,3);
    x=1;
    printf("%d\n",x);
    return 0;
    }

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •