Results 1 to 3 of 3

Thread: buffers and bytes

  1. #1
    Junior Member
    Join Date
    Dec 2004
    Posts
    12

    buffers and bytes

    here's something i m lost about...a particular C code looks like this

    int main(int argc,char **argv)
    {
    char buff[2];
    strcpy(buff,argv[1]);
    .....
    some code
    .....
    }

    The program gives segmentation fault if i pass argv[1] greater than 5 bytes ie starting from 6 bytes which implies 5 bytes can be copied to buff array.....now whys that and if its about over-writing saved frame pointer of 4 bytes ...then if i make buff of size 5 bytes ie char buff[5].........i can copy 27 bytes to it without segmentation fault which occurs when argv[1]>=28 bytes.................................
    (word size is 4 bytes)


    can someone explain......

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    I was in vacation and just have seen this. Here you may have
    an example why an exploit code does not work generically,
    and why it is "hard" to write good (general) exploit code.


    You are analysing your own code, which you compile with a particular
    compiler on a particular platform, rather than a given binary. Hence,
    you have to check with a runtime debugger (gdb[1], ollydbg[2]) what
    actually is going on. Depending on you flags, the compiler might add
    operations to your code.


    The standard example: a memory excerpt of the most likely scenario
    (buff-size smaller than 5 bytes)

    Code:
    AB CD EF GH    <-- buff
    IJ KL MN OP    <-- ebp
    QR ST UV WX    <-- ret
    buff[0] fills GH, buff[1] fills EF, ....

    - if the buffer-size buff is smaller than 5 bytes, you will need 5 bytes
    to overwrite (part of) the ebp and 9 bytes to overwrite (part of)
    the return address. Even if you use 9 bytes, the program does not
    necessarily crash (but most likely). In any case, the bytes 9 to 12
    are controlling the return address.
    - if the buffer-size buff is between 5 and 8 bytes, you will need 9 bytes
    to overwrite (part of) the ebp etc....

    I have no explanation why you need more than 27 bytes to crash the program.
    As said: perform a runtime analysis of the memory to make sure to understand
    the binary.


    Can you exploit this?


    A test-question: Can you exploit

    a)
    Code:
    int main(int argc,char **argv)
    {
    char buff[2];
    char over[20];
    
      strncpy(over,argv[1],20);
    
    strcpy(buff,over);
    .....
    some code
    .....
    }
    or
    b)

    Code:
    int main(int argc,char **argv)
    {
    char over[20];
    char buff[2];
    
      strncpy(over,argv[1],20);
    
    strcpy(buff,over);
    .....
    some code
    .....
    }
    ?

    If yes, why? If no, why?

    Cheers

    [1] http://www.gnu.org/software/gdb/gdb.html
    [2] http://www.ollydbg.de/
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  3. #3
    Junior Member
    Join Date
    Dec 2004
    Posts
    12
    thx for the reply...atleast now i ve got some start....

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •