-
October 26th, 2005, 07:28 PM
#1
Junior Member
buffers and bytes
here's something i m lost about...a particular C code looks like this
int main(int argc,char **argv)
{
char buff[2];
strcpy(buff,argv[1]);
.....
some code
.....
}
The program gives segmentation fault if i pass argv[1] greater than 5 bytes ie starting from 6 bytes which implies 5 bytes can be copied to buff array.....now whys that and if its about over-writing saved frame pointer of 4 bytes ...then if i make buff of size 5 bytes ie char buff[5].........i can copy 27 bytes to it without segmentation fault which occurs when argv[1]>=28 bytes.................................
(word size is 4 bytes)
can someone explain......
-
November 5th, 2005, 10:48 AM
#2
Hi
I was in vacation and just have seen this. Here you may have
an example why an exploit code does not work generically,
and why it is "hard" to write good (general) exploit code.
You are analysing your own code, which you compile with a particular
compiler on a particular platform, rather than a given binary. Hence,
you have to check with a runtime debugger (gdb[1], ollydbg[2]) what
actually is going on. Depending on you flags, the compiler might add
operations to your code.
The standard example: a memory excerpt of the most likely scenario
(buff-size smaller than 5 bytes)
Code:
AB CD EF GH <-- buff
IJ KL MN OP <-- ebp
QR ST UV WX <-- ret
buff[0] fills GH, buff[1] fills EF, ....
- if the buffer-size buff is smaller than 5 bytes, you will need 5 bytes
to overwrite (part of) the ebp and 9 bytes to overwrite (part of)
the return address. Even if you use 9 bytes, the program does not
necessarily crash (but most likely). In any case, the bytes 9 to 12
are controlling the return address.
- if the buffer-size buff is between 5 and 8 bytes, you will need 9 bytes
to overwrite (part of) the ebp etc....
I have no explanation why you need more than 27 bytes to crash the program.
As said: perform a runtime analysis of the memory to make sure to understand
the binary.
Can you exploit this?
A test-question: Can you exploit
a)
Code:
int main(int argc,char **argv)
{
char buff[2];
char over[20];
strncpy(over,argv[1],20);
strcpy(buff,over);
.....
some code
.....
}
or
b)
Code:
int main(int argc,char **argv)
{
char over[20];
char buff[2];
strncpy(over,argv[1],20);
strcpy(buff,over);
.....
some code
.....
}
?
If yes, why? If no, why?
Cheers
[1] http://www.gnu.org/software/gdb/gdb.html
[2] http://www.ollydbg.de/
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
November 5th, 2005, 03:20 PM
#3
Junior Member
thx for the reply...atleast now i ve got some start....
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|