h3llfyr3
19-09-05, 19:24
Trying to work out what's going on with my buffer overflow.
My code
#include <stdio.h>

void return_input (void) {
    char array[30];
    gets (array);           /* unbounded read: this is the overflow under test */
    printf("%s\n", array);
}

int main (void) {
    return_input();
    return 0;
}
OK my buffer is 30 bytes long, but because of the way memory is allocated it is actually
32 bytes long. So I write in 40 bytes of data and that will overwrite both ebp and eip as they are 4 bytes each.
So when I do my
h3llfyr3@slax:~$ perl -e 'print "A"x40 '|overflow
I get
(gdb) info registers
eax 0x0 0
ecx 0x40142840 1075062848
edx 0x29 41
ebx 0x40141ff4 1075060724
esp 0xbffff508 0xbffff508
ebp 0x41414141 0x41414141
esi 0xbffff58c -1073744500
edi 0x1 1
eip 0x41414141 0x41414141
eflags 0x210286 2163334
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x0 0
which is correct as my ebp and eip have now been overwritten with A's.
I'm not sure where the space reserved for my array is I know that 32 in hex is 0x20
but can't find a reference to it anywhere, this is confusing me.
Below is my disas of main and return_input with gdb. Letting me know what is right / wrong would be a great help.
Thanks for bearing with me.
(gdb) disas main
Dump of assembler code for function main:
0x080483ef <main+0>: push %ebp
I think what this is doing is first storing the base pointer on the stack
0x080483f0 <main+1>: mov %esp,%ebp
Now it's moving the stack pointer into the base pointer
0x080483f2 <main+3>: sub $0x8,%esp
I think this is reserving space for my variable by subtracting 8 from the stack pointer
0x080483f5 <main+6>: and $0xfffffff0,%esp
or this might be the space reserved for my variable?
0x080483f8 <main+9>: mov $0x0,%eax
adding something to the accumulator register
0x080483fd <main+14>: sub %eax,%esp
not sure
0x080483ff <main+16>: call 0x80483c4 <return_input>
This is the ret address that EIP will go back to after
the data from array has been collected, my shellcode should start in
the address referenced here.
0x08048404 <main+21>: mov $0x0,%eax
not sure here either
0x08048409 <main+26>: leave
might be finishing the function
0x0804840a <main+27>: ret
this is my ret address so the instructions at 0x0804840a are where
my shellcode must start, or I need to overwrite the ret address with a new one.....
I also can't see anything in, again I'm looking for that 0x20 that is my 30 chars.
Dump of assembler code for function return_input:
0x080483c4 <return_input+0>: push %ebp
0x080483c5 <return_input+1>: mov %esp,%ebp
0x080483c7 <return_input+3>: sub $0x28,%esp
0x080483ca <return_input+6>: sub $0xc,%esp
0x080483cd <return_input+9>: lea 0xffffffd8(%ebp),%eax
0x080483d0 <return_input+12>: push %eax
0x080483d1 <return_input+13>: call 0x80482c4 <_init+40>
0x080483d6 <return_input+18>: add $0x10,%esp
0x080483d9 <return_input+21>: sub $0x8,%esp
0x080483dc <return_input+24>: lea 0xffffffd8(%ebp),%eax
0x080483df <return_input+27>: push %eax
0x080483e0 <return_input+28>: push $0x8048524
0x080483e5 <return_input+33>: call 0x80482e4 <_init+72>
0x080483ea <return_input+38>: add $0x10,%esp
0x080483ed <return_input+41>: leave
0x080483ee <return_input+42>: ret
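To see where the array actually lives in the frame, here is a small added script (my own, not code from the post) that decodes the two instructions in the return_input listing that answer the question: the prologue's sub $0x28,%esp and the lea 0xffffffd8(%ebp),%eax that forms the array's address. It parses the disassembly lines quoted above; the regex and function names are my own.

```python
import re

# Disassembly of return_input, copied from the post above (32-bit x86, AT&T syntax).
DISAS_RETURN_INPUT = """\
0x080483c4 <return_input+0>: push %ebp
0x080483c5 <return_input+1>: mov %esp,%ebp
0x080483c7 <return_input+3>: sub $0x28,%esp
0x080483ca <return_input+6>: sub $0xc,%esp
0x080483cd <return_input+9>: lea 0xffffffd8(%ebp),%eax
0x080483d0 <return_input+12>: push %eax
0x080483d1 <return_input+13>: call 0x80482c4 <_init+40>
"""

SUB_ESP = re.compile(r"sub\s+\$0x([0-9a-f]+),%esp")      # frame allocation in the prologue
LEA_EBP = re.compile(r"lea\s+0x([0-9a-f]+)\(%ebp\),%eax")  # address of a local, ebp-relative

def sign_extend32(value):
    """Read a 32-bit displacement as a signed number: 0xffffffd8 -> -40."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def frame_layout(disas, declared_size):
    """Locate the first address-taken local in the frame and measure its distances."""
    frame_size = buffer_offset = None
    for line in disas.splitlines():
        m = SUB_ESP.search(line)
        if m and frame_size is None:          # first 'sub ...,%esp' after mov %esp,%ebp
            frame_size = int(m.group(1), 16)
        m = LEA_EBP.search(line)
        if m and buffer_offset is None:       # first local whose address is pushed
            buffer_offset = sign_extend32(int(m.group(1), 16))
    if frame_size is None or buffer_offset is None:
        raise ValueError("no frame allocation or local address found in disassembly")
    to_saved_ebp = -buffer_offset             # saved %ebp is at %ebp+0
    return {
        "frame_size": frame_size,             # 0x28 = 40 bytes, not the 0x20 the post looks for
        "buffer_offset": buffer_offset,       # -40: the array starts at %ebp-40
        "to_saved_ebp": to_saved_ebp,
        "to_return_addr": to_saved_ebp + 4,   # return address sits just above saved %ebp
        "padding": to_saved_ebp - declared_size,
    }

if __name__ == "__main__":
    for key, val in frame_layout(DISAS_RETURN_INPUT, declared_size=30).items():
        print(f"{key:15} {val}")
```

0xffffffd8 is the two's-complement encoding of -0x28, so the array starts 40 bytes below the saved ebp: the compiler reserved 40 bytes for the 30-char array, which is why no 0x20 appears anywhere in the listing.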