Re: Buffer Overflow Help

From: Rafael Coninck Teigao (rafael@safecore.net)
Date: Wed Jul 31 2002 - 11:33:33 EDT


> > > -=-=-=-=-=-=-=-=-=-=-=-=-=
> > > void function(int a, int b, int c) {
> > > char buffer1[5];
> > > char buffer2[10];
> > > int *ret;
> > >
> > > ret = buffer1 + 12;
> > > (*ret) += 8;
> > > }
>
> i am failing to see how this should bypass anything,
> it is all byval, not byref. this function is isolated from your prog.
> buffer1, buffer2, and ret are all disappearing when the function is
> done...

        You're right in that all those functions and variables are gone
once the function is finished. But, if you look at the stack, you'll see that
the offset of "buffer1" is 8 bytes from "SFP" (your saved frame pointer), and
that is 4 bytes from "RET" (not the variable, but your saved IP). So 8+4=12.
As you can see, the address of "ret" (the variable) is set to buffer1 + 12,
which equals the address of RET.
        Now, when you change whatever there is in "ret", you are in reality changing
what is stored in RET, which means you can control the pointer to the next
code to execute after the function returns. If you do "(*ret) += 8", you are
taking the stored RET address (a value pointing to the next code after the
return) and adding 8 to it.

>
> i am also failing to see how the function would affect x at all.

        Now, remember that the address of the "x=1" assignment was 8 bytes after the
function call and that you've set the return address to be exactly this point;
thus the next code to be executed is what comes after "x=1" (since the IP
points to the actual instruction, and the next code to be executed is the one
that comes after it), never assigning 1 to "x" (which keeps 0 as its
value).

        []'s,
        Rafael Coninck Teigao
        SafeCore Network Solutions
        http://SafeCore.NET
        +55 41 224 1785
        +49 175 650 2754

------------------------------------------------------------------------
"The only people for me are the mad ones -- the ones who are mad to
live, mad to talk, mad to be saved, desirous of everything at the same
time, the ones who never yawn or say a commonplace thing, but burn,
burn, burn like fabulous yellow Roman candles."
    -- Jack Kerouac, "On the Road"
------------------------------------------------------------------------
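Added example (not from the original post or from the quoted code): a C program that locates the saved return address (RET) of its own stack frame at run time and measures how far it sits from a local buffer1, which is the quantity the post's "ret = buffer1 + 12" hard-codes. It assumes GCC or Clang on x86-64 or AArch64, where __builtin_frame_address(0) forces a frame pointer and the saved return address sits one machine word above it; those are assumptions of this example, not guarantees of C. The constants 12 and 8 in the post belong to the 1996 32-bit gcc build they were derived from and are not assumed here. The program only reads the RET slot and never writes to it.

```c
/* Added example: find the RET slot of the running frame and measure its
 * distance from a local buffer1 (the post's "+12"). Assumptions, not C
 * guarantees: GCC/Clang on x86-64 or AArch64, frame pointer forced by
 * __builtin_frame_address(0), RET one machine word above the frame pointer. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct frame_probe {
    uintptr_t buffer1;     /* address of the local buffer1[5]            */
    uintptr_t ret_slot;    /* address of the stack slot holding RET      */
    uintptr_t saved_ret;   /* value read from that slot                  */
    uintptr_t builtin_ret; /* __builtin_return_address(0), for comparison */
    long      offset;      /* ret_slot - buffer1: the post's "+12"        */
};

/* noinline: the probe needs a frame and a return address of its own. */
__attribute__((noinline))
static struct frame_probe probe_frame(int a, int b, int c)
{
    volatile char buffer1[5];   /* same locals as the quoted function()   */
    volatile char buffer2[10];  /* volatile so they stay in the frame     */
    struct frame_probe p;
    size_t i;

    for (i = 0; i < sizeof buffer1; i++) buffer1[i] = (char)a;
    for (i = 0; i < sizeof buffer2; i++) buffer2[i] = (char)b;
    (void)c;

    /* Frame pointer -> saved frame pointer (SFP); RET is the word above it. */
    uintptr_t fp  = (uintptr_t)__builtin_frame_address(0);
    p.buffer1     = (uintptr_t)buffer1;
    p.ret_slot    = fp + sizeof(void *);
    p.saved_ret   = *(volatile uintptr_t *)p.ret_slot;
    p.builtin_ret = (uintptr_t)__builtin_return_address(0);
    p.offset      = (long)(p.ret_slot - p.buffer1);
    return p;
}

/* 1 if the slot we computed really holds the return address, else 0. */
int ret_slot_located(void)
{
    struct frame_probe p = probe_frame(1, 2, 3);
    return p.saved_ret == p.builtin_ret;
}

/* Distance in bytes from buffer1 to the RET slot on this build. */
long ret_offset_from_buffer1(void)
{
    return probe_frame(1, 2, 3).offset;
}

int main(void)
{
    struct frame_probe p = probe_frame(1, 2, 3);

    printf("buffer1 at 0x%" PRIxPTR ", RET slot at 0x%" PRIxPTR " (buffer1 + %ld)\n",
           p.buffer1, p.ret_slot, p.offset);
    printf("slot holds 0x%" PRIxPTR ", __builtin_return_address gives 0x%" PRIxPTR " -> %s\n",
           p.saved_ret, p.builtin_ret,
           p.saved_ret == p.builtin_ret ? "same address" : "MISMATCH");
    return p.saved_ret == p.builtin_ret ? 0 : 1;
}
```

On a current 64-bit build the reported offset will not be 12: the buffers are laid out differently, a stack-protector canary may sit between them and the saved frame pointer, and RET itself is 8 bytes wide. In the same way the "+= 8" of the quoted code depends on the exact length of the compiled "x=1" instruction, which you read off a disassembly of main (for example with gdb's disassemble command), not from the C source.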

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:24 EDT