Re: Buffer Overflow Help

From: Geoffroy Raimbault (graimbault@lynx-technologies.com)
Date: Wed Jul 31 2002 - 12:34:11 EDT


In fact, you don't really modify x, but you modify the saved EIP of
"function()" to jump after the piece of code that sets x to 1: "movl
$0x1,0xfffffffc(%ebp)", so that you really "bypass" the "x=1" statement.

Concerning Leonard's problem, it may be due to the size gcc assigns to the
local variables when it has to make a 4-byte alignment. Normally it should
allocate 8 bytes for char buffer1[5] (you round up to the next multiple of 4
bytes to get 4-byte alignment). Sometimes gcc doesn't round as expected. You
should try this code, which allocates 8 bytes for buffer1, and so has no
alignment problems.

You should also take a look at Vuln Dev; a recent discussion there treated this
problem.

#include <stdio.h>

void function(int a, int b, int c)
{
        char buffer1[8];              /* allocate 8 bytes for buffer1, already 4-byte aligned */
        int *ret;
        ret = (int *)(buffer1 + 12);  /* after that, ret points to the saved EIP */
        (*ret) += 8;                  /* modify the saved EIP to skip the "x=1" statement */
}

int main(void)
{
        int x;
        x = 0;
        function(1,2,3);
        x = 1;
        printf("x= %d\n", x);
        return 0;
}

Geof
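The offset 12 and the skip distance 8 in the code above are both guesses about
what the compiler did, which is exactly why Leonard's build printed 1. The
program below is an added example, written for this archive page and not code
posted by Geoffroy, Leonard or anyone else in the thread. It replaces both
guesses with measurements: ret_slot_offset() scans its own frame upward from a
char buffer1[5] for the value GCC reports through __builtin_return_address(0),
so it reports where the saved return address really is, and main() computes the
skip distance from the address of a label placed after the "x = 1" store (GCC's
labels-as-values extension) instead of assuming the store is 8 bytes long. The
function names, SCAN_LIMIT and the planted-needle self-check are mine. It
assumes GCC or clang on x86 (32- or 64-bit), where the return slot lies above
the locals; other ABIs (AArch64, for instance) keep the frame record below the
locals and the upward scan would not find it.

```c
/*
 * Added example for this thread (not code from any of the posters). Instead of
 * hard-coding "buffer1 + 12", locate the saved return address by scanning the
 * callee's own frame for the value GCC reports through __builtin_return_address(0),
 * and compute the skip distance from a label placed after the "x = 1" store
 * (GCC's labels-as-values extension, &&label) instead of guessing 8.
 *
 * Assumptions: GCC or clang, x86 (32- or 64-bit) where the return slot sits at a
 * higher address than the locals. Build and run with
 *     gcc -O0 -fno-stack-protector skip_store.c && ./a.out
 * The hijack in main() is only meaningful at -O0 (the compiler must keep the
 * store and the label in source order); the frame probe works at any level.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if !defined(__GNUC__)
#error "relies on __builtin_return_address and labels-as-values (GCC/clang)"
#endif

#define SCAN_LIMIT 256  /* bytes to examine above the buffer; assumed larger than the frame */

/*
 * Scan upward from `base` for a pointer-sized word equal to `needle`, at every
 * byte offset (the buffer need not be pointer-aligned). Returns the byte offset
 * or -1. memcpy keeps the unaligned reads well defined.
 */
static __attribute__((noinline))
ptrdiff_t find_word(const unsigned char *base, size_t limit, uintptr_t needle)
{
    for (size_t off = 0; off + sizeof needle <= limit; off++) {
        uintptr_t word;
        memcpy(&word, base + off, sizeof word);
        if (word == needle)
            return (ptrdiff_t)off;
    }
    return -1;
}

/*
 * Same local as Leonard's function(). Returns how many bytes above buffer1 this
 * function's saved return address actually lives (the "12" from the article),
 * or -1 if it is not within SCAN_LIMIT. If `resume` is non-NULL, overwrite the
 * saved return address so the caller continues at `resume` instead of at the
 * instruction after the call.
 */
__attribute__((noinline))
ptrdiff_t ret_slot_offset(void *resume)
{
    volatile char buffer1[5] = {0};
    /* volatile pointer: the compiler may not assume the reads stay inside buffer1 */
    const unsigned char *volatile base = (const unsigned char *)buffer1;
    ptrdiff_t off = find_word(base, SCAN_LIMIT,
                              (uintptr_t)__builtin_return_address(0));
    if (off >= 0 && resume != NULL) {
        uintptr_t target = (uintptr_t)resume;
        memcpy((unsigned char *)base + off, &target, sizeof target);
    }
    return off;
}

/* Constructed 64-byte "stack" with a needle planted 13 bytes in (test data, not
 * a real frame). Returns the offset the scanner reports, expected 13, or -2 if
 * it also reports a value that is not there. */
int find_word_selfcheck(void)
{
    unsigned char fake_stack[64] = {0};
    uintptr_t needle = (uintptr_t)0x4242;
    memcpy(fake_stack + 13, &needle, sizeof needle);
    if (find_word(fake_stack, sizeof fake_stack, needle + 1) != -1)
        return -2;
    return (int)find_word(fake_stack, sizeof fake_stack, needle);
}

int main(void)
{
    volatile int x = 0;

    printf("saved return address is %td bytes above buffer1 (the article assumed 12)\n",
           ret_slot_offset(NULL));

    /* The real thing: resume past the store, at a distance computed, not guessed. */
    ret_slot_offset(&&after_store);
    x = 1;                   /* skipped when the return address was retargeted */
after_store:
    printf("x = %d\n", x);   /* 0 if the hijack worked, 1 otherwise */
    return 0;
}
```

Running the probe on a stack-protected build (the distro default) still works,
because the return slot is written in place and the canary between buffer1 and
the saved frame pointer is never touched; it is the overflow-style write in the
article, not this direct write, that a canary catches. If ret_slot_offset()
reports -1, the frame layout is not the x86 one assumed here.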

----- Original Message -----
From: "jmiller" <secadmin@subversive.cc>
Cc: <pen-test@securityfocus.com>
Sent: Wednesday, July 31, 2002 8:54 AM
Subject: Re: Buffer Overflow Help

> <snip>
>
> > > The following example should bypass the "x=1" statement and print the
> > > original value of "x" which is 0 (zero). Here's the code.
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=
> > > void function(int a, int b, int c) {
> > > char buffer1[5];
> > > char buffer2[10];
> > > int *ret;
> > >
> > > ret = buffer1 + 12;
> > > (*ret) += 8;
> > > }
>
> I am failing to see how this should bypass anything,
> it is all byval, not byref. This function is isolated from your prog.
> buffer1, buffer2, and ret are all disappearing when the function is
> done...
>
> I am also failing to see how the function would affect x at all.
>
> JMiller
>
>
> > >
> > > void main() {
> > > int x;
> > >
> > > x=0;
> > > function(1,2,3);
> > > x=1;
> > > printf("%d\n",x);
> > > }
> > > -=-=-=-=-=-=-=-=-=-=-=-=
> > >
> > > When I compile and execute this code it displays one and exits. I have
> > > tried this on RedHat 7.3 and Debian 2.2r6, both giving me the same result.
> > > Does anyone have any insight into why this wouldn't work? After looking
> > > into the assembly behind it, I think it has something to do with the
> > > "word size", but can't seem to find any information as to what the "word
> > > size" is in Debian or RedHat.
> > >
> > > Any and all comments/suggestions are more than welcome. Also if anyone
> > > knows of some other good text files/documents that talk about buffer
> > > overflows I would be happy to receive links.
> > >
> > > Leonard Leblanc
> > >
> >
> > --
> >
> > Public-key [ http://home.no.net/jullum/ejl.asc ]
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:24 EDT