[framework] Buffer overflow in main
wbyoung at u.northwestern.edu
Wed Feb 27 22:30:24 CST 2008
This isn't Metasploit specific, but it seems like a good place to ask:
If I have a program:
#include <stdio.h>   /* gets() (removed from C11, still declared by older glibc) */

int main() {
    char buffer[64];
    gets(buffer);    /* no length bound: input past 64 bytes overwrites the saved frame */
    return 0;
}
On Ubuntu 7.10 using gcc with --no-stack-protector and -z execstack
options to compile, you can overflow the buffer and change the return
address of main, but when main completes, it does not return to the
address you might want.
In this program, you can inject a return address and it returns to the
address you specify:
#include <stdio.h>

void run() {
    char buffer[64];
    gets(buffer);    /* same unbounded read, now in a frame below main's */
}

int main() {
    run();           /* the overwritten return address is consumed by run's ret */
    return 0;
}
I believe this has to do with the way libc returns from main, but if
someone could explain (in as much detail as possible) or point to a
resource that explains what is going on here, that'd be great. Thanks!
- Whitney Young
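Added example (not from the original post or its author): the same 64-byte read, but bounded with fgets() so that an over-long line is rejected and drained instead of overwriting the saved frame pointer and return address of run() or main(). The helper names read_line, run_bounded and string_stream are assumptions chosen for this example; string_stream only exists to feed constructed input to the reader without touching stdin.

```c
/* Added example, not code from the original post. Bounded replacement for
 * the gets() call: read_line() is a hypothetical helper name. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Read one line from `in` into buf (capacity cap), dropping the newline.
 * Returns the number of characters stored, -1 if the line was longer than
 * cap-1 characters (the rest of that line is consumed so the next call
 * starts on a fresh line), or -2 on EOF with no data. Never writes past
 * buf[cap-1], so the frame above buf cannot be overwritten. */
int read_line(FILE *in, char *buf, size_t cap) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap) buf[0] = '\0';
        return -2;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return (int)(len - 1);
    }
    /* No newline in buf: the line either ended exactly at the capacity
     * or at EOF (both fit), or it continues and is over-long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return (int)len;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* drain the rest */
    return -1;
}

/* Counterpart of the run() in the post, with the bounded read. */
int run_bounded(FILE *in) {
    char buffer[BUF_SIZE];
    return read_line(in, buffer, sizeof buffer);
}

/* Test helper: turn a constructed string into a readable FILE* (ISO C
 * tmpfile(), so no stdin interaction is needed). */
FILE *string_stream(const char *s) {
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fputs(s, f);
    rewind(f);
    return f;
}

int main(void) {
    int n = run_bounded(stdin);
    if (n == -1)
        fprintf(stderr, "input line longer than %d bytes was rejected\n", BUF_SIZE - 1);
    return n < 0 ? 1 : 0;
}
```

The design point is that the caller learns about truncation (-1) instead of silently working on a cut-off line, and that the surplus input is consumed rather than left in the stream for the next read to trip over.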