[framework] Buffer overflow in main
wbyoung at u.northwestern.edu
Fri Feb 29 10:07:07 CST 2008
Sorry I didn't explain a little more. I understand buffer overflows and how
they work. I've read Aleph One's Stack Smashing paper many times. I can
overwrite the return address of the main function properly, which I've
confirmed in gdb. Here's the disassembly of both functions. Some responses
to me personally said to take this off list, so if this is really off topic,
feel free to let me know.
Here's the disassembly of the two functions.
0x08048374 <main+0>: lea 0x4(%esp),%ecx
0x08048378 <main+4>: and $0xfffffff0,%esp
0x0804837b <main+7>: pushl 0xfffffffc(%ecx)
0x0804837e <main+10>: push %ebp
0x0804837f <main+11>: mov %esp,%ebp
0x08048381 <main+13>: push %ecx
0x08048382 <main+14>: sub $0x44,%esp
0x08048385 <main+17>: lea 0xffffffbc(%ebp),%eax
0x08048388 <main+20>: mov %eax,(%esp)
0x0804838b <main+23>: call 0x80482c4 <gets at plt>
0x08048390 <main+28>: mov $0x0,%eax
0x08048395 <main+33>: add $0x44,%esp
0x08048398 <main+36>: pop %ecx
0x08048399 <main+37>: pop %ebp
0x0804839a <main+38>: lea 0xfffffffc(%ecx),%esp
0x0804839d <main+41>: ret
0x08048374 <run+0>: push %ebp
0x08048375 <run+1>: mov %esp,%ebp
0x08048377 <run+3>: sub $0x48,%esp
0x0804837a <run+6>: lea 0xffffffc0(%ebp),%eax
0x0804837d <run+9>: mov %eax,(%esp)
0x08048380 <run+12>: call 0x80482c4 <gets at plt>
0x08048385 <run+17>: leave
0x08048386 <run+18>: ret
On Fri, Feb 29, 2008 at 6:30 AM, bambam <bambam.quiescence at googlemail.com> wrote:
> Maybe it's gcc adding calls to exit functions that call the callgate
> to syscall exit, so main never returns? Don't know, haven't looked at
> anything this shallow in ages.
>
> 2008/2/28 <wbyoung at u.northwestern.edu>:
> > This isn't Metasploit specific, but it seems like a good place to ask:
> >
> > If I have a program:
> >
> > #include <stdio.h>
> >
> > int main() {
> >     char buffer[64];
> >     gets(buffer);
> >     return 0;
> > }
> >
> > On Ubuntu 7.10 using gcc with --no-stack-protector and -z execstack
> > options to compile, you can overflow the buffer and change the return
> > address of main, but when main completes, it does not return to the
> > address you might want.
> >
> > In this program, you can inject a return address and it returns to the
> > address you specify:
> >
> > #include <stdio.h>
> >
> > void run() {
> >     char buffer[64];
> >     gets(buffer);
> > }
> >
> > int main() {
> >     run();
> >     return 0;
> > }
> >
> > I believe this has to do with the way libc returns from main, but if
> > someone could explain (in as much detail as possible) or point to a
> > resource that explains what is going on here, that'd be great. Thanks!
> >
> >
> > - Whitney Young
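The two disassemblies above differ in one slot: the compiler-generated main realigns the stack and saves %ecx at ebp-4, directly above the 64-byte buffer at ebp-0x44, and its epilogue (`pop %ecx; lea -4(%ecx),%esp; ret`) rebuilds %esp from that saved value before returning, whereas run() has a plain `leave; ret` frame. Either way the root defect is the same: gets() takes no length, so any line past 63 bytes writes over whatever the compiler placed above the array. The following is an added example, not code from the thread, showing the same program with the unbounded read replaced by a bounded one that reports and discards overlong lines; the function names read_line, read_line_from_string and the enum line_status are assumptions made for this example, and the test input is constructed.

```c
/* Added example, not code from the thread: the quoted program's gets() call
 * replaced by a bounded line reader. gets() has no length argument, so any
 * line longer than 63 bytes writes past buffer[64] into whatever the compiler
 * placed above it (saved %ecx, saved %ebp, return address). read_line() reads
 * at most n-1 bytes, reports when a line did not fit, and discards the rest
 * of that line so the next read starts on a fresh line. */
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF };

/* Read one line from fp into buf[n], stripping the trailing newline. */
enum line_status read_line(char *buf, size_t n, FILE *fp) {
    if (n == 0) return LINE_EOF;
    if (fgets(buf, (int)n, fp) == NULL) {      /* no data at all */
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {     /* whole line fit */
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    if (feof(fp)) return LINE_OK;              /* last line, no newline */
    /* buf is full but no newline seen: either the newline is the very next
     * byte (line fit exactly) or the line is too long. Consume to end of
     * line either way so the caller never sees the leftover bytes. */
    int c = fgetc(fp);
    if (c == '\n' || c == EOF) return LINE_OK;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;
    return LINE_TRUNCATED;
}

/* Convenience wrapper (assumed name): run read_line() over a constructed
 * in-memory input via a temporary file, so the behaviour can be checked
 * without stdin. */
enum line_status read_line_from_string(const char *input, char *buf, size_t n) {
    FILE *fp = tmpfile();
    if (fp == NULL) return LINE_EOF;
    fputs(input, fp);
    rewind(fp);
    enum line_status st = read_line(buf, n, fp);
    fclose(fp);
    return st;
}

/* Same shape as the program in the thread, but an overlong line is rejected
 * instead of being written over the frame. */
int main(void) {
    char buffer[64];
    switch (read_line(buffer, sizeof buffer, stdin)) {
    case LINE_OK:
        printf("read %zu bytes\n", strlen(buffer));
        return 0;
    case LINE_TRUNCATED:
        fprintf(stderr, "line longer than %zu bytes rejected\n", sizeof buffer - 1);
        return 1;
    case LINE_EOF:
        return 1;
    }
    return 1;
}
```

Compiled with the same gcc, this version keeps the frame layout the disassembly shows but never writes beyond buffer[63]; the LINE_TRUNCATED result is what lets a caller treat oversized input as an error rather than silently accepting a clipped line.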