From: Guillaume Morin (guillaume@morinfr.org)
Date: Tue Apr 09 2002 - 05:37:34 CDT


    In a message of 08 Apr at 23:21, darko wrote:
    > I've started to study buffer overflows. I wrote the following code:
    >
    > #include <stdio.h>
    >
    > void f() {
    >     char a[4];
    >     int *b;
    >     b = (int *)(a + 0x8);   /* assumes the saved return address is 8 bytes above a */
    >     (*b) += 0x8;            /* bump it past the "x = 1" store in main() */
    > }
    >
    > int main() {
    >     int x;
    >     x = 0;
    >     f();
    >     x = 1;
    >     printf("%d\n", x);
    >     return 0;
    > }
    >
    > I want the program to jump to printf() after the call to f(), so the
    > value of x should remain 0, not 1. I always get segmentation faults,
    > bus errors, etc. and never that fuc*ing "x = 0"!! Tested on a
    > Celeron 433, Red Hat 7.2, gcc 2.96.

    It depends on your compiler.

    If I compile this program on an x86 box with gcc 2.95.2, I get
    (using objdump -d on the binary)

     80483fa: c7 45 fc 00 00 00 00 movl $0x0,0xfffffffc(%ebp)
     8048401: e8 ce ff ff ff call 80483d4 <f>
     8048406: c7 45 fc 01 00 00 00 movl $0x1,0xfffffffc(%ebp)
     804840d: 83 c4 f8 add $0xfffffff8,%esp

    you want to skip 8048406, so you have to add 7 to the return value.

    If I modify (*b) += 0x8; to (*b) += 7;, I get:

    guillaume@cedar ~$ ./foo
    0
    guillaume@cedar ~$

    HTH.

    -- 
    Guillaume Morin <guillaume@morinfr.org>
    

    Justice is lost, Justice is raped, Justice is done. (Metallica)
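The reply's point is that both numbers in darko's snippet are compiler-dependent: the distance from `a` to the saved return address (`a + 0x8`) and the length of the instruction to skip (`+= 7` for this gcc 2.95.2 build). The following is an added example, not code from either poster, that removes both hard-coded guesses. It assumes gcc or clang on x86-64 Linux and two GNU extensions: `__builtin_frame_address()` to locate the return slot at run time (verified against `__builtin_return_address(0)` before anything is written), and labels-as-values (`&&label`) so the slot is overwritten with the absolute address of a label placed after the `x = 1` store, rather than with the original address plus an instruction length. All function and variable names (`f`, `run_demo`, `after_store`, `distance_out`) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not from the mailing-list post).  Requires gcc or clang on
 * x86-64 Linux; uses the GNU extensions __builtin_frame_address() and
 * labels-as-values (&&label).  All names are hypothetical.
 *
 * Differences from darko's snippet:
 *  1. The saved return address is located through the frame pointer (one
 *     word above it on x86-64) and checked against __builtin_return_address(0)
 *     instead of being assumed to sit at a + 0x8.
 *  2. The slot receives the absolute address of a label that follows the
 *     store to be skipped, instead of "old address + instruction length"
 *     (the "+7" in the reply), so nothing depends on the encoding the
 *     compiler chose for "x = 1".
 */

/* Overwrite f's own saved return address with `target`.
 * Writes the byte distance from the local buffer to the slot into
 * *distance_out (negative is possible on ABIs that keep locals above the
 * saved frame record).  Returns 1 if the slot was found and patched, 0 if
 * the frame layout did not match, in which case nothing is modified and f
 * returns normally. */
__attribute__((noinline))
static int f(void *target, long *distance_out)
{
    char a[4] = "abc";                            /* stand-in for darko's char a[4] */
    __asm__ volatile("" : : "r"(a) : "memory");   /* force `a` to exist on the stack */

    uintptr_t *slot = (uintptr_t *)__builtin_frame_address(0) + 1;
    __asm__ volatile("" : "+r"(slot));            /* hide the pointer's origin from the optimizer */
    if (*slot != (uintptr_t)__builtin_return_address(0))
        return 0;                                 /* not where we expected: leave the stack alone */

    *distance_out = (long)((uintptr_t)slot - (uintptr_t)a);
    *slot = (uintptr_t)target;                    /* the whole "overflow": one word, the return slot only */
    return 1;                                     /* this `ret` now lands on `target` */
}

/* The caller from the post.  Returns 0 if the hijack skipped the store,
 * 1 if f returned normally and the store ran, -1 if f could not locate
 * its return slot. */
__attribute__((noinline))
int run_demo(long *distance_out)
{
    volatile int x = 0;                           /* volatile: keep x in memory, as in the -O0 build */
    if (!f(&&after_store, distance_out))
        return -1;
    x = 1;                                        /* the store we want to skip */
after_store:
    return x;
}

int main(void)
{
    long distance = 0;
    int r = run_demo(&distance);
    printf("x = %d (buffer-to-return-slot distance: %ld bytes)\n", r, distance);
    return r == 0 ? 0 : 1;
}
```

Two practical caveats. Because only the return slot is written, a stack canary between `a` and the saved frame pointer is untouched, so `-fstack-protector` builds still print `x = 0`; a real overflow that has to write through the canary would abort instead. On machines where a hardware shadow stack is active (Intel CET/SHSTK), the mismatched `ret` raises a control-protection fault, which is exactly the mitigation this technique is meant to illustrate. Compare the printed distance with `objdump -d` output, as the reply does, rather than assuming it.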