From: Rafal Rajs (rafalsafenet.pl)
Date: Tue Apr 09 2002 - 04:19:18 CDT


    > I've started to study buffer overflows. I wrote the following code:
    >
    > #include <stdio.h>
    >
    > void f() {
    > char a[4];
    > int *b;
    > b = (int *)(a + 0x8);  /* points at the saved return address of f() */
    > (*b) += 0x8;           /* try to skip the "x = 1" store in main() */
    > }
    >
    > int main() {
    > int x;
    > x = 0;
    > f();
    > x = 1;
    > printf("%d\n", x);
    > return 0;
    > }

    Hello.

    I tested it on my FreeBSD 4.5 (gcc version 2.95.3 20010315 (release)
    [FreeBSD]).
    Let's start gdb:

    disassem main:
    0x80484c4 <main>: push %ebp
    0x80484c5 <main+1>: mov %esp,%ebp
    0x80484c7 <main+3>: sub $0x18,%esp
    0x80484ca <main+6>: movl $0x0,0xfffffffc(%ebp)
    0x80484d1 <main+13>: call 0x80484a4 <f>

    0x80484d6 <main+18>: movl $0x1,0xfffffffc(%ebp)
    0x80484dd <main+25>: add $0xfffffff8,%esp
    !!!! it's a 7-byte difference, not 8

    0x80484e0 <main+28>: mov 0xfffffffc(%ebp),%eax
    0x80484e3 <main+31>: push %eax
    0x80484e4 <main+32>: push $0x8048533
    0x80484e9 <main+37>: call 0x8048358 <printf>
    0x80484ee <main+42>: add $0x10,%esp

    So try only change in function f():
      (*b) += 0x8;
    to
     (*b) += 0x7;

    For me it works perfectly.

    cheers
    Rafal
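
The two numbers the thread turns on are the distance from the local buffer to the saved return address (the hand-guessed `a + 0x8`) and the length of the instruction to be skipped (7, not 8). The following is an added example, not code from the original post or from either poster; it uses the GCC/Clang builtins `__builtin_frame_address` and `__builtin_return_address` and assumes the frame-record layout of x86, x86-64 and AArch64, where the return address sits one pointer above the saved frame pointer. It measures the first number at run time instead of guessing it, refuses to report an offset it cannot confirm, and dumps the bytes at the return site so they can be compared with gdb's disassembly before deciding how much to add. The hijack itself (the `+= 0x7`) is deliberately not performed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/*
 * Locate the saved-return-address slot of the current frame the way a
 * debugger would, rather than guessing "a + 0x8" by hand.
 *
 * Assumption (x86, x86-64, AArch64): the frame record is
 * {saved frame pointer, return address}, so the slot is one pointer
 * above __builtin_frame_address(0).
 *
 * Returns the distance in bytes from the first byte of the local buffer
 * a[] to that slot, or -1 when the value found there is not this
 * function's own return address (unexpected frame layout), so a caller
 * never trusts a bogus offset.
 */
__attribute__((noinline))
long ret_slot_offset(void)
{
    volatile char a[4] = {0};                 /* the "overflowable" local */
    void **slot = (void **)__builtin_frame_address(0) + 1;

    if (*slot != __builtin_return_address(0))
        return -1;

    /* With -fstack-protector a canary sits between a[] and the frame
       record, which is why this distance is measured, not assumed. */
    return (long)((uintptr_t)slot - (uintptr_t)a);
}

/*
 * Copy the first n bytes of the instruction stream at the return site
 * (the instruction after the "call" in the caller) into out, so they
 * can be checked against the disassembly before choosing how many bytes
 * to add to the saved return address.  Returns the number of bytes copied.
 */
__attribute__((noinline))
size_t return_site_bytes(unsigned char *out, size_t n)
{
    memcpy(out, __builtin_return_address(0), n);
    return n;
}

int main(void)
{
    unsigned char code[8];
    long off = ret_slot_offset();

    if (off < 0) {
        puts("could not confirm the return-address slot via the frame pointer");
        return 1;
    }
    printf("a[] -> saved return address: %ld bytes (%#lx)\n", off, off);

    /* Compare these with "disassemble main" in gdb: on x86 the first
       instruction after the call is what the post measured as 7 bytes. */
    return_site_bytes(code, sizeof code);
    printf("bytes at the return site in main():");
    for (size_t i = 0; i < sizeof code; i++)
        printf(" %02x", code[i]);
    putchar('\n');
    return 0;
}
```

Build with `cc -O0 -fno-stack-protector` to get a layout close to the one in the post; with the stack protector enabled the reported distance grows by the canary, and with a different compiler or optimisation level it will differ from `0x8` anyway, which is exactly why the offset should be read from the live frame or from gdb rather than hard-coded.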