Question

I'm trying to play with buffer overflows. I don't understand what's going on here with the value of eip.

Here is the C code:

#include <string.h>

/* Deliberately vulnerable: no bounds check, so an arg longer than 255 bytes overflows msg */
void copy(char *arg) {
  char msg[256];
  strcpy(msg,arg);
}

The assembly for it:

0x804847d <copy+25>:    call   0x8048368 <strcpy@plt>
0x8048482 <copy+30>:    leave  
0x8048483 <copy+31>:    ret    

I pass as an argument a string like "_\xAA\xBB\xCC\xDD", with a size calculated so that the last 4 bytes land 4 bytes after $ebp (in order to overwrite the real return address), and it seems to work.

In gdb:

(break before strcpy)
x/2wx $ebp
0xbffffb38: 0xbffffb58  0x080484d2
n
(just after strcpy execution)
x/2wx $ebp
0xbffffb38: 0x80cdd189  0x080484b6
...
n
...
x/2wx $ebp
0xbffffb38: 0x80cdd189  0x080484b6

So the return address was 0x080484d2 and after my overflow it is 0x080484b6, which is what I want, but the program exits with: "Cannot access memory at address 0x80cdd18d".

I don't know why $eip was not set to my address, and because the code's addresses are in 0x08048..., I am pretty confident that $ebp+4 was the place containing the return address.

I tried again with a string 4 bytes smaller, and this time it overwrote $ebp and not $ebp+4, and after the return $eip was set to the value contained in $ebp+4.

Any explanations?


Solution

OK, so thanks @Wumpus Q. Wumbley, this helped me understand things.

Doing next steps over leave and ret together. ret is the instruction that changes eip; it must be equivalent to pop eip. But leave modifies the stack pointers esp and ebp before that (especially because when I am overwriting ebp+4 I also change the value contained at ebp).

TL;DR: Not overwriting the value at ebp makes it work successfully.

Other tips

If this is for x86 (as opposed to x86-64), the usual function prologue involves pushing ebp and then assigning it the value of esp, which would leave the return address on the stack at ebp+4.

Take a look at a disassembly of your function, and see if the first instructions look like this:

pushl   %ebp
movl    %esp, %ebp

If so, this is the cause of the offset.
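
The leave/ret mechanics from the accepted solution, and the push ebp / mov ebp, esp frame layout the second answer points at, as an added example that is not part of the original posts: a small C model of copy()'s frame built from the addresses gdb printed in the question (ebp = 0xbffffb38, saved ebp 0xbffffb58, return address 0x080484d2, and the post-overflow words 0x80cdd189 and 0x080484b6). Everything else is an assumption made for the model: that msg[256] ends exactly at the saved ebp, the caller's own saved ebp (0xbffffb98) and return address (0x08048300), and the 'A' filler. Running the question's payload shows leave loading ebp with 0x80cdd189 before ret jumps to 0x080484b6, so the next frame's return address would have to be read from 0x80cdd189 + 4 = 0x80cdd18d, the address in the error message; the same payload with the original saved ebp left at [ebp] keeps the frame chain intact. The model also copies strcpy's terminating NUL, so the 4-byte-shorter string lands its NUL on the low byte of the real return address.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte-level model of the i386 stack around copy()'s frame.  Frame
   addresses and the two overwritten words are the ones gdb printed in
   the question; the caller's own saved ebp and return address, and msg[]
   ending exactly at the saved ebp, are assumptions made for the model. */
#define STACK_BASE  0xbffffa00u
#define STACK_SIZE  512u
#define COPY_EBP    0xbffffb38u            /* copy()'s ebp, from gdb */
#define MSG_ADDR    (COPY_EBP - 256u)      /* assumed: msg[256] sits right below [ebp] */
#define CALLER_EBP  0xbffffb58u            /* saved ebp gdb showed at [ebp] */
#define REAL_RET    0x080484d2u            /* return address gdb showed at [ebp+4] */
#define TARGET      0x080484b6u            /* address the overflow puts at [ebp+4] */
#define CALLER_SAVED_EBP 0xbffffb98u       /* assumed */
#define CALLER_RET  0x08048300u            /* assumed: the caller's own return address */

struct cpu {
    uint32_t esp, ebp, eip;
    uint32_t fault;                        /* first address touched outside the model, 0 if none */
    uint8_t  mem[STACK_SIZE];
};

static int mapped(uint32_t a) { return a >= STACK_BASE && a + 4 <= STACK_BASE + STACK_SIZE; }

static uint32_t rd32(struct cpu *c, uint32_t a) {          /* little-endian load */
    if (!mapped(a)) { if (!c->fault) c->fault = a; return 0; }
    const uint8_t *p = c->mem + (a - STACK_BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(struct cpu *c, uint32_t a, uint32_t v) {  /* little-endian store */
    if (!mapped(a)) { if (!c->fault) c->fault = a; return; }
    uint8_t *p = c->mem + (a - STACK_BASE);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void leave(struct cpu *c) {   /* mov esp, ebp ; pop ebp */
    c->esp = c->ebp;
    c->ebp = rd32(c, c->esp);
    c->esp += 4;
}
static void ret(struct cpu *c) {     /* pop eip */
    c->eip = rd32(c, c->esp);
    c->esp += 4;
}

/* Overflow string: 256 filler bytes, then saved_ebp (lands on [ebp]) and,
   if with_ret, TARGET (lands on [ebp+4]).  Returns strlen(); the caller
   copies the terminating NUL as strcpy would. */
static size_t build_payload(uint8_t *out, uint32_t saved_ebp, int with_ret) {
    size_t n = 256;
    memset(out, 'A', n);
    uint32_t words[2] = { saved_ebp, TARGET };
    for (int i = 0; i < 1 + with_ret; i++, n += 4) {
        out[n] = (uint8_t)words[i];             out[n + 1] = (uint8_t)(words[i] >> 8);
        out[n + 2] = (uint8_t)(words[i] >> 16); out[n + 3] = (uint8_t)(words[i] >> 24);
    }
    out[n] = 0;
    return n;
}

struct result {
    uint32_t ret_slot_after_strcpy;   /* [ebp+4] when copy() reaches leave */
    uint32_t eip_after_copy, ebp_after_copy;
    uint32_t next_ret_slot;           /* ebp+4 of the frame the caller's epilogue now sees */
    uint32_t fault;                   /* 0 if the caller's leave;ret stayed inside the stack */
    uint32_t eip_after_caller;
};

/* Lay out copy()'s frame and its caller's, strcpy the payload into msg,
   then run copy()'s leave;ret followed by the caller's leave;ret. */
static struct result run(uint32_t saved_ebp, int with_ret) {
    struct cpu c; struct result r; uint8_t payload[272];
    memset(&c, 0, sizeof c);
    c.ebp = COPY_EBP; c.esp = MSG_ADDR;
    wr32(&c, COPY_EBP, CALLER_EBP);
    wr32(&c, COPY_EBP + 4, REAL_RET);
    wr32(&c, CALLER_EBP, CALLER_SAVED_EBP);
    wr32(&c, CALLER_EBP + 4, CALLER_RET);
    size_t n = build_payload(payload, saved_ebp, with_ret);
    memcpy(c.mem + (MSG_ADDR - STACK_BASE), payload, n + 1); /* +1: strcpy writes the NUL too */
    r.ret_slot_after_strcpy = rd32(&c, COPY_EBP + 4);
    leave(&c); ret(&c);                                     /* copy()'s epilogue */
    r.eip_after_copy = c.eip; r.ebp_after_copy = c.ebp; r.next_ret_slot = c.ebp + 4;
    leave(&c); ret(&c);                                     /* caller's epilogue */
    r.fault = c.fault; r.eip_after_caller = c.eip;
    return r;
}

int main(void) {
    struct result r = run(0x80cdd189u, 1);  /* the question's payload */
    printf("clobbered [ebp]: eip=%#" PRIx32 " ebp=%#" PRIx32 " next ret slot=%#" PRIx32 " fault=%#" PRIx32 "\n",
           r.eip_after_copy, r.ebp_after_copy, r.next_ret_slot, r.fault);
    r = run(CALLER_EBP, 1);                 /* same payload, [ebp] kept intact */
    printf("intact [ebp]:    eip=%#" PRIx32 " ebp=%#" PRIx32 " fault=%#" PRIx32 " caller returns to %#" PRIx32 "\n",
           r.eip_after_copy, r.ebp_after_copy, r.fault, r.eip_after_caller);
    return 0;
}
```

Any C99 compiler builds it on any host, since nothing is executed natively; for the same reason the model says nothing about what actually runs at 0x080484b6, only about whether the frame that code inherits is still walkable.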

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow