Question

I have a piece of code that just strcpy()s argv[1] into a buffer 100 bytes long. After that, for testing purposes, I am placing the exit(0) or exit(1) function. Nothing else is used. What I am getting back from gdb is the following:

    (gdb) i r eip
    eip            0x8048455   0x8048455 <main+65>
    (gdb) info frame
    Stack level 0, frame at 0xbffff260:
     eip = 0x8048455 in main (exploitable.c:9); saved eip 0x41414141
     source language c.
     Arglist at 0xbffff258, args: argc=1094795585, argv=0xbffff304
     Locals at 0xbffff258, Previous frame's sp is 0xbffff260
     Saved registers:
      ebp at 0xbffff258, eip at 0xbffff25c
    (gdb) i r eip
    eip            0x8048455    0x8048455 <main+65>
    (gdb) c
    Continuing.
    [Inferior 1 (process 2829) exited normally]

Since the saved eip is 0x41414141, why, after leaving this current stack, is the execution going to the invalid 0x41414141 address? For sure it has something to do with the exit function, but I can't understand it :/

I know that the explanation is in the following code, but I can't get it:

    => 0x08048455 <+65>: mov    DWORD PTR [esp],0x0
       0x0804845c <+72>: call   0x8048350 <exit@plt>

The last line implies that the execution goes to the exit function, and I'm not sure that the 0x08040455 line shows the 0 argument that is passed to the exit function. Doesn't the exit function have any leave / ret instructions when it is running? Because the saved EIP of the frame that is "just" outside main is overwritten!


Solution

The exit function does not return. It calls the functions defined with atexit(), does some cleanup, and terminates the process by calling Linux with function 0 (EXIT).

Use return 1 / return 0 instead of exit(1) / exit(0) if you want to check what happens with your EIP after main() is finished.
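To see concretely what the answer describes, here is an added C example (not part of the original question or answer): it calls exit() in a forked child, with an atexit() handler registered and a write placed after the exit() call, and reports back through a pipe which of the two actually executed. The pipe, the function names and the exit code 7 are constructed for this demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Write end of the pipe the child reports through (constructed for this demo). */
static int report_fd = -1;

static void on_exit_handler(void) {
    /* Runs inside exit(), before the process is terminated. */
    (void)write(report_fd, "handler;", 8);
}

static void leave_via_exit(int code) {
    exit(code);                           /* never returns to this frame */
    (void)write(report_fd, "after;", 6);  /* unreachable: no leave/ret happens */
}

/* Runs leave_via_exit(code) in a forked child. Returns the child's exit
 * status and copies everything the child wrote to the pipe into buf. */
int observe_exit(int code, char *buf, size_t buflen) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child */
        close(fds[0]);
        report_fd = fds[1];
        atexit(on_exit_handler);
        leave_via_exit(code);
        _exit(99);                        /* never reached either */
    }
    close(fds[1]);                        /* parent: read until child closes pipe */
    size_t used = 0; ssize_t n;
    while (used < buflen - 1 && (n = read(fds[0], buf + used, buflen - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char buf[64];
    int st = observe_exit(7, buf, sizeof buf);
    printf("child wrote \"%s\", exit status %d\n", buf, st);
    return 0;
}
```

The child reports only "handler;" with status 7: the atexit() handler runs, the process is terminated, and the instruction after the exit() call is never executed, which is why the overwritten saved EIP in the question is never loaded.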

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow