* Stacklayout GCC 4.1.2. - EBP differs?
@ 2007-11-23 16:04 copyandpaste
From: copyandpaste @ 2007-11-23 16:04 UTC (permalink / raw)
To: linux-assembly@vger.kernel.org
Hello,
I am currently reading a book about buffer overflows and format string vulns.
During my reading of the book I found something that I don't understand.
I have the following code:
* Stacklayout GCC 4.1.2. - EBP differs?
@ 2007-11-23 16:19 copyandpaste
From: copyandpaste @ 2007-11-23 16:19 UTC (permalink / raw)
To: linux-assembly@vger.kernel.org
Hello,
sorry for the spam.
Again... I read a book about buffer overflows and format string vulns.
In my attachment is the vulnerable code.
I compiled it with gcc -g -o stack_bof stack_bof.c and ran it with gdb 6.7.1.
In gdb I made a breakpoint at the end of the function 'funktion' (line 11) and ran it with the input of 11 times 'A'.
When the program interrupts at the breakpoint, I examined the stack frame of the function by doing
(gdb) x/6x buff2
which gave the following result:
0xbfa39a08: 0x00434241 0x41414141 0x41414141 0x00414141
0xbfa39a18: 0xbfa39a38 0x0804843d
So the stack contains the "ABC" from buff2 and all the 11 "A"s from buff1.
After that comes the saved frame pointer from main() and the RIP from main().
So here the register EBP was 0xbfa39a38.
_But_ if I let gdb show me the frames by typing
(gdb) bt
#0 funktion (args=0xbfa3b247 'A' <repeats 11 times>) at stack_bof.c:11
#1 0x0804843d in main (argc=2, argv=0xbfa39ad4) at stack_bof.c:19
and
(gdb) info frame 0
Stack frame at 0xbfa39a20:
eip = 0x8048400 in funktion (stack_bof.c:11); saved eip 0x804843d
called by frame at 0xbfa39a40
source language c.
Arglist at 0xbfa39a18, args: args=0xbfa3b247 'A' <repeats 11 times>
Locals at 0xbfa39a18, Previous frame's sp is 0xbfa39a20
Saved registers:
ebp at 0xbfa39a18, eip at 0xbfa39a1c
I don't understand the output anymore. Because it says the saved EBP is at address 0xbfa39a18 (like some lines ago), _but_ it has a different value: 0xbfa39a40.
Why? Why is it one time 0xbfa39a40 and one time 0xbfa39a38?
Thanks for your help!
[-- Attachment #2: stack_bof.c --]
[-- Type: text/x-csrc, Size: 318 bytes --]
#include <stdio.h>
#include <string.h>

/* Copies the command-line argument into a 12-byte stack buffer without any
   length check: this is the overflow the post is studying, left as posted. */
void
funktion (char *args)
{
  char buff1[12];
  char buff2[4] = "ABC";
  strcpy (buff1, args);
}

int
main (int argc, char *argv[])
{
  printf ("Eingabe: ");
  if (argc > 1) {
    funktion (argv[1]);
    printf ("%s\n", argv[1]);
  }
  else
    printf ("Kein Argument!\n");
  return 0;
}
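To check the numbers in the post against gdb's frame terminology, here is an added Python script (not part of the thread) that parses the `x/6x` dump quoted above and labels each word of funktion()'s frame; it assumes 32-bit x86 code compiled with a frame pointer, where gdb's "Stack frame at" / "called by frame at" is the canonical frame address EBP + 8, so the two addresses in question (0xbfa39a38 and 0xbfa39a40) are the saved EBP value and the caller's CFA respectively.

```python
import re
import struct

# The `x/6x buff2` output as posted (the values are the poster's, not invented).
X6X_OUTPUT = """\
0xbfa39a08: 0x00434241 0x41414141 0x41414141 0x00414141
0xbfa39a18: 0xbfa39a38 0x0804843d
"""

WORD = 4  # 32-bit x86: EBP, the saved EBP and the return address are 4 bytes each


def parse_x_dump(text):
    """Turn `x/Nx` output into a {address: word} map, one entry per 4-byte word."""
    words = {}
    for line in text.splitlines():
        m = re.match(r"\s*(0x[0-9a-fA-F]+):\s*(.*)", line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words[base + i * WORD] = int(tok, 16)
    return words


def frame_cfa(ebp_value):
    """gdb's 'frame at' address is the canonical frame address: the value ESP had
    just before the `call`.  After `push ebp; mov ebp, esp` that is EBP + 8."""
    return ebp_value + 2 * WORD


def describe_frame(words, ebp):
    """Label funktion()'s frame given the EBP value gdb reported for it."""
    saved_ebp = words[ebp]              # caller's EBP, sits at [ebp]
    ret_addr = words[ebp + WORD]        # return address, sits at [ebp+4]
    # gdb prints little-endian words, so repack to recover the byte order.
    buff1 = b"".join(struct.pack("<I", words[ebp - 12 + i * WORD]) for i in range(3))
    buff2 = struct.pack("<I", words[ebp - 16])
    return {
        "buff2": buff2.rstrip(b"\0").decode(),
        "buff1": buff1.rstrip(b"\0").decode(),
        "saved_ebp": saved_ebp,
        "return_address": ret_addr,
        "this_frame_cfa": frame_cfa(ebp),          # "Stack frame at"
        "caller_frame_cfa": frame_cfa(saved_ebp),  # "called by frame at"
        "bytes_before_saved_ebp": 12,              # buff1 is 12 bytes below [ebp]
    }
```

Run against the dump, `this_frame_cfa` comes out as 0xbfa39a20 and `caller_frame_cfa` as 0xbfa39a40, matching `info frame 0`, while `saved_ebp` stays 0xbfa39a38.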