Buffer Overflow Help

From: Leonard Leblanc (lleblanc@emergeknowledge.com)
Date: Tue Jul 30 2002 - 11:48:49 EDT


Hello All,

I am trying to experience buffer overflows first hand. I have glanced at a
number of articles and have decided to focus on "Smashing the Stack for Fun
and Profit" from Phrack Issue 49. I am trying out the examples from the text
and when I get to example 3 (which is the first real overflow example) it
doesn't quite work and I'm having a little trouble figuring it out.

The following example should bypass the "x=1" statement and print the
original value of "x" which is 0 (zero). Here's the code.

-=-=-=-=-=-=-=-=-=-=-=-=-=
void function(int a, int b, int c) {
  char buffer1[5];
  char buffer2[10];
  int *ret;

  ret = buffer1 + 12;
  (*ret) += 8;
}

void main() {
  int x;

  x=0;
  function(1,2,3);
  x=1;
  printf("%d\n",x);
}
-=-=-=-=-=-=-=-=-=-=-=-=

When I compile and execute this code it displays one and exits. I have tryed
this on RedHat 7.3 and Debian 2.2r6, both giving me the same result. Does
anyone have any insight into why this wouldn't work? After looking into the
assembly behind it, I think it has something to do with the "word size", but
can't seem to find any information as to what the "word size" is in Debian
or RedHat.

Any and All comments/suggestions are more than welcome. Also if anyone knows
of some other good text files/documents that talk about buffer overflows I
would be happy to receive links.

Leonard Leblanc

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:24 EDT