Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>A buffer overflow attack is a lot more complex than this. First of all you need to understand assembler in order to perform this. After you disassemble the program and function you want to target you need to determine the stack layout when it's executing that function. Here's a sample of a buffer overflow it's using visual studio but principle is the same.</p> <pre><code>#include "stdafx.h" #include &lt;math.h&gt; volatile double test; double function3() { test++; return exp(test); } double function2() { return log(test); } double function1() { int a[5] = {0}; a[7] = (int)&amp;function3; return exp(function2()); } int _tmain(int argc, _TCHAR* argv[]) { double a = function1(); test = a; return a; } </code></pre> <p>Thanks to disassembly we know that a in function1 is allocated before where the function saved the stack frame pointer. The value after that one is the return address where function1 should go to if it is finished.</p> <pre><code>00401090 55 push ebp &lt;- we save the stack pointer 00401091 8B EC mov ebp,esp 00401093 83 EC 1C sub esp,1Ch &lt;- save space to allocate a[5] 00401096 B8 CC CC CC CC mov eax,0CCCCCCCCh 0040109B 89 45 E4 mov dword ptr [ebp-1Ch],eax &lt;- crt debug init a[5] 0040109E 89 45 E8 mov dword ptr [ebp-18h],eax 004010A1 89 45 EC mov dword ptr [ebp-14h],eax 004010A4 89 45 F0 mov dword ptr [ebp-10h],eax 004010A7 89 45 F4 mov dword ptr [ebp-0Ch],eax 004010AA 89 45 F8 mov dword ptr [ebp-8],eax 004010AD 89 45 FC mov dword ptr [ebp-4],eax </code></pre> <p>From this we can conclude if we overwrite a[7] with a different address, the function will return not to main but with whatever address we wrote in a[7].</p> <p>Hope this helps.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload