StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
6220369
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
8
CommunityOwnedDate
CreationDate
2011-06-02T21:03:16.010
FavoriteCount
0
LastActivityDate
2011-06-02T21:53:43.493
LastEditDate
2011-06-02T21:53:43.493
LastEditorUserId
479989
OwnerUserId
479989
ParentId
6220212
PostTypeId
2
Score
11
ViewCount
0
LastEditorDisplayName
text
Body
This 32-bit example illustrates how you can figure it out, see below for 64-bit: <pre><code>#include <stdio.h> void function() { char buffer[64]; char *p; asm("lea 4(%%ebp),%0" : "=r" (p)); // loads address of return address printf("%d\n", p - buffer); // computes offset buffer[p - buffer] += 9; // 9 from disassembling main } int main() { volatile int x = 7; function(); x++; printf("x = %d\n", x); // prints 7, not 8 } </code></pre> On my system the offset is 76. That's the 64 bytes of the buffer (remember, the stack grows down, so the start of the buffer is far from the return address) plus whatever other detritus is in between. Obviously if you are attacking an existing program you can't expect it to compute the answer for you, but I think this illustrates the principle. (Also, we are lucky that <code>+9</code> does not carry out into another byte. Otherwise the single byte increment would not set the return address how we expected. This example may break if you get unlucky with the return address within <code>main</code>) I overlooked the 64-bitness of the original question somehow. The equivalent for x86-64 is <code>8(%rbp)</code> because pointers are 8 bytes long. In that case my test build happens to produce an offset of 104. In the code above substitute <code>8(%%rbp)</code> using the double <code>%%</code> to get a single <code>%</code> in the output assembly. This is described in <a href="http://www.x86-64.org/documentation/abi.pdf" rel="noreferrer">this ABI document</a>. Search for <code>8(%rbp)</code>. There is a complaint in the comments that <code>4(%ebp)</code> is just as magic as <code>76</code> or any other arbitrary number. In fact the meaning of the register <code>%ebp</code> (also called the "frame pointer") and its relationship to the location of the return address on the stack is standardized. One illustration I quickly Googled is <a href="http://www.unixwiz.net/techtips/win32-callconv-asm.html" rel="noreferrer">here</a>. That article uses the terminology "base pointer". If you wanted to exploit buffer overflows on other architectures it would require similarly detailed knowledge of the calling conventions of that CPU.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POBuffer overflow in C
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USBen Jackson
UserOwnerUserId
1. USBen Jackson
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POBuffer overflow in C
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.