a newbie wonders...

I'm reading Aleph1's seminal article on buffer overflow vulnerabilities from Phrack 
49, and working through the following example code:

#include <stdio.h>

void function(int a, int b, int c) {
   char buffer1[5];
   char buffer2[10];
   int *ret;

   /* Deliberate: point 12 bytes past buffer1, where the article expects
      the saved return address to sit, and bump it past the "x = 1;" store. */
   ret = (int *)(buffer1 + 12);
   (*ret) += 8;
}

int main(void) {
  int x;

  x = 0;
  function(1,2,3);
  x = 1;             /* the statement the overwrite is meant to skip */
  printf("%d\n",x);
  return 0;
}

The code's supposed to overwrite the return address of function() so that the x=1; 
instruction gets skipped.

The assumption is that the return address is 12 bytes away from the beginning of 
buffer1[] (8 bytes of buffer, then the stack frame pointer, then the return address), 
and we want to add an offset to the return address so it equals the printf() call, 
skipping the x=1; assignment.

When I run this code, which is ripped straight from the article, the x=1; instruction 
doesn't get skipped.  I've run it through gdb, checked my math, and everything seems 
okay.  When I have the program print the return address values, I get weird things - 
the return address should be something like 0x804849B, but prints out as OxE12E4001D.

I'm doing all this on a Linux system, which is the target system in Aleph1's article.

My question is this - has anything changed in Linux or the i386 architecture during 
the last 5 years (since the article was written) that would invalidate this code?

Also, are there any details I'm missing, or that were missing from the article 
originally?

Many apologies if this isn't appropriate traffic for the list.

Thanks a lot...

-eric
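An added example (not Aleph1's code and not from the message above) that measures, rather than assumes, where the saved frame pointer and return address sit relative to buffer1 on the compiler actually in use; the struct and function names are mine, and it assumes a GCC/clang target whose frame pointer points at the saved caller frame pointer with the return address one pointer above it (x86, x86-64, AArch64). It modifies nothing, it only reports why a hard-coded "buffer1 + 12" is a property of one build, not of the architecture.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical helper type for this example: one call frame's layout. */
struct frame_report {
    ptrdiff_t fp_offset;   /* bytes from buffer1[0] to the saved frame pointer slot */
    ptrdiff_t ret_offset;  /* bytes from buffer1[0] to the saved return address slot */
    int slot_matches;      /* 1 if the slot at ret_offset really holds the return address */
};

/* Same locals as the article's function(), but it measures instead of writing. */
__attribute__((noinline))
struct frame_report probe_frame(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    struct frame_report r;

    /* Touch both buffers so the compiler keeps them in the frame. */
    buffer1[0] = (char)a; buffer2[0] = (char)b; buffer2[9] = (char)c;

    char *fp = (char *)__builtin_frame_address(0);   /* saved caller FP lives here */
    char *ret_slot = fp + sizeof(void *);            /* return address one pointer above */
    void *ret_here = __builtin_return_address(0);    /* where the CPU will really return */

    r.fp_offset = (ptrdiff_t)((uintptr_t)fp - (uintptr_t)buffer1);
    r.ret_offset = (ptrdiff_t)((uintptr_t)ret_slot - (uintptr_t)buffer1);
    r.slot_matches = (*(void **)ret_slot == ret_here);
    return r;
}

/* Small accessors so the layout can be checked from other code. */
int ret_slot_verified(void) { return probe_frame(1, 2, 3).slot_matches; }
ptrdiff_t ret_offset_from_buffer1(void) { return probe_frame(1, 2, 3).ret_offset; }

int main(void) {
    struct frame_report r = probe_frame(1, 2, 3);
    printf("saved FP at buffer1 + %td, return address at buffer1 + %td (%s)\n",
           r.fp_offset, r.ret_offset, r.slot_matches ? "verified" : "layout differs");
    printf("Aleph1's example assumes buffer1 + 12; compare with the measured value.\n");
    return 0;
}
```

Padding between locals, the stack protector's canary and 16-byte frame alignment all move these numbers, so two builds of the same source routinely disagree with the article's fixed offset.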
