2

Im trying to play with buffer overflows. I don't understand what's going on here with the value of eip.

Here is the C code :

void copy(char *arg) {
  char msg[256];
  strcpy(msg,arg);
}

The assembly for it :

0x804847d <copy+25>:    call   0x8048368 <strcpy@plt>
0x8048482 <copy+30>:    leave  
0x8048483 <copy+31>:    ret

I input as an argument a string like "_\xAA\xBB\xCC\xDD" with a size calculated so that the last 4 bytes will be 4 bytes after $ebp (in order to overwrite the real return address). And it seems to work.

in gdb:

(break before strcpy)
x/2wx $ebp
0xbffffb38: 0xbffffb58  0x080484d2
n
(just after strcpy execution)
x/2wx $ebp
0xbffffb38: 0x80cdd189  0x080484b6
...
n
...
x/2wx $ebp
0xbffffb38: 0x80cdd189  0x080484b6

So the return address was 0x080484d2 and after my overflow it is 0x080484b6, which is what I want. but the program exits : "Cannot access memory at address 0x80cdd18d".

I don't know why $eip was not set to my address, and because of the address of the code in 0x08048... I am pretty confident that $ebp+4 was the place containing the return address

I tried again with a string 4 bytes smaller and this time it overwrote $ebp and not $ebp+4 and after the return the $eip was set to the value contained in $ebp+4

Any explanations ?

Improve this question
5
  • Maybe the attempt to access 0x80cdd18d was a result of running the instruction(s) at 0x80484b6. How do you know it didn't jump there? Commented Nov 3, 2013 at 19:46
  • I kept doing "next" on gdb and it went to 0x80cdd18d without passing through 0x80484b6 Commented Nov 3, 2013 at 19:48
  • 2
    The "Cannot access memory" message doesn't mean your program's %eip went there. It doesn't even mean your program tried to access the address! It means gdb wanted to access that address in the inferior process's address space for some reason and couldn't. It's common to see that kind of warning during a gdb session of a program that is misbehaving. And yours is certainly misbehaving - it has a buffer overflow! Try using stepi instead of next to single-step instructions after the strcpy, and you might get a clearer idea what's going on. Commented Nov 3, 2013 at 19:50
  • You might find it useful to display/i $pc (and maybe some other interesting registers) and stepi through the return sequence. Commented Nov 3, 2013 at 20:12
  • Thanks to your comments, I posted an answer, the problem was that the value at $ebp was changed during the overwriting Commented Nov 3, 2013 at 20:13

2 Answers 2

Reset to default
1

Ok, so thanks @Wumpus Q. Wumbley, this helped me understand things.

Doing next jumps leave and ret altogether. ret is the instruction that changes eip, it must be equivalent of pop eip. But leave modifies the stack pointers esp and ebp before (especially because when I am overwriting ebp+4 I change the value contained at ebp)

TLDR : Not overwriting the value at ebp makes it work successfully.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

next doesn't jump the leave and ret (in the sense of not executing them). It just doesn't return to the gdb prompt after each instruction. Its purpose is to continue until the current source line is done. Sometimes that takes a few instructions, sometimes a lot. next, step, nexti, and stepi all have their uses but stepi is the most useful one in this case since it doesn't care about source lines. When you're doing buffer overflow exploits, the state of the running process diverges sharply from what is expressed in the source-level debugging information. next gets confused.
so this explains half of the problem but it doesn't say why it didn't work in the first place leave then ret makes ebp point to the old ebp and esp point to ebp (+- some bytes) and eip to the value in ebp+4. So when overwriting the value in ebp, everything will be ok except the "old ebp" that will become wrong. But esp and eip will be good, so why doesn't it work ?
The corrupted "old %ebp" will be loaded into the real %ebp register by the leave instruction. Then your ret takes you to the address you chose in your exploit. Whatever is at that address will have problems if it requires a usable %ebp
Ok, the problem is just before 'ret'. When I do step in (to execute ret) it says "cannot access memory at address ...". So it didn't have time to pop eip, it (gdb or the processor ?) just did some sort of check to see if ebp is a valid stack pointer and it is not.
gdb likes to print some information about the current stack frame every time the program stops. When you have no valid stack frame as a result of a buffer overflow, that's likely to cause some warnings. You just have to learn to ignore them and print what you need by hand.
0

If this is for x86 (as opposed to x86-64), the usual function prologue involves pushing ebp and then assigning it the value of esp, which would leave the return address on the stack at ebp+4.

Take a look at a disassembly of your function, and see if the first instructions look like this:

pushl   %ebp
movl    %esp, %ebp

If so, this is the cause of the offset.

Improve this answer

2 Comments

yes, this is x86 and the first instructions look like what you say. So now that it is confirmed that ebp+4 should contain the RA, why doesn't it work ?
It seems as if you are controlling the value of eip successfully, and something else is going wrong. Hard to say what without more info.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.