
I am practicing buffer overflows (on x86) and am stuck on address presentation in gdb. In the C source code I have the following code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}

Taken from here

The assembly code (partial):

push ebp
mov ebp, esp
and esp, 0xfffffff0  # -> after the execution esp is 0xbffffd20
sub esp, 0x60        # -> after the execution the value is 0xbffffcc0
mov DWORD PTR [esp+0x5c], 0x0

I assume, based on the last instruction, that the modified variable will be located first on the stack, meaning it will be at address 0xbffffcc0 + 0x5c = 0xBFFFFD1C.

But in gdb, when I print the variable using 'p &modified', I get a totally different address, which is 0xbffffd84.

What is the expected offset of the modified variable? If it is at offset 0xBFFFFD1C, then why does 'p &modified' give me a different offset?

Update: I had issues with copy/paste from the VM; now I am connected via PuTTY, therefore I can copy it, but the addresses changed a bit due to the SSH thread - please note that I do check the address value after its instantiation. On top of that I also "hacked" this code and overrode the modified value - as you can see, my calculation / assumption looks correct (esp + 0x5c), and I do override the modified variable, and as you can see the address that p &modified presents is not even touched.

Breakpoint 1, main (argc=1, argv=0xbffffd74) at stack0/stack0.c:6
6       in stack0/stack0.c
(gdb) disass main
Dump of assembler code for function main:
0x080483f4 <main+0>:    push   ebp
0x080483f5 <main+1>:    mov    ebp,esp
0x080483f7 <main+3>:    and    esp,0xfffffff0
0x080483fa <main+6>:    sub    esp,0x60
0x080483fd <main+9>:    mov    DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>:   lea    eax,[esp+0x1c]
0x08048409 <main+21>:   mov    DWORD PTR [esp],eax
0x0804840c <main+24>:   call   0x804830c <gets@plt>
0x08048411 <main+29>:   mov    eax,DWORD PTR [esp+0x5c]
0x08048415 <main+33>:   test   eax,eax
0x08048417 <main+35>:   je     0x8048427 <main+51>
0x08048419 <main+37>:   mov    DWORD PTR [esp],0x8048500
0x08048420 <main+44>:   call   0x804832c <puts@plt>
0x08048425 <main+49>:   jmp    0x8048433 <main+63>
0x08048427 <main+51>:   mov    DWORD PTR [esp],0x8048529
0x0804842e <main+58>:   call   0x804832c <puts@plt>
0x08048433 <main+63>:   leave
0x08048434 <main+64>:   ret
End of assembler dump.
(gdb) break *(main+33)
Breakpoint 3 at 0x8048415: file stack0/stack0.c, line 13.
(gdb) c
Continuing.

Breakpoint 2, 0x0804840c in main (argc=1, argv=0xbffffd74)
    at stack0/stack0.c:11
11      in stack0/stack0.c
(gdb) x/wx $eip
0x804840c <main+24>:    0xfffefbe8
(gdb) p &modified
$6 = (volatile int *) 0xbffffd24
(gdb) p &buffer[0]
$7 = 0xbffffce4 "\377\377\377\377\364\357\377\267K\202\004\b\001"
(gdb) c
Continuing.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Breakpoint 3, 0x08048415 in main (argc=1, argv=0xbffffd74)
    at stack0/stack0.c:13
13      in stack0/stack0.c
(gdb) x/wx $esp
0xbffffc60:     0xbffffc7c
(gdb) x/64wx $esp
0xbffffc60:     0xbffffc7c      0x00000001      0xb7fff8f8      0xb7f0186e 
0xbffffc70:     0xb7fd7ff4      0xb7ec6165      0xbffffc88      0x61616161  
0xbffffc80:     0x61616161      0x61616161      0x61616161      0x61616161  
0xbffffc90:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffca0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffcb0:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffcc0:     0x08040061      0x00000000      0xbffffd48      0xb7eadc76
0xbffffcd0:     0x00000001      0xbffffd74      0xbffffd7c      0xb7fe1848
0xbffffce0:     0xbffffd30      0xffffffff      0xb7ffeff4      0x0804824b
0xbffffcf0:     0x00000001      0xbffffd30      0xb7ff0626      0xb7fffab0
0xbffffd00:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffd10:     0xbffffd48      0x6d276aaa      0x4766bcba      0x00000000
0xbffffd20:     0x00000000      0x00000000      0x00000001      0x08048340
0xbffffd30:     0x00000000      0xb7ff6210      0xb7eadb9b      0xb7ffeff4
0xbffffd40:     0x00000001      0x08048340      0x00000000      0x08048361
0xbffffd50:     0x080483f4      0x00000001      0xbffffd74      0x08048450
(gdb) c
Continuing.
you have changed the 'modified' variable

Program exited with code 051.

I also added some hooks, and as you can clearly see, "p &modified" is false and so is "p modified".

Starting program: /opt/protostar/bin/stack0
eax            0xbffffc6c       -1073742740
ecx            0x35a39915       899914005
edx            0x1      1
ebx            0xb7fd7ff4       -1208123404
esp            0xbffffc50       0xbffffc50
ebp            0xbffffcb8       0xbffffcb8
esi            0x0      0
edi            0x0      0
eip            0x804840c        0x804840c <main+24>
eflags         0x200286 [ PF SF IF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
0xbffffc50:     0xbffffc6c      0x00000001      0xb7fff8f8      0xb7f0186e
0xbffffc60:     0xb7fd7ff4      0xb7ec6165      0xbffffc78      0xb7eada75
0xbffffc70:     0xb7fd7ff4      0x08049620      0xbffffc88      0x080482e8
0xbffffc80:     0xb7ff1040      0x08049620      0xbffffcb8      0x08048469
0xbffffc90:     0xb7fd8304      0xb7fd7ff4      0x08048450      0xbffffcb8
0xbffffca0:     0xb7ec6365      0xb7ff1040      0x0804845b      0x00000000
0x804840c <main+24>:    call   0x804830c <gets@plt>
0x8048411 <main+29>:    mov    eax,DWORD PTR [esp+0x5c]

Breakpoint 1, 0x0804840c in main (argc=1, argv=0xbffffd64) at stack0/stack0.c:11
11      in stack0/stack0.c
(gdb) c
Continuing.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
eax            0xbffffc6c       -1073742740
ecx            0xbffffc6c       -1073742740
edx            0xb7fd9334       -1208118476
ebx            0xb7fd7ff4       -1208123404
esp            0xbffffc50       0xbffffc50
ebp            0xbffffcb8       0xbffffcb8
esi            0x0      0
edi            0x0      0
eip            0x8048411        0x8048411 <main+29>
eflags         0x200246 [ PF ZF IF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
0xbffffc50:     0xbffffc6c      0x00000001      0xb7fff8f8      0xb7f0186e
0xbffffc60:     0xb7fd7ff4      0xb7ec6165      0xbffffc78      0x61616161
0xbffffc70:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffc80:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffc90:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffca0:     0x61616161      0x61616161      0x61616161      0x61616161
0x8048411 <main+29>:    mov    eax,DWORD PTR [esp+0x5c]
0x8048415 <main+33>:    test   eax,eax

Breakpoint 2, main (argc=1633771873, argv=0x61616161) at stack0/stack0.c:13
13      in stack0/stack0.c
(gdb) p &modified
$2 = (volatile int *) 0xbffffd14
(gdb) p modified
$3 = 0
(gdb)

Thank you!

  • How did you compile it, what compiler version and flags? Can you upload the binary somewhere? Also note that main is somewhat special due to the stack alignment code; maybe that confuses gdb (although it works here). Commented Sep 30, 2022 at 18:38
  • Please don't show pictures of text; cut/paste the text itself. Commented Oct 1, 2022 at 0:08
  • @Jester I don't really know; it is taken from Protostar, and they have a dedicated ISO which contains all the compiled files. Commented Oct 1, 2022 at 3:13
  • @EmployedRussian I would, if it would let me copy/paste from the VM, but with their ISO it did not allow me; connected via PuTTY, now I can. Thanks for the comment. Commented Oct 1, 2022 at 3:25
  • Looks like a bug in gdb or in the debug info. It is using ebp+0x5c instead of esp+0x5c. Commented Oct 2, 2022 at 14:14

1 Answer

You didn't show your complete interaction with GDB.

The most likely answer is that you stopped before the function prologue executed, and thus GDB prints a bogus value for &modified.

Example:

(gdb) b *main
Breakpoint 1 at 0x11ad: file foo.c, line 6.
(gdb) run
Starting program: /tmp/a.out

Breakpoint 1, main (argc=1, argv=0xffffcc44) at foo.c:6
6       {

# Note: stopped before the function prologue

(gdb) p/x &modified
$1 = 0xfffffff4                    <<<--- bogus!

(gdb) s
10        modified = 0;

(gdb) p &modified
$2 = (volatile int *) 0xffffcb7c   <<<--- now correct.

1 Comment

I am actually looking at the variable after mov DWORD PTR [esp+0x5c], 0x0 - added to the question.
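A way to check the two competing addresses against the debugger's own memory dumps, as an added example that is not part of the question, the answer, or Protostar: the script below parses the gdb `x/Nwx` output from the second session in the question (esp = 0xbffffc50, ebp = 0xbffffcb8, dumps taken at main+24 and main+29), computes where `buffer` and `modified` sit relative to esp using the offsets from the disassembly (0x1c and 0x5c), and compares that with the ebp-relative address the comment on the question suggests gdb is using. The function names and the dump-parsing regex are my own; the register values, offsets and memory contents are copied from the question.

```python
import re

# Stack-frame offsets read off the disassembly of main in the question:
#   lea eax,[esp+0x1c]            -> buffer starts at esp+0x1c
#   mov DWORD PTR [esp+0x5c],0x0  -> modified lives at esp+0x5c
BUFFER_OFF = 0x1c
BUFFER_SIZE = 64
MODIFIED_OFF = 0x5c
WORD = 4
FILL_WORD = 0x61616161  # "aaaa" little-endian: the input typed at gets()

# Register values and memory dumps from the question's second gdb session.
ESP = 0xbffffc50
EBP = 0xbffffcb8
GDB_REPORTED_MODIFIED = 0xbffffd14  # what `p &modified` printed there

BEFORE_GETS = """\
0xbffffc50:     0xbffffc6c      0x00000001      0xb7fff8f8      0xb7f0186e
0xbffffc60:     0xb7fd7ff4      0xb7ec6165      0xbffffc78      0xb7eada75
0xbffffc70:     0xb7fd7ff4      0x08049620      0xbffffc88      0x080482e8
0xbffffc80:     0xb7ff1040      0x08049620      0xbffffcb8      0x08048469
0xbffffc90:     0xb7fd8304      0xb7fd7ff4      0x08048450      0xbffffcb8
0xbffffca0:     0xb7ec6365      0xb7ff1040      0x0804845b      0x00000000
"""

AFTER_GETS = """\
0xbffffc50:     0xbffffc6c      0x00000001      0xb7fff8f8      0xb7f0186e
0xbffffc60:     0xb7fd7ff4      0xb7ec6165      0xbffffc78      0x61616161
0xbffffc70:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffc80:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffc90:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffca0:     0x61616161      0x61616161      0x61616161      0x61616161
"""

# One line of `x/Nwx` output: "<addr>:" followed by up to four 32-bit words.
_DUMP_LINE = re.compile(r"^\s*(0x[0-9a-f]+):\s+((?:0x[0-9a-f]{8}\s*)+)$", re.I)


def parse_xwx(dump):
    """Turn a gdb `x/Nwx` dump into a {address: 32-bit word} mapping."""
    mem = {}
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            mem[base + i * WORD] = int(word, 16)
    return mem


def read_word(mem, addr):
    """Word at addr, or None when the dump does not cover that address."""
    return mem.get(addr)


def frame_layout(esp, ebp):
    """Candidate addresses for main's locals, computed from the registers."""
    return {
        "buffer": esp + BUFFER_OFF,
        "buffer_end": esp + BUFFER_OFF + BUFFER_SIZE,
        "modified_esp_relative": esp + MODIFIED_OFF,
        "modified_ebp_relative": ebp + MODIFIED_OFF,
    }


def modified_value(dump, esp=ESP):
    """Read `modified` at esp+0x5c straight out of a dump."""
    return read_word(parse_xwx(dump), esp + MODIFIED_OFF)


def count_fill_words(dump, esp=ESP, fill=FILL_WORD):
    """Consecutive words from the buffer start that hold the fill pattern."""
    mem = parse_xwx(dump)
    addr, n = esp + BUFFER_OFF, 0
    while read_word(mem, addr) == fill:
        n += 1
        addr += WORD
    return n


if __name__ == "__main__":
    layout = frame_layout(ESP, EBP)
    for name, addr in layout.items():
        print(f"{name:<22} {addr:#010x}")
    which = "ebp" if GDB_REPORTED_MODIFIED == layout["modified_ebp_relative"] else "esp"
    print(f"gdb's &modified        {GDB_REPORTED_MODIFIED:#010x} ({which}+0x5c)")
    print(f"modified before gets(): {modified_value(BEFORE_GETS):#010x}")
    print(f"modified after gets():  {modified_value(AFTER_GETS):#010x}")
    print(f"fill words from buffer start after gets(): {count_fill_words(AFTER_GETS)}")
```

Running it shows that esp+0x1c equals the eax value (0xbffffc6c) passed to gets(), that the 64-byte buffer ends exactly where esp+0x5c begins, and that the word there goes from 0x00000000 before the call to 0x61616161 after it, while ebp+0x5c is precisely the 0xbffffd14 that `p &modified` reported. That address is above the saved ebp and return address, so it is not in main's frame at all (the dumps do not even cover it), which is why `p modified` still reads 0 after the variable has visibly been overwritten.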
