Buffer Overflow Dilemma

I am playing with one example. The example is as follows:

    #include <stdio.h>

    /* Deliberately vulnerable: gets() has no bound, so input longer than
       the 30-byte array overruns it (this is the behaviour under discussion). */
    void return_input(void)
    {
        char array[30];
        gets(array);
        printf("%s\n", array);
    }

    int main(void)
    {
        return_input();
        return 0;
    }

All this code is in a file called overflow.c. We have a vulnerable function called return_input, in particular a 30-byte char array. I compiled it, opened the vulnerable function in gdb and got the following output:

    (gdb) disas return_input
    0x08048464 <+0>:  push %ebp
    0x08048465 <+1>:  mov  %esp,%ebp
    0x08048467 <+3>:  sub  $0x48,%esp
    0x0804846a <+6>:  mov  %gs:0x14,%eax
    0x08048470 <+12>: mov  %eax,-0xc(%ebp)
    0x08048473 <+15>: xor  %eax,%eax
    0x08048475 <+17>: lea  -0x2a(%ebp),%eax
    0x08048478 <+20>: mov  %eax,(%esp)
    0x0804847b <+23>: call 0x8048360 <gets@plt>
    0x08048480 <+28>: lea  -0x2a(%ebp),%eax
    0x08048483 <+31>: mov  %eax,(%esp)
    0x08048486 <+34>: call 0x8048380 <puts@plt>
    0x0804848b <+39>: mov  -0xc(%ebp),%eax
    0x0804848e <+42>: xor  %gs:0x14,%eax
    0x08048495 <+49>: je   0x804849c <return_input+56>
    0x08048497 <+51>: call 0x8048370 <__stack_chk_fail@plt>
    0x0804849c <+56>: leave
    0x0804849d <+57>: ret
    End of assembler dump.

As you can see from the prologue of the function, we reserved 0x48 (72 decimal) bytes on the stack for local variables. First I tried to find the address where our vulnerable array is located on the stack. I think it is at -0x2a(%ebp), right? 0x2a is 42 in decimal. As far as I understand, this means that we can safely write 42 bytes before we start overwriting the EBP saved on the stack. But when I run this example, only 37 bytes are enough to get a segmentation fault:

    rustam@rustam-laptop:~/temp/ELF_reader$ ./overflow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Segmentation fault (core dumped)

How are 37 bytes enough for a buffer overflow, if our local char array is 42 bytes below the saved EBP?

+6
1 answer

It's hard to say without seeing the whole disassembly of the function.

However, I believe that %gs:0x14, stored in -0xc(%ebp), could be your stack canary, resulting in a clean exit if the stack is smashed. Thus, this value is stored at -0xc(%ebp), which means that your buffer is actually only 30 bytes, and then everything that comes after.

+6
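To make the answer's reasoning concrete, here is an added example (not part of the original question or answer) that reads the gdb disassembly quoted above and recovers the frame layout from the operand offsets: the frame size from `sub $0x48,%esp`, the canary slot from the store that follows the `%gs:0x14` load, and the buffer passed to `gets()` from the `lea` that precedes the call. The distance from the buffer to the canary slot is what decides how many bytes of input the check at the epilogue tolerates.

```python
import re

# Constructed input: the relevant lines of the disassembly from the question.
DISAS = """
0x08048464 <+0>:  push %ebp
0x08048465 <+1>:  mov  %esp,%ebp
0x08048467 <+3>:  sub  $0x48,%esp
0x0804846a <+6>:  mov  %gs:0x14,%eax
0x08048470 <+12>: mov  %eax,-0xc(%ebp)
0x08048473 <+15>: xor  %eax,%eax
0x08048475 <+17>: lea  -0x2a(%ebp),%eax
0x08048478 <+20>: mov  %eax,(%esp)
0x0804847b <+23>: call 0x8048360 <gets@plt>
"""

def frame_layout(disas):
    """Derive the 32-bit x86 frame layout (offsets below %ebp, in bytes)
    and how many input bytes fit before each protected slot is reached."""
    frame = canary_off = buf_off = None
    expect_canary_store = False   # True right after the %gs:0x14 load
    last_lea = None               # most recent local-variable address taken
    for line in disas.splitlines():
        m = re.search(r'sub\s+\$0x([0-9a-f]+),%esp', line)
        if m:
            frame = int(m.group(1), 16)
            continue
        if re.search(r'mov\s+%gs:0x14,%eax', line):
            expect_canary_store = True
            continue
        m = re.search(r'mov\s+%eax,-0x([0-9a-f]+)\(%ebp\)', line)
        if m and expect_canary_store:
            canary_off = int(m.group(1), 16)   # where the canary copy lives
            expect_canary_store = False
            continue
        m = re.search(r'lea\s+-0x([0-9a-f]+)\(%ebp\),%eax', line)
        if m:
            last_lea = int(m.group(1), 16)
            continue
        if 'gets@plt' in line:
            buf_off = last_lea                  # the pointer gets() received
    return {
        "frame_size": frame,                              # 72
        "buffer_off": buf_off,                            # 42
        "canary_off": canary_off,                         # 12
        "bytes_before_canary": buf_off - canary_off,      # 30: the real buffer
        "bytes_before_saved_ebp": buf_off,                # 42
    }
```

Byte 31 of input already lands on the canary slot, so the `xor %gs:0x14,%eax` check at `<+42>` fails well before the saved EBP at 42 bytes is touched.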

Source: https://habr.com/ru/post/918271/
