We are mostly
interested in buffers that hold strings. Buffers themselves have no mechanism to keep
you from putting too much data in the reserved space. In fact, if you get sloppy as a programmer,
you can quickly write past the allocated space. For example, the following
declares a 10-byte character buffer in memory:
char str1[10];
So what happens if you execute the following?
strcpy (str1, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
Let's find out.
//overflow.c
#include <string.h> //for strcpy
int main(void){
char str1[10]; //declare a 10 byte string
//next, copy 35 bytes of "A" to str1 (no length check; this is the bug)
strcpy (str1, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
return 0;
}
Chapter 7: Basic Linux Exploits
Then compile and execute the following:
$ //notice we start out at user privileges "$"
$ gcc -ggdb -o overflow overflow.c
$ ./overflow
09963: Segmentation fault
Why did you get a segmentation fault? Let's see by firing up gdb:
$ gdb -q overflow
(gdb) run
Starting program: /book/overflow
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg eip
eip 0x41414141 0x41414141
(gdb) q
A debugging session is active.
Do you still want to close the debugger?(y or n) y
$
As you can see, when you ran the program in gdb, it crashed when trying to execute
the instruction at 0x41414141, which is the four bytes "AAAA" read back as an address (the ASCII code for A is 0x41): the copy ran past the end of str1 and overwrote the saved return address on the stack with A's.
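The following is an added example, not code from the book: it places the unchecked strcpy pattern from overflow.c next to a length-checked copy that refuses input that would not fit, and it shows why the crash address is 0x41414141 by reading four A's the way the CPU reads a saved return address. The function names safe_copy, copy_outcome and le32_at are this example's own; the inputs are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length-checked replacement for the unchecked strcpy in overflow.c.
 * Returns 0 on success. Returns -1 and leaves dst as an empty string
 * when src (plus its terminating NUL) would not fit in dst_size bytes,
 * so an over-long input can never spill past the end of the buffer. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t len;
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    len = strlen(src);
    if (len + 1 > dst_size) {       /* len bytes of text plus one NUL */
        dst[0] = '\0';              /* fail closed: no partial copy */
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Exercises safe_copy on the same 10-byte buffer size as overflow.c's str1.
 * Returns 1 if src was copied intact, 0 if it was refused and the buffer
 * left empty, -1 on any other outcome (which would mean safe_copy is buggy). */
int copy_outcome(const char *src) {
    char buf[10];
    memset(buf, 'X', sizeof buf);           /* junk so a bad copy is visible */
    if (safe_copy(buf, sizeof buf, src) == 0)
        return strcmp(buf, src) == 0 ? 1 : -1;
    return buf[0] == '\0' ? 0 : -1;
}

/* Reads four bytes as a little-endian 32-bit value, the way an x86 CPU
 * reads a saved return address off the stack. For "AAAA" this yields
 * 0x41414141, the address gdb reported in eip. */
uint32_t le32_at(const char *p) {
    return (uint32_t)(unsigned char)p[0]
         | (uint32_t)(unsigned char)p[1] << 8
         | (uint32_t)(unsigned char)p[2] << 16
         | (uint32_t)(unsigned char)p[3] << 24;
}

int main(void) {
    /* Constructed inputs: 35 A's, as in overflow.c, and a 9-byte string that fits. */
    const char *too_long = "AAAAAAA" "AAAAAAA" "AAAAAAA" "AAAAAAA" "AAAAAAA";
    const char *fits = "AAAAAAAAA";                 /* 9 bytes + NUL = 10 */
    printf("35 A's into 10 bytes -> outcome %d (0 = refused)\n", copy_outcome(too_long));
    printf("9 A's into 10 bytes  -> outcome %d (1 = copied)\n", copy_outcome(fits));
    printf("\"AAAA\" read as an address: 0x%08x\n", le32_at("AAAA"));
    return 0;
}
```

The size check uses the destination's real capacity (sizeof str1), which is the information strcpy never receives; that missing length is the whole defect, and a copy that fails closed on over-long input is what keeps eip from ever being loaded with bytes taken from the input.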