Not only did you not control eip, you have moved far away to another portion of
memory. If you take a look at meet.c, you will notice that after the strcpy() function in
the greeting function, there is a printf() call. That printf, in turn, calls vfprintf() in the
libc library. The vfprintf() function then calls strlen. But what could have gone wrong?
You have several nested functions and thereby several stack frames, each pushed on the
stack. As you overflowed, you must have corrupted the arguments passed into the function.
Recall from the previous section that the call and prolog of a function leave the
stack looking like the following illustration:
Gray Hat Hacking: The Ethical Hacker's Handbook
If you write past eip, you will overwrite the function arguments, starting with temp1.
Since the printf() function uses temp1, you will have problems. To check out this theory,
let's check back with gdb:
(gdb)
(gdb) list
1 //meet.c
2 #include <stdio.h>
3 greeting(char* temp1,char* temp2){
4 char name[400];
5 strcpy(name, temp2);
6 printf("Hello %s %s\n", temp1, name);
7 }
8 main(int argc, char * argv[]){
9 greeting(argv[1],argv[2]);
10 printf("Bye %s %s\n", argv[1], argv[2]);
(gdb) b 6
Breakpoint 1 at 0x8048377: file meet.
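The crash described above happens because strcpy() has no idea how big name[] is, so an overlong temp2 runs through the saved ebp, the saved eip and then the arguments temp1 and temp2 that sit above them. As an added example (this is not code from the book or from meet.c), here is greeting() rewritten so the copy is bounded by the destination size, together with a small helper that feeds it constructed inputs of a chosen length; the function name greeting_safe, the helper greet_with_fill and the return-value convention are my own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define NAME_LEN 400  /* same buffer size as name[400] in meet.c */

/* Bounded replacement for greeting(): the copy can never write past
 * name[], so the saved ebp/eip and the arguments temp1/temp2 that sit
 * above the buffer stay intact no matter how long temp2 is.
 * Returns the number of bytes of temp2 that were kept (excluding the
 * terminating NUL), or -1 if the input had to be truncated, so the
 * caller can log the event instead of silently losing data. */
int greeting_safe(const char *temp1, const char *temp2)
{
    char name[NAME_LEN];
    size_t len = strlen(temp2);
    int truncated = 0;

    if (len >= NAME_LEN) {       /* leave room for the NUL terminator */
        len = NAME_LEN - 1;
        truncated = 1;
    }
    memcpy(name, temp2, len);
    name[len] = '\0';

    printf("Hello %s %s\n", temp1, name);
    return truncated ? -1 : (int)len;
}

/* Helper: calls greeting_safe() with a constructed string of n 'A'
 * bytes, standing in for an argv[2] of arbitrary length. */
int greet_with_fill(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int r = greeting_safe("Mr", buf);
    free(buf);
    return r;
}

int main(void)
{
    /* 600 bytes is well past name[400], the situation the text describes. */
    if (greet_with_fill(600) < 0)
        fprintf(stderr, "input truncated to %d bytes\n", NAME_LEN - 1);
    return 0;
}
```

Compiled with the same toolchain, the 600-byte input that crashes meet.c inside vfprintf() is simply cut to 399 bytes here, and the -1 return gives the program a place to record that an oversized argument arrived.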