Code:
#include <stdio.h>
#include <string.h>   /* declares strcpy(); the original listing omitted it */
int main(int argc, char *argv[]){
    char buf[512];
    strcpy(buf, argv[1]);   /* unbounded copy: an argument longer than 511 bytes overruns buf */
    return 0;
}
Compilation:
gcc -g -z execstack buf.c -o buf -fno-stack-protector
Question:
So basically, using gdb I set a breakpoint on the line return 0; and run the program as follows: run $(python -c 'print "A"*600'), and then when I do x/600x $rsp, I get my buffer starting at:
0x7fffffffdcf0: 0xffffdfe8 0x00007fff 0xf7fd3298 0x00000002
0x7fffffffdd00: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffdd10: 0x41414141 0x41414141 0x41414141 0x41414141
// it goes on... until
0x7fffffffdf50: 0x41414141 0x41414141 0x00000000 0x00000000
But then when I go further down the stack, I also see:
0x7fffffffe2f0: 0x776f6c66 0x6675622f 0x41414100 0x41414141
0x7fffffffe300: 0x41414141 0x41414141 0x41414141 0x41414141
// It goes until
0x7fffffffe540: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe550: 0x48530041 0x3d4c4c45 0x6e69622f 0x7361622f
Also, for the buffer overflow exploit, if I use the first location my exploit doesn't work, but if I use the second location it works.
So may I know why my buffer is stored in two different locations?
Your buffer isn’t stored in two places. You’re just copying the data yourself in your code. There’s the input that’s given to main, and then your buffer where you copy the input. That’s two copies of it, but only one is your buffer.

Using gdb to show where argv[1] is stored will also show this:
p argv[1]
$1 = 0x7ffffffee2ce 'A' <repeats 600 times>
The address will of course be different on different systems.
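To make the two copies visible without gdb, and to show the bounded copy that stops the second one from overrunning main's frame, here is an added example (not code from the question or the answer above): copy_arg, bytes_kept, BUF_SIZE and the 'A' input it constructs are this example's own names and assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define BUF_SIZE 512   /* same capacity as buf[512] in the question */
/* Bounded replacement for the bare strcpy in the question: copies src into
 * dst (capacity dst_size), always NUL-terminates, and returns false when the
 * input did not fit, so the caller can reject it instead of overrunning buf. */
bool copy_arg(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return false;
    size_t len = 0;                          /* scan no further than capacity */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size) {                   /* no room left for the terminator */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);               /* len bytes plus the terminator */
    return true;
}

/* Builds an input of input_len 'A's (constructed, like the 600 in the
 * question), copies it with copy_arg, and returns how many bytes survived. */
int bytes_kept(size_t input_len)
{
    char input[2048], buf[BUF_SIZE];
    if (input_len >= sizeof input) return -1;
    memset(input, 'A', input_len);
    input[input_len] = '\0';
    copy_arg(buf, sizeof buf, input);
    return (int)strlen(buf);
}

/* Same shape as the question's main(): argv[1] is the copy the kernel placed
 * near the top of the stack, buf is the second copy in main's own frame. */
int main(int argc, char *argv[])
{
    char buf[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    bool fit = copy_arg(buf, sizeof buf, argv[1]);
    printf("argv[1] copy at %p\nbuf copy at     %p\n", (void *)argv[1], (void *)buf);
    printf("kept %zu bytes%s\n", strlen(buf), fit ? "" : " (input truncated)");
    return fit ? 0 : 2;
}
```

Run it with the same 600-byte argument as the question and the two printed addresses are the two regions that x/600x $rsp showed, while buf itself now holds at most 511 bytes.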
User contributions licensed under CC BY-SA 3.0