Are integers always placed before character array in memory by the gcc compiler?

Question

Are integers always placed before character array in memory by the gcc compiler?

I am trying a simple buffer overflow in C from HTAOE book . This is the code :

#include<stdio.h>
#include<string.h>

int main(int argc, char *argv[]){
        int val0=10;
        char buffer_two[8], buffer_one[8];
        int val1=5;

        strcpy(buffer_one, "one");
        strcpy(buffer_two, "two");
        printf("[BEFORE] buffer_two is at @%p contains \'%s\'\n", buffer_two, buffer_two);
        printf("[BEFORE] buffer_one is at @%p contains \'%s\'\n", buffer_one, buffer_one);
        printf("[BEFORE] val1 is @%p and contains \'%d\' [0x%08x]\n", &val1, val1, val1);
        printf("[BEFORE] val0 is @%p and contains \'%d\' [0x%08x]\n", &val0, val0, val0);

        printf("Copying the argv[1], which is %ld bytes, into buffer_two..\n", strlen(argv[1]));
        strcpy(buffer_two, argv[1]);

        printf("[AFTER] buffer_two is at @%p contains \'%s\'\n", buffer_two, buffer_two);
        printf("[AFTER] val1 is @%p and contains \'%d\' [0x%08x]\n", &val1, val1, val1);
        printf("[AFTER] val0 is @%p and contains \'%d\' [0x%08x]\n", &val0, val0, val0);
        return 0;

}

after compiling it normally(no additional flags), I run it (buffer oveflow intended) using

./overflow_example "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Where "AA....." is the 1st argument and number of A's is more than 16. As expected the overflow happened in buffer_one. But I was expecting that the overflow would happen in the integers val0 or val1 also. Failure. I noticed that the integers are placed before the character array in stack, like why ? So no overflow happened there. output:

[BEFORE] buffer_two is at @0x7fffa43fa1a8 contains 'two'
[BEFORE] buffer_one is at @0x7fffa43fa1b0 contains 'one'
[BEFORE] val1 is @0x7fffa43fa1a4 and contains '5' [0x00000005]
[BEFORE] val0 is @0x7fffa43fa1a0 and contains '10' [0x0000000a]
Copying the argv[1], which is 45 bytes, into buffer_two..
[AFTER] buffer_two is at @0x7fffa43fa1a8 contains 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
[AFTER] buffer_one is at @0x7fffa43fa1b0 contains 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
[AFTER] val1 is @0x7fffa43fa1a4 and contains '5' [0x00000005]
[AFTER] val0 is @0x7fffa43fa1a0 and contains '10' [0x0000000a]
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)

My question is how can I direct the compiler to not place the integer before the character arrays, instead place them after the character arrays in the stack so that there can be an overflow. Am I expecting the impossible ? Is it possible to do so ? Or is it trivial, like provide a flag with gcc command?

Please help.

:)

PS : running of Ubuntu X86-64 machine

c

arrays

gcc

memory

buffer-overflow

asked on Stack Overflow Jan 5, 2020 by

sweetpoision

1 Answer

You're asking to help you invoke undefined behavior in a sensible way, which will typically get you downvoted because Stack Overflow is for writing good software, not deliberately exploitable software.

That said, you could try putting the related variables in a structure:

int main(int argc, char *argv[]){
    struct {
        int val0;
        char buffer_two[8];
        char buffer_one[8];
        int val1;
    } group = {
        .val0 = 10,
        .val1 = 5,
    };


    strcpy(group.buffer_one, "one");
    strcpy(group.buffer_two, "two");

    // ...
}

answered on Stack Overflow Jan 5, 2020 by

Jonathon Reinhart

User contributions licensed under CC BY-SA 3.0