Why is this the offset of the return pointer? "smashing the stack"

2

I'm trying to do a buffer overflow like it was described here, and I couldn't find the offset of the return pointer until I brute forced it, and I found it to be 21. Following this stackoverflow post, I got the following memory dump:

(gdb) r 21
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/sergiuser/test 21

Breakpoint 1, function (a=1, b=2, c=21) at test.c:8
8      ret = buffer1 + c;
(gdb) print &buffer1
$3 = (char (*)[5]) 0x7fffffffde63
(gdb) x/32xw 0x7fffffffde63
0x7fffffffde63: 0x00000000  0xe0585400  0x007ffff7  0xffdea000
0x7fffffffde73: 0x007fffff  0x5551bb00  0x00555555  0xffdf9800
0x7fffffffde83: 0x007fffff  0x55505000  0x00000255  0xffdf9000
0x7fffffffde93: 0x007fffff  0x00001500  0x00000000  0x5551e000
0x7fffffffdea3: 0x00555555  0xdef15200  0x007ffff7  0xffdf9800
0x7fffffffdeb3: 0x007fffff  0xdeef7300  0x000002f7  0x55517b00
0x7fffffffdec3: 0x00555555  0x00000000  0x00000800  0x00000000
0x7fffffffded3: 0x00000000  0xf27a4500  0x3360fb15  0x55505067
(gdb) bt
#0  function (a=1, b=2, c=21) at test.c:8
#1  0x00005555555551bb in main (argc=2, argv=0x7fffffffdf98) at test.c:17
(gdb) c
Continuing.
0
[Inferior 1 (process 344541) exited with code 02]
(gdb) 

I don't understand why this offset worked because I can't find the return address in memory.

Here's the modified code from my program, the only difference being that I use an input argument as the offset:

#include <stdio.h>
#include <stdlib.h>

/* Deliberately writes past the end of buffer1: the byte at buffer1 + c
 * is incremented by 5. With c == 21 that byte is the low byte of the
 * saved return address, so main resumes 5 bytes later than it should. */
void function(int a, int b, int c) {
   char buffer1[5];
   char buffer2[10];
   char *ret;

   ret = buffer1 + c;
   (*ret) += 5;
}

int main(int argc, char** argv) {
  int x = 0;
  int c;

  if (argc < 2) {
    fprintf(stderr, "usage: %s <offset>\n", argv[0]);
    return 1;
  }
  c = atoi(argv[1]);   /* the offset is taken from the command line */

  function(1, 2, c);
  x += 1000;           /* skipped when the return address lands past it */
  printf("%d\n", x);
  return 0;
}
Tags: c, gdb, disassembly, buffer-overflow
asked on Stack Overflow Feb 3, 2021 by sergiuser • edited Feb 3, 2021 by sergiuser

1 Answer

2

In the middle of this line we find the address 0x00005555555551bb you are looking for.

0x7fffffffde73: 0x007fffff  0x5551bb00  0x00555555  0xffdf9800

And it's exactly 21 bytes after 0x7fffffffde63.

You probably need to swap some bytes in order to respect endianness and stack-alignment.

answered on Stack Overflow Feb 3, 2021 by prog-fh
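The byte swapping the answer refers to, worked through on the question's own dump as an added example (not code from either poster): gdb's `x/32xw` prints each 4-byte word as a little-endian integer, so rebuilding the raw byte image and searching for the return address from `bt` as an 8-byte little-endian value gives the offset directly. The dump text and the addresses 0x7fffffffde63 and 0x00005555555551bb are copied from the question; the function names are my own.

```python
import re
import struct

# The x/32xw output from the question, pasted verbatim (constructed test input).
GDB_DUMP = """\
0x7fffffffde63: 0x00000000  0xe0585400  0x007ffff7  0xffdea000
0x7fffffffde73: 0x007fffff  0x5551bb00  0x00555555  0xffdf9800
0x7fffffffde83: 0x007fffff  0x55505000  0x00000255  0xffdf9000
0x7fffffffde93: 0x007fffff  0x00001500  0x00000000  0x5551e000
0x7fffffffdea3: 0x00555555  0xdef15200  0x007ffff7  0xffdf9800
0x7fffffffdeb3: 0x007fffff  0xdeef7300  0x000002f7  0x55517b00
0x7fffffffdec3: 0x00555555  0x00000000  0x00000800  0x00000000
0x7fffffffded3: 0x00000000  0xf27a4500  0x3360fb15  0x55505067
"""

LINE_RE = re.compile(r"^(0x[0-9a-f]+):\s+((?:0x[0-9a-f]{8}\s*)+)$")

def parse_xw_dump(text):
    """Rebuild the byte image behind an `x/Nxw` dump: (base_address, bytes).

    Each printed word is a little-endian 32-bit integer, so its bytes in
    memory are the printed digit pairs in reverse order.
    """
    base, image = None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        base = addr if base is None else base
        assert addr == base + len(image), "dump lines are not contiguous"
        for word in m.group(2).split():
            image += struct.pack("<I", int(word, 16))
    return base, bytes(image)

def find_offset(image, value, width=8):
    """Offset of `value` stored little-endian in `width` bytes, or -1."""
    return image.find(struct.pack("<Q", value)[:width])

def bumped_return(value, delta=5):
    """Address left behind by `(*ret) += 5`: only the lowest byte changes."""
    return (value & ~0xFF) | ((value & 0xFF) + delta) & 0xFF

if __name__ == "__main__":
    base, image = parse_xw_dump(GDB_DUMP)          # base == &buffer1
    ret_addr = 0x00005555555551BB                   # from `bt` frame #1
    off = find_offset(image, ret_addr)
    print(f"saved return address at buffer1 + {off}")   # 21
    print(f"saved rbp just below it: {struct.unpack('<Q', image[off-8:off])[0]:#x}")
    print(f"return target after the +5: {bumped_return(ret_addr):#x}")
```

The 8 bytes just below the return address decode to 0x00007fffffffdea0, the saved rbp, which is why the 5-byte buffer needs 13 bytes of padding before the saved frame pointer and 21 before the return address on this build.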

User contributions licensed under CC BY-SA 3.0