
I'm trying to smash the stack and am using the below C code:

#include <stdio.h>

/* Deliberately unsafe: gets() has no length bound, so a long line
   runs off the end of buf into whatever the compiler placed above it. */
void get_inp(void)
{
    char buf[8];
    gets(buf);
    puts(buf);
}

int main(void)
{
    get_inp();
    return 0;
}

I get the segmentation fault only if I enter a minimum of 16 characters as input. Running this on an IA-32 architecture. Since the EBP occupies 4 bytes after the allocated buffer, shouldn't I be getting the seg fault after inputting 12 characters? Would appreciate some clarity on this.

  • Which compiler, version, and compiler switches are you using to compile the code? – Hadi Brais Apr 09 '18 at 22:47
  • The `stack-overflow` tag is irrelevant to the question. The `cpu-architecture` tag is hardly relevant too. Although you can add the `x86` tag since you're targeting x86. – Hadi Brais Apr 09 '18 at 23:01
  • I'm using the gcc compiler (gcc (Ubuntu 7.2.0-8ubuntu3.2) 7.2.0) with the -fno-stack-protector switch – NoahGrg Apr 09 '18 at 23:30
  • So you're compiling the code like this `gcc -fno-stack-protector` without passing **any** other switches? – Hadi Brais Apr 09 '18 at 23:38
  • gcc -ggdb -fno-stack-protector -o demo demo.c – NoahGrg Apr 09 '18 at 23:44
  • Did you look at the asm to determine exactly how it lays out the stack, or are you just making assumptions about how gcc allocates stack space? It can vary depending on whether you enable optimization or not. The question doesn't show the asm for `get_inp`. And did you really install 32-bit-only Ubuntu? On a normal install, `gcc` without `-m32` will make 64-bit binaries. – Peter Cordes Apr 09 '18 at 23:50
  • IA-32 means 32-bit x86. As Peter said, the only way to emit 32-bit code without the `-m32` switch is by compiling on a 32-bit platform. Maybe you're confusing IA-32 and x86-64? – Hadi Brais Apr 10 '18 at 00:05
  • I'm on a Linux VM which shows i686. – NoahGrg Apr 10 '18 at 00:15
  • Possible duplicate of [Arrays memory allocation on stack](https://stackoverflow.com/questions/49707610/arrays-memory-allocation-on-stack): you have to look at the asm to see how much space the compiler left unused. – Peter Cordes Apr 10 '18 at 00:22
  • It looks to me from the assembly code that you need to enter at least 17 characters, not 16, to get a segfault. Or are you sure it's 16? – Hadi Brais Apr 10 '18 at 00:43

1 Answer

Why should overwriting the saved EBP generate a segmentation fault? It is quite possible it is never used again. A likely cause of your SIGSEGV is overwriting the return address. Does the fault address look like the ASCII values you put in? (Try an input of UUU...UU; do you fault at 0x55555555?)

mevets
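The comments and the answer both come down to the same point: the distance from `buf` to the saved frame pointer and to the return address is whatever the compiler chose, padding included, not `sizeof(buf)` plus four. The program below is an added example, not code from the question or the answer. It builds a function with the same frame shape as `get_inp()` (one 8-byte local array) and, instead of calling `gets()`, measures its own layout with `__builtin_frame_address(0)`, a GCC/Clang extension that returns the address of the saved frame pointer slot (the first word the prologue pushes); on x86, 32- or 64-bit, the return address is one machine word above that. From those two offsets it reports which slot the NUL terminator of an n-character line lands in and the shortest lines that touch the saved frame pointer or fully replace the return address. The names `measure_layout`, `slot_hit_by`, `min_chars_to_touch_saved_fp` and `min_chars_to_overwrite_retaddr` are mine; the code assumes GCC or Clang on x86 with a frame pointer in the measured function (the builtin forces one).

```c
#include <stddef.h>
#include <stdio.h>

/* Which part of the frame the last byte written by gets() lands in.
   gets(buf) with an n-character line stores n+1 bytes (the characters plus
   the terminating NUL), so the highest offset written is buf + n. */
enum slot { IN_BUF, IN_PADDING, IN_SAVED_FP, IN_RETADDR, BEYOND_FRAME };

struct layout {
    size_t buf_size;    /* sizeof(buf) in the measured frame */
    size_t to_saved_fp; /* bytes from buf[0] to the saved frame pointer slot */
    size_t to_retaddr;  /* bytes from buf[0] to the return address slot */
};

/* Same frame shape as the question's get_inp(): one 8-byte local array.
   Instead of calling gets() it measures where that array sits.
   __builtin_frame_address(0) (GCC/Clang extension, assumption: x86 frame
   layout) is the address of the saved frame pointer; the return address is
   one machine word above it. noinline keeps this a real call frame. */
__attribute__((noinline)) struct layout measure_layout(void)
{
    volatile char buf[8];
    struct layout l;
    const char *frame = (const char *)__builtin_frame_address(0);

    buf[0] = 'A';                         /* keep buf a real stack object */
    l.buf_size = sizeof buf;
    l.to_saved_fp = (size_t)(frame - (const char *)buf);
    l.to_retaddr = l.to_saved_fp + sizeof(void *);
    return l;
}

/* Classify the slot that receives the NUL terminator of an n-character line. */
enum slot slot_hit_by(const struct layout *l, size_t n)
{
    if (n < l->buf_size)                    return IN_BUF;
    if (n < l->to_saved_fp)                 return IN_PADDING;
    if (n < l->to_retaddr)                  return IN_SAVED_FP;
    if (n < l->to_retaddr + sizeof(void *)) return IN_RETADDR;
    return BEYOND_FRAME;
}

/* Shortest line whose NUL already clobbers a byte of the saved frame pointer. */
size_t min_chars_to_touch_saved_fp(const struct layout *l)
{
    return l->to_saved_fp;
}

/* Shortest line whose characters (not the NUL) cover every byte of the
   return address, so ret jumps to an address built from input bytes. */
size_t min_chars_to_overwrite_retaddr(const struct layout *l)
{
    return l->to_retaddr + sizeof(void *);
}

int main(void)
{
    struct layout l = measure_layout();

    printf("buf is %zu bytes; %zu bytes of padding sit between buf and the "
           "saved frame pointer\n", l.buf_size, l.to_saved_fp - l.buf_size);
    printf("%zu characters: NUL lands in the saved frame pointer\n",
           min_chars_to_touch_saved_fp(&l));
    printf("%zu characters: return address fully replaced by input bytes\n",
           min_chars_to_overwrite_retaddr(&l));
    return 0;
}
```

Compile it with the same flags as the original (`-m32 -fno-stack-protector`, with or without `-O`) and compare the printed padding against the offset of `buf` from `ebp` in the disassembly of `get_inp`; the numbers move with the compiler's alignment choices, which is why counting `8 + 4` by hand does not predict the crash. Note also that a line which only corrupts the saved frame pointer can still crash: if the caller's epilogue is `leave; ret`, the restored `ebp` becomes the caller's `esp` and its `ret` pops garbage, so a fault does not by itself prove the return address of `get_inp` was reached.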