0

Possible Duplicate:
how to skip a line doing a buffer overflow in c

I disassembled the main() function using gdb on RHEL5. Basically I want to change return address to some other instruction in code.

Scenario:

function(int a,int b)
{
    char buffer[16];
    //some operations here..
}

int main()
{
    int x = 12;
    int y =13;
    int p ;

    function(x,y);

    p = 100;

    printf("%d",p);
}

I want to skip p = 100 and want to jump on printf call.! In GDB i checkd address of function call.

 something --> 0x0804827b

Range of addresses for main() and function() --> 0x080.....something.

But in program when I try to get address of variable using &a, the hex addresses looks like 0xbfeca... something.

Why so? I'm not getting the reason behind this, so I'm not even able to GET the return address or to change return address. How should i proceed? What might be the reason?

Community
  • 1
  • 1
user716919
  • 1
  • 1
  • Perhaps **[this answer](http://stackoverflow.com/questions/5280789/how-to-skip-a-line-doing-a-buffer-overflow-in-c/5571224#5571224)** to *[how to skip a line doing a buffer overflow in c](http://stackoverflow.com/q/5280789/203667)* might be of some use. – jschmier Apr 20 '11 at 18:35

2 Answers2

1

a variable is placed on the stack. It is a local variable to function. Return address is also stored on the stack.

Address 0xbf...... is typical for stack and address 0x080..... is typical to code section.

To replace a return address, you should inspect (e.g. with gdb) memory near &a an to find a return address (it should be address like 0x080.....). Then you can replace it.

osgx
  • 90,338
  • 53
  • 357
  • 513
0

Under MSVC you have the _AddressOfReturnAddress (dunno the GCC equivalent*) intrinsic which you can use to tamper with the return address by adding the size of the instructions to skip. however that will fail for cdecl functions or if there is any reordering. also in you case, p = 100; would be optimized out.

TBH something like this will be very situational and will probably require writing custom assembly at the 'landing site'. for your case the best option is to replace the assignment with a unconditional jump forward to your target.

*however depending on the system your operating on (its ABI) and the calling convention used, you can use:

void* pAddressOfReturn = (&a) - sizeof(void*);

where the function is __stdcall or __cdecl.

Necrolis
  • 25,836
  • 3
  • 63
  • 101