11     if(strcmp(password_buffer, "brillig") == 0)
12         auth_flag = 1;
13     if(strcmp(password_buffer, "outgrabe") == 0)
14         auth_flag = 1;
15
16     return auth_flag;
17 }
18
19 int main(int argc, char *argv[]) {
20     if(argc < 2) {

(gdb) break 9
Breakpoint 1 at 0x8048421: file auth_overflow.c, line 9.
(gdb) break 16
Breakpoint 2 at 0x804846f: file auth_overflow.c, line 16.
(gdb)
The GDB debugger is started with the -q option to suppress the welcome
banner, and breakpoints are set on lines 9 and 16. When the program is run,
execution will pause at these breakpoints and give us a chance to examine
memory.
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/reader/booksrc/auth_overflow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, check_authentication (password=0xbffff9af 'A' <repeats 30 times>) at auth_overflow.c:9
9         strcpy(password_buffer, password);
(gdb) x/s password_buffer
0xbffff7a0:     ")????o??????)\205\004\b?o??p???????"
(gdb) x/x &auth_flag
0xbffff7bc:     0x00000000
(gdb) print 0xbffff7bc - 0xbffff7a0
$1 = 28
(gdb) x/16xw password_buffer
0xbffff7a0:     0xb7f9f729      0xb7fd6ff4      0xbffff7d8      0x08048529
0xbffff7b0:     0xb7fd6ff4      0xbffff870      0xbffff7d8      0x00000000
0xbffff7c0:     0xb7ff47b0      0x08048510      0xbffff7d8      0x080484bb
0xbffff7d0:     0xbffff9af      0x08048510      0xbffff838      0xb7eafebc
(gdb)
The first breakpoint is hit before the strcpy() happens. Examining the
password_buffer pointer with x/s shows that it is filled with leftover,
uninitialized data and is located at 0xbffff7a0 in memory. Examining the
address of the auth_flag variable shows both its location, 0xbffff7bc, and
its value, 0. The print command can be used to do arithmetic and shows that
auth_flag is 28 bytes past the start of password_buffer. This relationship
can also be seen in the block of memory starting at password_buffer: the
location of auth_flag is the last word of the second row of the dump
(0xbffff7bc, still holding 0x00000000). Since the 30-byte argument plus its
terminating NUL is longer than those 28 bytes, the strcpy() that is about to
run will write past the end of password_buffer and into auth_flag.
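The fix for the defect the debugger is exposing is to refuse any input that does not fit before a byte is copied. The following is an added example, not the book's own code: it places a copy of the strcpy()-based check beside a bounds-checked version. The 16-byte size of password_buffer is an assumption about the original program; the page itself only shows that auth_flag sits 28 bytes past the start of the buffer.

```c
/* Added example (not the book's code): the unbounded check next to a
 * bounds-checked one. PASSWORD_BUFFER_SIZE is assumed; the page only
 * shows auth_flag lying 28 bytes past password_buffer. */
#include <stdio.h>
#include <string.h>

#define PASSWORD_BUFFER_SIZE 16   /* assumed size of the original buffer */

/* Original-style check: strcpy() copies until the NUL terminator, so a
 * password longer than the buffer overwrites whatever lies above it,
 * including auth_flag. Only called here with inputs that fit. */
int check_authentication(const char *password) {
    int auth_flag = 0;
    char password_buffer[PASSWORD_BUFFER_SIZE];

    strcpy(password_buffer, password);   /* unbounded copy: the defect */

    if (strcmp(password_buffer, "brillig") == 0)
        auth_flag = 1;
    if (strcmp(password_buffer, "outgrabe") == 0)
        auth_flag = 1;

    return auth_flag;
}

/* Hardened check: measure first, reject anything that does not fit with
 * its terminator, and only then copy a known number of bytes. A 30-byte
 * input is rejected instead of being written over auth_flag. */
int check_authentication_safe(const char *password) {
    int auth_flag = 0;
    char password_buffer[PASSWORD_BUFFER_SIZE];
    size_t len = strlen(password);

    if (len >= sizeof(password_buffer))
        return 0;                        /* too long: treat as failed auth */
    memcpy(password_buffer, password, len + 1);   /* bounded; includes the NUL */

    if (strcmp(password_buffer, "brillig") == 0)
        auth_flag = 1;
    if (strcmp(password_buffer, "outgrabe") == 0)
        auth_flag = 1;

    return auth_flag;
}

int main(void) {
    /* Constructed inputs: the two valid passwords, a wrong one, and the
     * 30-'A' argument from the GDB session above. */
    const char *inputs[] = {
        "brillig", "outgrabe", "wrong", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        printf("%-32s safe=%d", inputs[i], check_authentication_safe(inputs[i]));
        /* The strcpy() version is only exercised with inputs that fit. */
        if (strlen(inputs[i]) < PASSWORD_BUFFER_SIZE)
            printf(" unbounded=%d", check_authentication(inputs[i]));
        printf("\n");
    }
    return 0;
}
```

The length check uses `>=` rather than `>` because the terminator needs a byte of its own; an input of exactly PASSWORD_BUFFER_SIZE characters would otherwise leave password_buffer without a NUL and make the later strcmp() calls read past its end.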