Graphics Programs Reference
In-Depth Information
As expected, the overflow cannot disturb the
auth_flag
variable, since it's
located before the buffer. But another execution control point does exist,
even though you can't see it in the C code. It's conveniently located after all
the stack variables, so it can easily be overwritten. This memory is integral to the
operation of all programs, so it exists in all programs, and when it's over-
written, it usually results in a program crash.
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x08004141 in ?? ()
(gdb)
Recall from the previous chapter that the stack is one of five memory
segments used by programs. The stack is a FILO data structure used to
maintain execution flow and context for local variables during function calls.
When a function is called, a structure called a
stack frame
is pushed onto
the stack, and the EIP register jumps to the
first instruction of the function. Each stack
frame contains the local variables for that
function and a return address so EIP can be
restored. When the function is done, the stack
frame is popped off the stack and the return
address is used to restore EIP. All of this is built
in to the architecture and is usually handled by
the compiler, not the programmer.
When the
check_authentication()
function
is called, a new stack frame is pushed onto the
stack above
main()
's stack frame. In this frame
are the local variables, a return address, and the
function's arguments.
return_value
variable
password_buffer
variable
Saved frame pointer (SFP)
Return address (
ret
)
*password
(func argument)
main()
's stack frame
We can see all these elements in the debugger.
reader@hacking:~/booksrc $ gcc -g auth_overflow2.c
reader@hacking:~/booksrc $ gdb -q ./a.out
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) list 1
1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <string.h>
4
5 int check_authentication(char *password) {
6 char password_buffer[16];
7 int auth_flag = 0;
8
9 strcpy(password_buffer, password);
10
(gdb)
11 if(strcmp(password_buffer, "brillig") == 0)
