localvars
----------
/*
 * Demonstration of where out-of-bounds writes through an 8-byte stack
 * buffer land: in the neighbouring locals.  The accesses past buf are the
 * point of the example, not something to "fix".  The expected values in the
 * trailing comments (n = 15213, x = 0xdeadbea8) follow from the frame layout
 * in the assembly listing further down: n at -4(%ebp), buf at -12(%ebp)
 * through -5(%ebp), x at -16(%ebp), little-endian byte order.
 */
void localvars()
{
    volatile int n;              /* volatile: keep n and x in memory, not registers */
    char buf[8];
    volatile int x;
    n = 0x0102;
    x = 0xdeadbeef;
    strcpy(buf,"Carnegi");       /* 7 chars + NUL = 8 bytes: exactly fills buf */
    strcpy(buf, "Carnegiem;");
    /* "Carnegiem;" is 10 chars + NUL = 11 bytes, three more than buf holds.
       The surplus "m;\0" continues into the bytes just above buf, i.e. the
       three low bytes of n (n was 02 01 00 00 in memory, now 6d 3b 00 00). */
    // 'm' = 0x6d, ';' = 0x3b
    // n = 15213 (0x3b6d)
    buf[8] = 0x6c;               /* one past the end of buf = lowest byte of n */
    // n = 15212
    buf[-4] = 0xa8;              /* four bytes below buf = lowest byte of x */
    // x = 0xdeadbea8
    /* All three overruns are undefined behaviour in C; the numbers above hold
       only for this compiler's frame layout.  Outside a demonstration the
       copy is bounded, e.g. snprintf(buf, sizeof buf, "%s", src). */
}
--------------------------------------------------------
/* Compiler output for localvars (32-bit x86, AT&T syntax).
   NOTE(review): the constants here (16909060 = 0x01020304,
   84281096 = 0x05060708, .LC0 "12345678") differ from the C above, so the
   listing presumably comes from a different revision of the example.  The
   frame layout is what the example relies on: n at -4(%ebp), buf at
   -12(%ebp)..-5(%ebp), x at -16(%ebp); saved %ebp sits at 0(%ebp). */
.section .rodata
.LC0:
    .string "12345678"
.LC1:
    .string "Carnegiem;"
.text
    .align 4
.globl localvars
    .type localvars,@function
localvars:
    pushl %ebp
    movl %esp,%ebp
    subl $24,%esp
    movl $16909060,-4(%ebp)        /* n */
    movl $84281096,-16(%ebp)       /* x */
    addl $-8,%esp
    pushl $.LC0
    leal -12(%ebp),%eax            /* &buf */
    pushl %eax
    call strcpy                    /* strcpy(buf, .LC0) */
    addl $16,%esp
    addl $-8,%esp
    pushl $.LC1
    leal -12(%ebp),%eax
    pushl %eax
    call strcpy                    /* strcpy(buf, "Carnegiem;") */
    addl $16,%esp
    movb $108,-4(%ebp)             /* buf[8] = 0x6c: a byte store straight into n */
    movl $-4,%eax
    leal -12(%ebp),%edx
    movb $-88,(%eax,%edx)          /* buf[-4] = 0xa8 (-88): a byte store into x */
.L2:
    movl %ebp,%esp
    popl %ebp
    ret
--------------------------------------------------------
bufferoverflow.c
-----------------
/* Unbounded copy of caller-supplied data into an 8-byte stack buffer.
   string: NUL-terminated source of any length; no length is checked.
   n:      returned unchanged; it only exists as a value living in the frame.
   Any input longer than 7 characters runs past buf into whatever the
   compiler placed above it, which in a layout like localvars' ends at the
   saved %ebp and the return address.  That is the overflow this page is
   about; the bounded form is a length check plus
   snprintf(buf, sizeof buf, "%s", string). */
int bufoverflow(char* string, int n)
{
    char buf[8];
    strcpy(buf, string);           /* no bound: copies until the source's NUL */
    return n;
}

/* Reads one whitespace-delimited token from stdin and hands it to bufoverflow.
   "%s" with no field width reads arbitrarily many bytes, so main's own
   512-byte buf can overflow before bufoverflow is reached; "%511s" or
   fgets(buf, sizeof buf, stdin) would bound it.  main has no return
   statement: in C99 reaching its closing brace is equivalent to return 0. */
int main()
{
    char buf[512];
    scanf("%s", buf);
    bufoverflow(buf, -3);
}
exploit.c
----------
/* Computes |n| * 4.  On this page it serves only as a source of machine-code
   bytes for the objdump exercise below.  Note that -n overflows for INT_MIN
   and the shift overflows once |n| >= 2^29; both are undefined behaviour in
   C, though irrelevant to what the listing is used for here. */
int exploit(int n)
{
    return (n>=0 ? n : -n) << 2;
}
/* NOTE(review): gcc -s strips symbols; producing the exploit.s that the next
   command consumes needs the capital -S (compile to assembly).  Presumably
   a typo in the notes. */
unix> gcc -s exploit.c
unix> gcc -c exploit.s
unix> objdump -d exploit.o
/* The symbol name between the offset and the colon (objdump prints it in
   angle brackets) appears to have been lost in extraction. */
00000000 :
   0:   55             push %ebp
   1:   89 e5          mov %esp,%ebp
   3:   8b 55 08       mov 0x8(%ebp),%edx     /* n (first argument) */
   6:   85 d2          test %edx,%edx
   8:   7d 02          jge c
   a:   f7 da          neg %edx
   c:   c1 e2 02       shl $0x2,%edx
   f:   89 d0          mov %edx,%eax
  11:   eb 00          jmp 13
  13:   89 ec          mov %ebp,%esp
  15:   5d             pop %ebp
  16:   c3             ret
/* exploit.txt holds the 12 bytes at offsets 3..e above (mov through shl),
   i.e. position-independent machine code lifted out of the function body.
   sendstring presumably turns the hex text into raw bytes; od confirms the
   12 bytes plus a trailing 0x0a newline, 13 bytes in total (0000015 is an
   octal offset).  Feeding such bytes through an unbounded strcpy is exactly
   what bufoverflow above permits; bounding the copy removes that path, and
   non-executable stacks and stack canaries are the usual platform backstops. */
unix> cat exploit.txt
8b 55 08 85 d2 7d 02 f7 da c1 e2 02
unix> sendstring < exploit.txt > exploit.raw
unix> od -t x1 exploit.raw
0000000 8b 55 08 85 d2 7d 02 f7 da c1 e2 02 0a
0000015