So I've been reading about buffer overflows and Aleph One's article on stack smashing. I think I understand everything, except for this little bit in his exploit code:

ptr = buff;   
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
   *(addr_ptr++) = addr;

buff and ptr are char arrays. addr holds a stack pointer that points to a place in memory at the start of the stack. bsize is the size of buff. What is it doing? Why is he saying i+=4? What is he setting addr_ptr equal to, and why? When I try to print it out I just get NULL.

Here's the link to the article: http://insecure.org/stf/smashstack.html

Thanks.

  • He shouldn't be using a magic number like that. Does telling you it should be i += sizeof(*addr_ptr) (i.e. i += sizeof(long)) give you a hint? Commented Oct 3, 2012 at 23:57
  • Thanks, that does help. So 4 could vary based on the system, and he's basically moving addr_ptr to the end of the array while ensuring there's enough space for it? Commented Oct 4, 2012 at 3:14
  • 1
    It could very by system in theory, it's almost certainly either 4 or 8 on any system we'll use, which is why he hardcoded 4. (I think one should avoid doing that when the alternative is so simple, like it is here.) Commented Oct 4, 2012 at 3:18

1 Answer

He is moving by 4 bytes each time to progress one word (8 bits * 4 bytes = 32-bit word). Note that he comments about his guess and test method in the paragraph following your code example.

He is shooting in the dark, attempting to overflow the buffer. addr_ptr is being set to the address of ptr, then is being pushed along the buffer within the for loop.

1 Comment

Oh, okay. So if it's being pushed along the buffer, does that mean that the address is being copied multiple times into the buffer? Or is it only copied once and then moved to the end of buffer, so that the address is only in buff once? Basically is he trying to put the address at the end of the buffer? But thanks for your answer, I think things have become clearer for me now.
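The following is an added example, written for this page and not taken from the original answer or from Aleph One's exploit, showing what the loop does to the buffer. It uses the same names as the snippet (buff, ptr, addr_ptr, addr, bsize), but replaces the hard-coded 4 with sizeof(long) as the comments suggest, and separately computes how many bytes the original loop would write on a platform where long is 8 bytes. The buffer size and the value stored in addr are arbitrary constructed inputs, not addresses from a real target.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill buff with back-to-back copies of addr, one long at a time.
 * This is the same idea as the loop in the question, but the step is
 * sizeof(long) rather than the magic number 4, so the byte index i and
 * the pointer addr_ptr advance together on both 32- and 64-bit systems.
 * Returns the number of copies written. */
static size_t fill_with_addr(char *buff, size_t bsize, long addr)
{
    char *ptr = buff;
    long *addr_ptr = (long *) ptr;   /* view the char buffer as an array of longs */
    size_t i;

    for (i = 0; i + sizeof(long) <= bsize; i += sizeof(long))
        *(addr_ptr++) = addr;        /* write one copy, then move to the next slot */

    return i / sizeof(long);
}

/* Count how many aligned long-sized slots in buff hold exactly addr.
 * memcpy avoids relying on the buffer's alignment when reading back. */
static size_t count_addr_copies(const char *buff, size_t bsize, long addr)
{
    size_t n = 0, off;
    long word;

    for (off = 0; off + sizeof(long) <= bsize; off += sizeof(long)) {
        memcpy(&word, buff + off, sizeof(long));
        if (word == addr)
            n++;
    }
    return n;
}

/* How many bytes the original loop writes for a given bsize: the loop body
 * runs once for every i in 0,4,8,... below bsize, and each run stores
 * sizeof(long) bytes. With a 4-byte long that is bsize bytes; with an
 * 8-byte long it is about 2*bsize, so the filler loop itself would run
 * past the end of buff before the target program is ever reached. */
static size_t bytes_written_by_original_loop(size_t bsize)
{
    size_t iterations = (bsize + 3) / 4;
    return iterations * sizeof(long);
}

/* Allocate a buffer of bsize bytes (a constructed test input), fill it,
 * and return how many copies of addr can be read back from it. */
static size_t demo(size_t bsize, long addr)
{
    char *buff = malloc(bsize);
    size_t written, found;

    if (buff == NULL)
        return 0;
    memset(buff, 0, bsize);

    written = fill_with_addr(buff, bsize, addr);
    found = count_addr_copies(buff, bsize, addr);

    free(buff);
    return (written == found) ? found : 0;
}

int main(void)
{
    size_t bsize = 64;                 /* constructed: small buffer for illustration */
    long addr = (long) 0x41424344;     /* constructed: a placeholder, not a real stack address */

    printf("sizeof(long) = %zu bytes\n", sizeof(long));
    printf("%zu copies of 0x%lx fit in a %zu-byte buffer\n",
           demo(bsize, addr), (unsigned long) addr, bsize);
    printf("original loop (i += 4) would write %zu bytes into that buffer\n",
           bytes_written_by_original_loop(bsize));
    return 0;
}
```

So the address is not placed once at the end: every word-sized slot of buff ends up holding the same value, which is what makes the exact position of the saved return address on the stack unimportant as long as the overflow lands anywhere in the filled region.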
