Reputation: 8968
I'm trying to play with buffer overflows. I don't understand what's going on here with the value of eip.
Here is the C code:
#include <string.h>

void copy(char *arg) {
    char msg[256];
    strcpy(msg, arg);   /* no length check: an arg longer than 255 bytes overflows msg */
}
The assembly for it:
0x804847d <copy+25>: call 0x8048368 <strcpy@plt>
0x8048482 <copy+30>: leave
0x8048483 <copy+31>: ret
I input as an argument a string like "_\xAA\xBB\xCC\xDD" with a size calculated so that the last 4 bytes will be 4 bytes after $ebp (in order to overwrite the real return address). And it seems to work.
In gdb:
(break before strcpy)
x/2wx $ebp
0xbffffb38: 0xbffffb58 0x080484d2
n
(just after strcpy execution)
x/2wx $ebp
0xbffffb38: 0x80cdd189 0x080484b6
...
n
...
x/2wx $ebp
0xbffffb38: 0x80cdd189 0x080484b6
So the return address was 0x080484d2, and after my overflow it is 0x080484b6, which is what I want. But the program exits: "Cannot access memory at address 0x80cdd18d".
I don't know why $eip was not set to my address, and because of the address of the code in 0x08048... I am pretty confident that $ebp+4 was the place containing the return address.
I tried again with a string 4 bytes smaller, and this time it overwrote $ebp and not $ebp+4, and after the return $eip was set to the value contained in $ebp+4.
Any explanations?
Upvotes: 2
Views: 4501
Reputation: 8968
OK, so thanks @Wumpus Q. Wumbley, this helped me understand things.
Doing next jumps over leave and ret altogether. ret is the instruction that changes eip; it must be the equivalent of pop eip. But leave modifies the stack pointers esp and ebp before it (especially because when I am overwriting ebp+4 I also change the value contained at ebp).
TL;DR: Not overwriting the value at ebp makes it work successfully.
Upvotes: 1
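As an added example (not code from the question or from either answer), the C program below models the instructions the answer talks about on a small fake 32-bit stack: the frame as "push %ebp; mov %esp,%ebp" leaves it (saved ebp at ebp, return address at ebp+4), then "leave" (mov %ebp,%esp; pop %ebp) and "ret" (pop into eip). It replays the two overflows from the question, the one that reaches ebp+4 and the one 4 bytes shorter, plus the variant the TL;DR recommends, where the saved ebp is rewritten with its original value so only the return address changes. The two code addresses 0x080484d2 and 0x080484b6 are taken from the gdb output in the question; every other address, the frame layout (msg[256] sitting directly below the saved ebp), the 'A' filler, and the assumption that the code at the hijacked eip eventually reaches the caller's own "leave; ret" are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model parameters. All are assumptions except ORIG_RET and TARGET, which are the
 * two values shown in the question's gdb output. */
#define STACK_BASE  0xbffffa00u           /* assumed lowest modeled stack address          */
#define STACK_SIZE  512u                  /* bytes of modeled stack                         */
#define COPY_EBP    (STACK_BASE + 400u)   /* assumed %ebp inside copy()                     */
#define CALLER_EBP  (STACK_BASE + 440u)   /* assumed %ebp of the function that called copy  */
#define CALLER_RET  0x08048300u           /* assumed return address of that caller          */
#define MSG_ADDR    (COPY_EBP - 256u)     /* assumed: msg[256] directly below the saved ebp */
#define ORIG_RET    0x080484d2u           /* from the page: copy()'s original return address */
#define TARGET      0x080484b6u           /* from the page: the address the overflow writes  */

struct cpu {
    uint32_t esp, ebp, eip;
    uint8_t  mem[STACK_SIZE];   /* mem[a - STACK_BASE] is the byte at address a, little-endian */
    bool     fault;             /* first access outside the modeled stack ("Cannot access memory") */
    uint32_t fault_addr;
};

struct outcome {
    uint32_t ebp_after_copy_ret;   /* %ebp after copy()'s "leave; ret"         */
    uint32_t eip_after_copy_ret;   /* %eip after copy()'s "leave; ret"         */
    uint32_t eip_after_caller_ret; /* %eip after the caller's own "leave; ret" */
    bool     fault;
    uint32_t fault_addr;
};

static bool in_stack(uint32_t addr, uint32_t len) {
    return addr >= STACK_BASE && addr - STACK_BASE + len <= STACK_SIZE;
}

static uint32_t rd32(struct cpu *c, uint32_t addr) {
    if (c->fault) return 0;                 /* once faulted, stay faulted, like a dead process */
    if (!in_stack(addr, 4)) { c->fault = true; c->fault_addr = addr; return 0; }
    const uint8_t *p = c->mem + (addr - STACK_BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

static void wr32(struct cpu *c, uint32_t addr, uint32_t v) {
    if (!in_stack(addr, 4)) { c->fault = true; c->fault_addr = addr; return; }
    put32(c->mem + (addr - STACK_BASE), v);
}

/* The epilogue, exactly as the question's disassembly shows it at copy+30 / copy+31. */
static uint32_t pop32(struct cpu *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }
static void x86_leave(struct cpu *c) { c->esp = c->ebp; c->ebp = pop32(c); }  /* mov %ebp,%esp; pop %ebp */
static void x86_ret(struct cpu *c)   { c->eip = pop32(c); }                   /* in effect, pop %eip    */

/* strcpy() semantics: copies src plus its terminating NUL, with no bounds check. */
static void sim_strcpy(struct cpu *c, uint32_t dst, const uint8_t *src, size_t n) {
    for (size_t i = 0; i <= n; i++) {
        if (!in_stack(dst + i, 1)) { c->fault = true; c->fault_addr = dst + i; return; }
        c->mem[dst + i - STACK_BASE] = i < n ? src[i] : 0;
    }
}

/* Frames as "push %ebp; mov %esp,%ebp" leaves them: saved ebp at ebp, return address at ebp+4. */
static void setup_frames(struct cpu *c) {
    memset(c, 0, sizeof *c);
    wr32(c, CALLER_EBP,     0xbffffbf0u);   /* assumed saved %ebp of the caller's caller */
    wr32(c, CALLER_EBP + 4, CALLER_RET);
    wr32(c, COPY_EBP,       CALLER_EBP);    /* copy()'s saved %ebp                        */
    wr32(c, COPY_EBP + 4,   ORIG_RET);      /* copy()'s return address                    */
    c->ebp = COPY_EBP;
    c->esp = MSG_ADDR;
}

/* Constructed argument: `filler` bytes of 'A', optionally the correct saved ebp, then TARGET.
 * Runs strcpy(msg, arg), then copy()'s epilogue, then the caller's epilogue. */
static struct outcome run(size_t filler, bool keep_saved_ebp) {
    struct cpu c;
    uint8_t arg[STACK_SIZE];
    struct outcome o = {0};
    size_t n = filler;
    memset(arg, 'A', filler);
    if (keep_saved_ebp) { put32(arg + n, CALLER_EBP); n += 4; }
    put32(arg + n, TARGET); n += 4;

    setup_frames(&c);
    sim_strcpy(&c, MSG_ADDR, arg, n);
    x86_leave(&c); x86_ret(&c);           /* copy+30, copy+31 */
    o.ebp_after_copy_ret = c.ebp;
    o.eip_after_copy_ret = c.eip;
    x86_leave(&c); x86_ret(&c);           /* assumed: code at eip reaches the caller's epilogue */
    o.eip_after_caller_ret = c.eip;
    o.fault = c.fault;
    o.fault_addr = c.fault_addr;
    return o;
}

int main(void) {
    static const struct { const char *name; size_t filler; bool keep; } cases[] = {
        { "260 x 'A' + TARGET (clobbers saved ebp and return address)", 260, false },
        { "256 x 'A' + TARGET (4 bytes shorter: hits saved ebp only)",   256, false },
        { "256 x 'A' + saved ebp + TARGET (return address only)",        256, true  },
    };
    for (size_t i = 0; i < 3; i++) {
        struct outcome o = run(cases[i].filler, cases[i].keep);
        printf("%s\n  after copy's ret: ebp=0x%08x eip=0x%08x\n", cases[i].name,
               o.ebp_after_copy_ret, o.eip_after_copy_ret);
        if (o.fault) printf("  caller's epilogue: cannot access memory at 0x%08x\n", o.fault_addr);
        else         printf("  caller's epilogue: returned to eip=0x%08x\n", o.eip_after_caller_ret);
    }
    return 0;
}
```

In the first case copy's own ret does land on 0x080484b6, just as the question observed, but the caller's leave then loads the clobbered saved ebp (0x41414141 here) into esp and its pop/ret read from there. That matches the shape of the failure in the question: the reported address 0x80cdd18d is the overwritten saved ebp 0x80cdd189 plus 4, which is where ret would read once leave had moved that value into esp. The second case shows a detail worth remembering with strcpy: when the 4 address bytes land on the saved ebp, the terminating NUL lands on the low byte of the return address, so in the model copy returns to 0x08048400 rather than 0x080484d2. The third case keeps the frame chain intact and the caller returns normally.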
Reputation: 9377
If this is for x86 (as opposed to x86-64), the usual function prologue involves pushing ebp and then assigning it the value of esp, which would leave the return address on the stack at ebp+4.
Take a look at a disassembly of your function, and see if the first instructions look like this:
pushl %ebp
movl %esp, %ebp
If so, this is the cause of the offset.
Upvotes: 0