Why do some memory addresses in GDB appear shorter than others?
In one of my classes for school I was given this code, and asked to give it text input in order to perform a buffer overflow exploit on it to make it print "You Won!" when I run it. Here is the code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>

void win() {
    printf( "You Won!");
}

void lose() {
    printf( "You lost!");
}

int check(char* name) {
    char buffer[16];
    /* Unbounded copy: a name longer than 15 characters plus the NUL
       spills past buffer[] into the rest of check()'s stack frame. */
    strcpy( buffer, name );
    printf( "Your name is: %s \n", buffer);
    printf( "The buffer address is [%p].\n", &buffer );
    // Call the random function
    srand(time(NULL));
    return rand();
}

int main(int argc, char **argv) {
    int randnum;
    randnum = check(argv[1]);   /* argv[1] is passed through unchecked */
    if(randnum < 5) {
        win();
    } else {
        lose();
    }
    // Return everything is OK
    return( 0 );
}
I compiled this using gcc -g -m32 -fno-stack-protector Vulnerable.cpp
To find the return address of strcpy I used GDB to view the stack and see the memory fill up until I got this error on the output so I knew that the return address had overwritten the return address:
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
To write the exploit to make it run win() I know I need to replace those B's in my input with the memory address associated with win(). To find this address I disassembled main and found where the call to win was and the memory address associated with it:
0x00001ed7 <+55>: call 0x1db0 <win()>
Why does the memory address 0x1db0 appear the way it does? Shouldn't it be 0x00001db0?
Also, if anyone can explain how I can write that address at the end of my input in order for it to return to the win function, that would be awesome.
I am a little lost on what direction I should go in for this assignment so any help would be appreciated.
Upvotes: 2
Views: 623
Why does the memory address 0x1db0 appear the way it does? Shouldn't it be 0x00001db0?
It's the same; exactly as with regular decimal numbers, zeroes on the left can be ignored. Addresses are usually printed zero-padded either to keep columns aligned (for example in the addresses on the left of the disassembled output), to help spot addresses visually or just out of habit.
In this case, in the resolved jump target they didn't add zero padding; it's not a big deal, either they did it on purpose (because there's nothing to keep aligned there, and to keep lines shorter) or it "just happened" that somebody wrote %x instead of %08x. The only way to know is to look up the line that prints that address in the gdb VCS, see who did that commit and ask him.
Upvotes: 0
The x86 instruction set has several different variations of the CALL instruction that take different parameter sizes. CALL with a 16-bit relative address can be used to call functions whose addresses are close to that of the call site.
Upvotes: 2