Reputation: 10324
I need help to exploit a buffer overflow on a jmp_buf structure.
I have the following values on the stack (as seen in gdb):
0xbffffc40: 0xb7fd8ff4 0x080485a0 0x080483f0 0xbffffcf8
0xbffffc50: 0xebf06081 0x1d0a15ee
The second one is the next IP (after the setjmp), but if I modify it, I do not change the behavior of my program.
I noticed that I can change the flow (and obtain a segmentation fault) only if I modify the value of the last one.
But I cannot understand the meaning of the last word and how to change it to obtain the desired behavior.
Upvotes: 1
Views: 1735
Reputation: 183
I am trying to do the same at the moment. I do not know what OS you are using, but I found the following documentation (@ http://freebsd.active-venture.com/FreeBSD-srctree/newsrc/dev/vinum/vinummemory.c.html) for FreeBSD which simply describes the jmpbuf struct:
struct JmpBuf {
    int jb_ebx; // in your case --> 0xb7fd8ff4
    int jb_esp; // in your case --> 0x080485a0
    int jb_ebp; // in your case --> 0x080483f0
    int jb_esi; // in your case --> 0xbffffcf8
    int jb_edi; // in your case --> 0xebf06081
    int jb_eip; // in your case --> 0x1d0a15ee
};
Therefore 0x080485a0 would be the stored ESP and not the EIP, which would explain the segfault in your case...
Upvotes: 2
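On Linux with glibc for i386 the jmp_buf slot order is ebx, esi, edi, ebp, esp, eip, and glibc stores the esp and eip slots pointer-mangled (XOR with a per-process secret guard, then rotate left by 9 bits), so those two words never look like plain addresses in a gdb dump. The added C example below is not from either post; it reimplements that transformation with a constructed guard (DEMO_GUARD) and a constructed return address to show why a raw address written over the saved-eip slot is decoded by longjmp into an unrelated target that faults.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed guard for the demonstration.  In glibc the real value is
 * random per process and lives in the TCB (%gs:POINTER_GUARD), where
 * code that merely reads or overwrites a jmp_buf cannot see it. */
#define DEMO_GUARD 0x3A9F11E5u

static uint32_t rol32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }
static uint32_t ror32(uint32_t v, unsigned n) { return (v >> n) | (v << (32 - n)); }

/* glibc i386 PTR_MANGLE, applied by setjmp to esp and eip before storing
 * them: xor with the guard, then rotate left by 9 bits. */
uint32_t ptr_mangle(uint32_t ptr, uint32_t guard)
{
    return rol32(ptr ^ guard, 9);
}

/* glibc i386 PTR_DEMANGLE, applied by longjmp before it jumps:
 * rotate right by 9 bits, then xor with the guard. */
uint32_t ptr_demangle(uint32_t word, uint32_t guard)
{
    return ror32(word, 9) ^ guard;
}

/* Where longjmp would transfer control if the saved-eip slot holds
 * `slot`: the legitimately stored word decodes back to the setjmp
 * return address, a raw address written over the slot decodes to an
 * unrelated value, which is why such an overwrite just segfaults. */
uint32_t longjmp_target(uint32_t slot, uint32_t guard)
{
    return ptr_demangle(slot, guard);
}

int main(void)
{
    uint32_t ret_addr = 0x080483f0u;   /* constructed setjmp return address */
    uint32_t saved = ptr_mangle(ret_addr, DEMO_GUARD);

    printf("setjmp return address   : 0x%08x\n", ret_addr);
    printf("word stored in jmp_buf  : 0x%08x\n", saved);
    printf("longjmp target (intact) : 0x%08x\n", longjmp_target(saved, DEMO_GUARD));
    printf("longjmp target (slot overwritten with raw 0x%08x): 0x%08x\n",
           ret_addr, longjmp_target(ret_addr, DEMO_GUARD));
    return 0;
}
```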