Ajai

Reputation: 3490

Regarding state of stack

I have a program for which I wanted to understand the state the stack will be during its execution. My sample program is simple enough,

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */

int main(){
    setuid(0);            /* become root (only works if the binary is setuid-root) */
    system("/bin/bash");  /* spawn a shell */
    return 1;
}

Now when I debug this program with gdb I get the address of setuid() function but when I look at the stack I am not able to figure its address.

My stack's state after starting to execute main(),

Ajai@ubuntu:/tmp$ gdb -q mal
Reading symbols from /tmp/mal...done.
(gdb) b 2
Breakpoint 1 at 0x80483fd: file mal.c, line 2.
(gdb) r
Starting program: /tmp/mal 

Breakpoint 1, main () at mal.c:4
4        setuid(0);
(gdb) x/32xw $esp
0xbffff3a0:    0x0015ed35    0x0011ea50    0x0804842b    0x0028bff4
0xbffff3b0:    0x08048420    0x00000000    0xbffff438    0x00145e37
0xbffff3c0:    0x00000001    0xbffff464    0xbffff46c    0x0012e414
0xbffff3d0:    0xffffffff    0x0012cff4    0x08048243    0x00000001
0xbffff3e0:    0xbffff420    0x0011da31    0x0012dad0    0xb7fffb48
0xbffff3f0:    0x00000001    0x0028bff4    0x00000000    0x00000000
0xbffff400:    0xbffff438    0xb68cac87    0x61d0d5f8    0x00000000
0xbffff410:    0x00000000    0x00000000    0x00000001    0x08048340
(gdb) p setuid
$1 = {<text variable, no debug info>} 0x1c8ee0 <setuid>

Am I looking at the stack wrong?

I also wanted to know how the address of the setuid() function call and its parameter, and the system() function call and its parameter, will be stored on the stack when main() starts to execute.

I am sorry if this kind of question has already been asked but I could not find one.

Upvotes: 0

Views: 186

Answers (2)

Employed Russian

Reputation: 213385

Your question is exceedingly unclear, likely because you do not understand how stack and calls work and interact.

Somehow you are expecting to find the address of setuid on the stack before that function has been called. But that address wouldn't be there at all (neither before the call, nor while the call is in progress, nor after it has finished).

If you set a breakpoint on setuid itself, run to that breakpoint, and examine the stack, you'll see the address in main (not of main itself, but of the instruction in main that follows the CALL instruction that got you into setuid in the first place).

I assume this is how the stack looks when execution is about to go to the setuid() function (assuming I have a breakpoint at the setuid function call):

1. call to setuid()

2. return address to be reached after the setuid() function call

3. parameters to the setuid() function.

As I said, your assumptions are incorrect: there is no "call to setuid" on the stack (but 2. and 3. are correct).

Upvotes: 4
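The point made in this answer (the callee's own address is not on the stack, but the return address into the caller is) can be checked in code rather than by reading gdb output. The following program is an added example, not code from the question or from either answer. It assumes GCC or Clang (for `__builtin_return_address` and `__builtin_frame_address`) and a conventional frame-pointer layout; the function names `callee`, `caller` and `run_frame_probe` are my own. Inside `callee` it records the return address and scans the stack words above its frame for (a) that return address and (b) its own entry address, then `return_address_is_in_caller` checks that the recorded return address lies inside `caller`'s body, i.e. just after the CALL.

```c
#include <stdint.h>
#include <stdio.h>

#define SCAN_WORDS 32   /* how many machine words above our frame to inspect */

struct frame_report {
    uintptr_t callee_addr;       /* entry address of the function that was CALLed */
    uintptr_t return_addr;       /* address of the instruction after the CALL in the caller */
    int return_addr_on_stack;    /* 1 if return_addr was found in the words above our frame */
    int callee_addr_on_stack;    /* 1 if our own entry address was found there (expected: 0) */
};

static struct frame_report report;

/* noinline: keep a real CALL instruction so a frame and a return address exist. */
__attribute__((noinline)) static int callee(int arg)
{
    uintptr_t ret = (uintptr_t)__builtin_return_address(0);
    /* Words at and above the frame pointer belong to the saved frame pointer,
       the return address and the caller's frame, so our own locals are not scanned. */
    uintptr_t *fp = (uintptr_t *)__builtin_frame_address(0);

    report.callee_addr = (uintptr_t)&callee;
    report.return_addr = ret;
    report.return_addr_on_stack = 0;
    report.callee_addr_on_stack = 0;
    for (int i = 0; i < SCAN_WORDS; i++) {
        uintptr_t w = fp[i];
        if (w == ret)
            report.return_addr_on_stack = 1;
        if (w == report.callee_addr)
            report.callee_addr_on_stack = 1;
    }
    return arg + 1;
}

__attribute__((noinline)) static int caller(void)
{
    int r = callee(41);
    /* Use the result after the call so the compiler cannot turn it into a tail jump. */
    return r * 2;
}

/* Runs the probe and returns the filled-in report. */
struct frame_report run_frame_probe(void)
{
    caller();
    return report;
}

/* 1 if the recorded return address falls inside caller()'s code, i.e. right after the CALL. */
int return_address_is_in_caller(void)
{
    run_frame_probe();
    uintptr_t start = (uintptr_t)&caller;
    return report.return_addr > start && report.return_addr < start + 256;
}

int main(void)
{
    struct frame_report r = run_frame_probe();
    printf("callee entry address : 0x%lx (found on stack: %d)\n",
           (unsigned long)r.callee_addr, r.callee_addr_on_stack);
    printf("return address       : 0x%lx (found on stack: %d)\n",
           (unsigned long)r.return_addr, r.return_addr_on_stack);
    printf("return address inside caller(): %d\n", return_address_is_in_caller());
    return 0;
}
```

On a 32-bit x86 build this corresponds directly to the gdb session above: the word the CALL pushed is an address inside main, and `setuid`'s own address (`0x1c8ee0` in the question) never appears; the argument `0` sits just above the return address in main's frame. That pushed return address is also exactly what a stack buffer overflow overwrites, which is why stack canaries and shadow stacks protect that slot rather than anything about the callee's address.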

gnometorule

Reputation: 2139

As ER points out, single-step through the assembly instructions. The address of the function called is usually put into the EAX register prior to the function call. Check that, or whatever else your compiler puts it in.

Upvotes: 1
