Can someone tell me why I can't produce a buffer overflow in this: (and execute the hidden function)? The true output is supposted to be -> Hidden
Code:
(gdb) list 1,100
1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <string.h>
4
5
6 void func1(char *str1);
7 void hiddenFunc();
8
9
10 void hiddenFunc()
11 {
12
13 printf("Hidden");
14 }
15
16
17 void func1(char *str1)
18 {
19 char str2[8];
20
21 strcpy(str2,str1);
22
23
24 }
25
26
27 int main(int argc, char *argv[])
28 {
29 int a,b,c;
30
31 printf("Test text");
32
33
34 func1(argv[1]);
35
36 return 0;
37
38 }
39
40
41
42
43
44
(gdb) disass main
Dump of assembler code for function main:
0x080483e2 <main+0>: lea 0x4(%esp),%ecx
0x080483e6 <main+4>: and $0xfffffff0,%esp
0x080483e9 <main+7>: pushl 0xfffffffc(%ecx)
0x080483ec <main+10>: push %ebp
0x080483ed <main+11>: mov %esp,%ebp
0x080483ef <main+13>: push %ebx
0x080483f0 <main+14>: push %ecx
0x080483f1 <main+15>: sub $0x20,%esp
0x080483f4 <main+18>: mov %ecx,%ebx
0x080483f6 <main+20>: movl $0x8048507,(%esp)
0x080483fd <main+27>: call 0x80482c8 <printf@plt>
0x08048402 <main+32>: mov 0x4(%ebx),%eax
0x08048405 <main+35>: add $0x4,%eax
0x08048408 <main+38>: mov (%eax),%eax
0x0804840a <main+40>: mov %eax,(%esp)
0x0804840d <main+43>: call 0x80483c8 <func1>
0x08048412 <main+48>: mov $0x0,%eax
0x08048417 <main+53>: add $0x20,%esp
0x0804841a <main+56>: pop %ecx
0x0804841b <main+57>: pop %ebx
0x0804841c <main+58>: pop %ebp
0x0804841d <main+59>: lea 0xfffffffc(%ecx),%esp
0x08048420 <main+62>: ret
End of assembler dump.
(gdb) disass hiddenFunc
Dump of assembler code for function hiddenFunc:
0x080483b4 <hiddenFunc+0>: push %ebp
0x080483b5 <hiddenFunc+1>: mov %esp,%ebp
0x080483b7 <hiddenFunc+3>: sub $0x8,%esp
0x080483ba <hiddenFunc+6>: movl $0x8048500,(%esp)
0x080483c1 <hiddenFunc+13>: call 0x80482c8 <printf@plt>
0x080483c6 <hiddenFunc+18>: leave
0x080483c7 <hiddenFunc+19>: ret
End of assembler dump.
(gdb) x/xw &str2
0xbfd15f00: 0xbfd10041
(gdb) x/64x $esp
0xbfe5d400: 0xbfe5d410 0xbfe5dbf7 0x08048507 0xbfe5d424
0xbfe5d410: 0xbfe50041 0xbfe5d460 0xbfe5d448 0x08048412
0xbfe5d420: 0xbfe5dbf7 0x0024d210 0xbfe5d458 0x08048459
0xbfe5d430: 0x0013ba55 0xbfe5d4f0 0xbfe5d458 0x0024eff4
0xbfe5d440: 0xbfe5d460 0x0024eff4 0xbfe5d4b8 0x00125dec
0xbfe5d450: 0x008b9ca0 0x08048440 0xbfe5d4b8 0x00125dec
0xbfe5d460: 0x00000002 0xbfe5d4e4 0xbfe5d4f0 0x008ba810
0xbfe5d470: 0x00000000 0x00000001 0x00000001 0x00000000
0xbfe5d480: 0x0024eff4 0x008b9ca0 0x00000000 0xbfe5d4b8
0xbfe5d490: 0x3b4a8b6b 0x84bd02ba 0x00000000 0x00000000
0xbfe5d4a0: 0x00000000 0x008b2450 0x00125d1d 0x008b9fc0
0xbfe5d4b0: 0x00000002 0x080482e0 0x00000000 0x08048301
0xbfe5d4c0: 0x080483e2 0x00000002 0xbfe5d4e4 0x08048440
0xbfe5d4d0: 0x08048430 0x008ad5c0 0xbfe5d4dc 0x008b5f8b
0xbfe5d4e0: 0x00000002 0xbfe5dbde 0xbfe5dbf7 0x00000000
0xbfe5d4f0: 0xbfe5dbf9 0xbfe5dc18 0xbfe5dc28 0xbfe5dc33
./a.out `perl -e 'print "\xb4\x83\x04\x08"x20'`
Segmentation fault