tags:

views:

308

answers:

2
+3  Q: 

how to know location of return address on stack c/c++

i have been reading about a function that can overwrite its return address.

void foo(const char* input)
{
    char buf[10];

    //What? No extra arguments supplied to printf?
    //It's a cheap trick to view the stack 8-)
    //We'll see this trick again when we look at format strings.
    printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n% p\n\n"); //%p ie expect pointers

    //Pass the user input straight to secure code public enemy #1.
    strcpy(buf, input);
    printf("%s\n", buf);

    printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
}

It was sugggested that this is how the stack would look like

Address of foo = 00401000

My stack looks like:
00000000
00000000
7FFDF000
0012FF80
0040108A <-- We want to overwrite the return address for foo.
00410EDE

Question:
-. Why did the author arbitrarily choose the second last value as the return address of foo()?

-. Are values added to the stack from the bottom or from the top?

  • apart from the function return address, what are the other values i apparently see on the stack? ie why isn't it filled with zeros

Thanks.

+1  A: 

The one above it is the previous EBP (0012FF80). The value above the prev-EBP is always the return address.

(This obviously assumes a non-FPO binary and 32bit Windows)1.

If you recall, the prologue looks like:

push ebp      ; back up the previous ebp on the stack
mov ebp, esp  ; set up the new frame pointer

and when a function is called, e.g.

call 0x00401000

The current EIP is pushed on the stack (used as the return address), so the stack after the prologue looks like:

[ebp+0xc]  ; contains parameter 1, etc
[ebp+0x8]  ; contains parameter 0
[ebp+0x4]  ; contains return address
[ebp]      ; contains prev-EBP

So for each %p, printf uses the next 4 bytes starting from [ebp+0xc] (the first %p parameter). Eventually you hit the previous EBP value stored on the stack, which is (0012FF80) and then the next one is the Return Address.

Note these addresses must 'make sense', which they clearly do here (though it may not be 'clear' for all).

Re Q2) The stack grows down. So when you push eax, 4 is subtracted from esp, then the value of eax is moved to [esp], equivalently in code:

push eax
;  <=>
sub esp, 4
mov [esp], eax
  1. The book is Writing Secure Code, yes?
Alex  2010-04-19 09:48:42
yes. Second edition
Dr Deo  2010-04-19 10:23:41
A fine choice. [padding]
Alex  2010-04-19 10:24:43
A: 

printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n% p\n\n" , what ,,,,,)

"My stack looks like:\n%p\n%p\n%p\n%p\n%p\n% p\n\n"

that is an string you must say to the string what %p is

gcc  2010-04-19 10:01:46
No; that format string is there to make printf extract from the stack (without anybody putting there anything) 6 pointers and display them.
Matteo Italia  2010-04-19 10:06:13

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS