On Thu, Mar 10, 2005 at 01:28:17PM +0100, Uwe Hermann wrote:
> > You can check if it's a stack-based buffer overflow by doing this in
> > gdb and seeing if the value of EIP is 0x41414141.
> >
> > $ export HOME=`blah`
> > $ gdb program
> > (gdb) r
> > [crashes horribly]
> > (gdb) bt
> > (gdb) i r
> > (gdb) q
> >
> > You might have to try lots of different sizes than 1000 to reach a state
> > where you control all of EIP.
>
> Please elaborate. Why exactly 0x41414141 and how or why do I control
> all of EIP? Do you know any good introductory papers/URLs about this?
This is often used as an example. What Ulf is saying is that if you
set HOME=aaaaaaaaaa .. aaaaa then you're looking to see that the
register EIP has been overwritten with the value 0x41, where 0x41
is the hex code for the ASCII value 'a'.
Any introduction to buffer overflows such as 'Smashing the Stack
for Fun And Profit' covers this.
Specifically for environmental overflows this might prove useful:
http://shellcode.org/Exploit/generic.html
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
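The gdb check Ulf describes, written up as an added crash-triage helper (example code, not from this thread): it starts the program under gdb with an oversized environment variable, then reads the `eip` line from `info registers eip` and reports whether the register is fully, partly or not at all made of the filler byte. The program name, variable name and size are assumptions passed on the command line; the sample gdb output in the test is constructed.

```python
"""Triage helper: does an oversized environment variable land in EIP?

Assumes an i386 target and a gdb on PATH; run as
    python3 triage.py ./program HOME 1000
"""
import re
import subprocess
import sys

# Batch commands gdb runs after the variable is set: crash, dump EIP, backtrace.
GDB_CMDS = ["run", "info registers eip", "bt"]


def fill(size: int, byte: str = "A") -> str:
    """Build the overlong value. 'A' is 0x41, so a fully clobbered EIP reads 0x41414141."""
    return byte * size


def classify_eip(gdb_output: str, byte: str = "A") -> str:
    """Return 'full' if every byte of EIP is the filler, 'partial' if some are, else 'none'.

    Parses the line gdb prints for 'info registers eip', e.g.
        eip            0x41414141          0x41414141
    """
    m = re.search(r"^\s*eip\s+0x([0-9a-f]+)", gdb_output, re.M | re.I)
    if not m:
        return "none"  # no register dump: the program did not crash or gdb failed
    value = m.group(1).rjust(8, "0")      # gdb drops leading zeros
    marker = f"{ord(byte):02x}"
    hits = [value[i:i + 2] == marker for i in range(0, 8, 2)]
    if all(hits):
        return "full"
    return "partial" if any(hits) else "none"


def triage(program: str, var: str, size: int) -> str:
    """Run program under gdb with var set to `size` filler bytes and classify EIP."""
    cmds = ["-ex", f"set environment {var} {fill(size)}"]
    for c in GDB_CMDS:
        cmds += ["-ex", c]
    proc = subprocess.run(["gdb", "-q", "-batch", *cmds, "--args", program],
                          capture_output=True, text=True)
    return classify_eip(proc.stdout)


if __name__ == "__main__":
    prog, var, size = sys.argv[1], sys.argv[2], int(sys.argv[3])
    print(f"{var} with {size} bytes -> EIP control: {triage(prog, var, size)}")
```

A 'partial' result means the overflow reaches only some of the saved return address at this size, which is why different sizes have to be tried before concluding anything.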