[Java entry] Buffer Overflow programming experience

Source: Internet
Author: User

There is a lot of material about buffer overflows on the Internet, but while reading it I found the explanations unclear: most sites are just translations of one foreign article, the content has defects, and the program cannot be made to work because the GCC version differs. After several days of thinking I finally understood the real principle, and I am writing it up here to share.

Test environment:
$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.2.3/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --host=i386-redhat-linux
Thread model: posix
gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-24)

$ gdb -v
GNU gdb Red Hat Linux (6.0post-0.20031117.6rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".

$ uname -a
Linux candy 2.4.21-9.EL #1 Thu Jan 8 17:03:13 EST 2004 i686 athlon i386 GNU/Linux

Instance:
There are similar examples on the Internet, but they cannot be reproduced correctly because the key jump offset is not calculated correctly (it depends on the GCC version).
/************
 * a.c
 ************/
#include <stdio.h>   /* for printf; the original omitted it, which is one source of the compiler warning */

void function(void)
{
    char buffer[5];
    int *ret;

    ret = (int *)(buffer + 28);   /* 28 bytes past buffer is the saved return address */
    (*ret) += 10;                 /* advance the return address past the "x = 1" store */
}

void main()
{
    int x;

    x = 0;
    function();

    x = 1;
    printf("%d", x);

    return;
}
/* end */

Anyone who knows C would expect the final output to be 1, but unfortunately the output is 0. Why? The explanation follows.

Instance analysis:
I won't repeat the basic knowledge about the stack here; it is explained in plenty of places on the Internet.
The key issue is how the values 28 and 10 in the source lines
    ret = buffer + 28;
    (*ret) += 10;
were determined.

Compile (there will be a warning; don't worry about it):
$ gcc -g -o a a.c    // -g adds debugging information for gdb

$ gdb a
(gdb) disas main    // the disassembly is as follows:
Dump of assembler code for function main:
0x08048366 <main+0>:    push   %ebp
0x08048367 <main+1>:    mov    %esp,%ebp
0x08048369 <main+3>:    sub    $0x8,%esp
0x0804836c <main+6>:    and    $0xfffffff0,%esp
0x0804836f <main+9>:    mov    $0x0,%eax
0x08048374 <main+14>:   sub    %eax,%esp
0x08048376 <main+16>:   movl   $0x0,0xfffffffc(%ebp)
0x0804837d <main+23>:   call   0x8048348 <function>
0x08048382 <main+28>:   movl   $0x1,0xfffffffc(%ebp)
0x08048389 <main+35>:   sub    $0x8,%esp
0x0804838c <main+38>:   pushl  0xfffffffc(%ebp)
0x0804838f <main+41>:   push   $0x8048474
0x08048394 <main+46>:   call   0x8048288 <printf>
0x08048399 <main+51>:   add    $0x10,%esp
0x0804839c <main+54>:   leave
0x0804839d <main+55>:   ret
End of assembler dump.

(gdb) disas function
Dump of assembler code for function function:
0x08048348 <function+0>:    push   %ebp
0x08048349 <function+1>:    mov    %esp,%ebp
0x0804834b <function+3>:    sub    $0x28,%esp
0x0804834e <function+6>:    lea    0xffffffe8(%ebp),%eax
0x08048351 <function+9>:    add    $0x1c,%eax
0x08048354 <function+12>:   mov    %eax,0xffffffe4(%ebp)
0x08048357 <function+15>:   mov    0xffffffe4(%ebp),%edx
0x0804835a <function+18>:   mov    0xffffffe4(%ebp),%eax
0x0804835d <function+21>:   mov    (%eax),%eax
0x0804835f <function+23>:   add    $0xa,%eax
0x08048362 <function+26>:   mov    %eax,(%edx)
0x08048364 <function+28>:   leave
0x08048365 <function+29>:   ret
End of assembler dump.

From this we can see that when main executes the instruction at 0x0804837d, call 0x8048348 <function>, it pushes the address of the next instruction, 0x08048382, onto the stack as the return address. Our goal is to change this saved value to the address of the following instruction, 0x08048389, so that the statement x = 1 is skipped. The key question is where on the stack the value 0x08048382 is stored.
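As an added check that is not part of the original article, the following Python script derives the two constants from the disassembly excerpts above: the lea places buffer at %ebp-0x18, adding 0x1c reaches %ebp+4 (the saved return address), and in main the instruction after the call is 0x08048382, so adding 10 lands on 0x0804838c, the pushl, skipping the movl that stores x = 1 (the skipped sub $0x8,%esp is harmless because leave restores %esp from %ebp). The dump strings are constructed excerpts of the page's gdb output with the <function+N>/<main+N> labels restored.

```python
import re

# Constructed excerpt of the two gdb "disas" dumps shown on the page
# (only the instructions the analysis depends on; <label> text restored).
FUNCTION_DUMP = """\
0x0804834e <function+6>:   lea    0xffffffe8(%ebp),%eax
0x08048351 <function+9>:   add    $0x1c,%eax
"""
MAIN_DUMP = """\
0x08048376 <main+16>:  movl   $0x0,0xfffffffc(%ebp)
0x0804837d <main+23>:  call   0x8048348 <function>
0x08048382 <main+28>:  movl   $0x1,0xfffffffc(%ebp)
0x08048389 <main+35>:  sub    $0x8,%esp
0x0804838c <main+38>:  pushl  0xfffffffc(%ebp)
"""

LINE = re.compile(r"^(0x[0-9a-f]+)\s+<[^>]+>:\s+(\S+)\s*(.*)$")

def parse(dump):
    """Return [(address, mnemonic, operands)] for each instruction line."""
    out = []
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return out

def signed32(v):
    """gdb prints negative %ebp displacements as 32-bit two's complement."""
    return v - (1 << 32) if v & 0x80000000 else v

def ret_slot_offset(dump):
    """Offset of (buffer + constant) from %ebp; +4 is the saved return address."""
    insns = parse(dump)
    disp = next(signed32(int(re.match(r"(0x[0-9a-f]+)\(%ebp\)", ops).group(1), 16))
                for _, mn, ops in insns if mn == "lea")
    add = next(int(re.match(r"\$(0x[0-9a-f]+)", ops).group(1), 16)
               for _, mn, ops in insns if mn == "add")
    return disp + add   # -24 + 28 = 4

def return_targets(dump, callee, delta):
    """(saved return address, address reached after adding delta, its mnemonic)."""
    insns = parse(dump)
    idx = next(i for i, (_, mn, ops) in enumerate(insns)
               if mn == "call" and ops.startswith(hex(callee)))
    saved = insns[idx + 1][0]
    landed = saved + delta
    mnem = next(mn for a, mn, _ in insns if a == landed)
    return saved, landed, mnem
```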

Continue in gdb:
(gdb) l    // display the source code (possible because -g was used at compile time)
5
6       ret = buffer + 28;
7       (*ret) += 10;
8   }
9
10  void main()
11  {
12      int x;
13
14      x = 0;

(gdb) b 6    // set breakpoints to observe memory at the critical points
Breakpoint 1 at 0x804834e: file a.c, line 6.
(gdb) b 7
Breakpoint 2 at 0x8048357: file a.c, line 7.
(gdb) r
Breakpoint 1, function () at rr.c:6
6       ret = buffer + 28;
(gdb) i reg    // observe the register values (note ebp, esp and eip)
