4
votes

So I've been reading about buffer overflows and Aleph One's article on stack smashing. I think I understand everything, except for this little bit in his exploit code:

ptr = buff;                     /* start at the beginning of buff */
addr_ptr = (long *) ptr;        /* view the bytes of buff as an array of words */
for (i = 0; i < bsize; i += 4)  /* advance one 4-byte word per iteration */
   *(addr_ptr++) = addr;        /* store addr, then move to the next word */

buff and ptr are char arrays. addr holds a stack pointer that points to a place in memory at the start of the stack. bsize is the size of buff. What is it doing? Why is he saying i+=4? What is he setting addr_ptr equal to, and why? When I try to print it out I just get NULL.

Here's the link to the article: http://insecure.org/stf/smashstack.html

Thanks.

1
He shouldn't be using a magic number like that. Does telling you it should be i += sizeof(*addr_ptr) (i.e. i += sizeof(long)) give you a hint? - GManNickG
Thanks, that does help. So 4 could vary based on the system, and he's basically moving addr_ptr to the end of the array while ensuring there's enough space for it? - user1710304
It could vary by system in theory; it's almost certainly either 4 or 8 on any system we'll use, which is why he hardcoded 4. (I think one should avoid doing that when the alternative is so simple, like it is here.) - GManNickG

1 Answer

3
votes

He is moving by 4 bytes each time to progress one word (8 bits * 4 bytes = 32-bit word). Note that he comments about his guess and test method in the paragraph following your code example.

He is shooting in the dark, attempting to overflow the buffer. addr_ptr is being set to the address of ptr, then is being pushed along the buffer within the for loop.
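As an added example (not from the question, the answer or Aleph One's article), the stand-alone C program below runs the same pointer-stepping loop with sizeof(long) in place of the literal 4, reads the words back instead of printing the buffer as a string, and reports how many bytes the original loop would store past the end of a buffer whose size is not a multiple of 4. The buffer size, the address value and the function names are constructed for this demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fill buf with copies of addr one machine word at a time, using the same
 * cast and post-increment as the loop in the question, but stepping by
 * sizeof(long) instead of 4 and bounding the loop in whole words so that a
 * bsize that is not a multiple of the word size cannot push a store past
 * the end of buf.  Returns the number of words written. */
size_t fill_words(char *buf, size_t bsize, long addr)
{
    long *addr_ptr = (long *) buf;   /* view the bytes as an array of longs */
    size_t i, words = 0;
    for (i = 0; i + sizeof(long) <= bsize; i += sizeof(long)) {
        *(addr_ptr++) = addr;        /* store one word, advance one word */
        words++;
    }
    return words;
}

/* Read back word n of buf.  Printing buf with %s shows little when a byte of
 * addr is 0 (the "string" ends there); reading it word by word does not. */
long word_at(const char *buf, size_t n)
{
    long value;
    memcpy(&value, buf + n * sizeof(long), sizeof value);
    return value;
}

/* Bytes the original `i < bsize; i += 4` loop stores past the end of a
 * bsize-byte buffer: its last iteration writes a full 4-byte word even when
 * fewer than 4 bytes remain. */
size_t overrun_bytes(size_t bsize)
{
    size_t rem = bsize % 4;
    return rem == 0 ? 0 : 4 - rem;
}

/* Constructed demo buffer; 34 is deliberately not a multiple of 4 or 8. */
static _Alignas(long) char demo_buff[34];

int main(void)
{
    long addr = 0x41424344L;   /* constructed sample value, not a real address */
    size_t n = fill_words(demo_buff, sizeof demo_buff, addr);
    printf("word size %zu: wrote %zu words, first 0x%lx, last 0x%lx\n",
           sizeof(long), n, word_at(demo_buff, 0), word_at(demo_buff, n - 1));
    printf("original loop would overrun by %zu bytes\n",
           overrun_bytes(sizeof demo_buff));
    return 0;
}
```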