EC312 Homework 6
Name: _______Solutions___________________
Read: (1) Lecture 6 Notes
(2) Hacking, the Art of Exploitation, pages 69-75
1.
Analyze the following program and use the debugger ( gdb) to answer some of the questions.
#include<stdio.h>
int maximum(int x, int y, int z)
{
int max;
if(x > y)
{
max = x;
}
else
{
max = y;
}
if(z > max)
{
max = z;
}
return max;
}
int main()
{
int number1, number2, number3;
printf("Enter three numbers and I will tell you the largest: ");
scanf( "%d %d %d" , &number1 , &number2 , &number3 );
printf("The largest is %d \n", maximum(number1 , number2 , number3) );
}
a. Is x a parameter or an argument?
x is a parameter
b. Why does the function maximum have a type of int?
This is used to indicate that the function maximum will return a value of type int.
c. What will happen if there are 3 arguments and 4 parameters?
The compiler will throw an error when you attempt to compile with gcc
d. Is z stored in the stack frame for maximum or the stack frame for main?
z is stored on the stack frame for main, above the main variables.
e. If when debugging this program you put a break after the scanf command , and looked at some of the
important registers ( i r eip esp ebp) and then printed out 20 words from the stack pointer ( x/20x $esp),
you might find where in memory your input values are stored? Where are they relative to ebp?
The input values will be stored in the main stack frame, above ebp.
1
f. If when debugging this program you put a break at return max, and looked at the base pointer
(i r ebp) it has changed now that you are in the function, what address would be stored at this memory
location- what is it’s importance?
The address stored at this memory location will be the old value of ebp, i.e. the ebp
corresponding to the main stack frame, as depicted in the figure below. Recall that when the
function is called, the old value of ebp will be stored at the top of the main stack frame. The
stack frame for the function maximum will then be set up immediately above the main stack
frame, and ebp will be adjusted to indicate the base of the stack frame for the function maximum
(i.e. it will point to the next address immediately below the stack frame for the function
maximum). Therefore it will also be pointing to the very top of the stack frame for main, where
we have stored the old value of ebp.
g. If you then typed x/xw $ebp+4, at what pertinent information would you be looking?
Now you would be looking at the 4 bytes stored immediately beneath the location where we
stored the old value of ebp, which will be the saved return address for the instruction pointer.
(See figure below.)
2.
Enter and compile the following C program
void test_function( int a, int b, int c, int d, int e)
{
int flag;
char buffer[ 10 ];
flag = 1234
buffer[ 0 ]
buffer[ 1 ]
buffer[ 2 ]
;
= 'U' ;
= 'S' ;
= 'A' ;
}
int main( )
{
test_function( 5, 6, 7, 8 , 9 ) ;
}
(a)
Using a breakpoint, run your program using the debugger up to the call to test_function
(using break test_function). [Note that the command break test_function will actually
set a breakpoint at the first line of test_function rather than at the function call in main.] Sketch
a picture of the stack frame for main, showing where the base pointer and stack pointer are pointing to,
2
and show where the arguments to test function are stored in memory (i.e., where the values 5, 6, 7, 8 and
9 are stored in memory).
.
(b)
Run the program up to the point of reaching the closing brace of test_function. Sketch the
contents of the stack frame for test_function as well as the additional memory locations below the
base pointer. Show the location of the base pointer and stack pointer on your figure. Note on your
sketch:
• the location of flag
• the location of buffer
• the location of the return address
• the location of the prior value of the base pointer
See attached spreadsheet and following notes:
1) Your exact addresses may differ from the addresses shown on the solution sheet, but the relative layout
of your memory (i.e. the distances between data items) should be the same
2) In part (a), typing break test_function will set a breakpoint at the first line of the function
definition of test_function rather than the function call in main. This means that the values of the
function arguments which are stored in memory for the parameters of test_function (i.e. 5,6,7,8,9) will
already be loaded onto the stack, but the current values of ebp and esp will correspond to the
test_function stack frame, not the main stack frame. To find the values of ebp and esp
corresponding to the main stack frame, note that the current ebp points to the top of the main stack
frame, and the saved ebp address for main is stored at the current ebp.
a. Note: There are other ways to approach this problem. One could set a breakpoint in main and use
i r ebp esp to determine the location of the main stack frame, and then set a breakpoint in the
test_function and use the examine command to find the where 5,6,7,8,9 are stored in memory
3
Homework 6, Problem 2
(a) Main Stack Frame
esp-main points here
ebp-main points here
0xbffff800
0xbffff801
0xbffff802
0xbffff803
0xbffff804
0xbffff805
0xbffff806
0xbffff807
0xbffff808
0xbffff809
0xbffff80a
0xbffff80b
0xbffff80c
0xbffff80d
0xbffff80e
0xbffff80f
0xbffff810
0xbffff811
0xbffff812
0xbffff813
0xbffff814
0xbffff815
0xbffff816
0xbffff817
0xbffff818
05
00
00
00
06
00
00
00
07
00
00
00
08
00
00
00
09
00
00
00
b0
83
04
08
a
b
c
d
e
(b) Test_function Stack Frame
0xbfff7ce
0xbffff7cf
esp-test_function points here 0xbffff7d0
0xbffff7d1
0xbffff7d2
0xbffff7d3
0xbffff7d4
0xbffff7d5
0xbffff7d6
0xbffff7d7
0xbffff7d8
0xbffff7d9
0xbffff7da
0xbffff7db
0xbffff7dc
0xbffff7dd
0xbffff7de
0xbffff7df
0xbffff7e0
0xbffff7e1
0xbffff7e2
0xbffff7e3
0xbffff7e4
0xbffff7e5
0xbffff7e6
0xbffff7e7
0xbffff7e8
0xbffff7e9
0xbffff7ea
0xbffff7eb
0xbffff7ec
0xbffff7ed
0xbffff7ee
0xbffff7ef
0xbffff7f0
0xbffff7f1
0xbffff7f2
0xbffff7f3
0xbffff7f4
0xbffff7f5
0xbffff7f6
0xbffff7f7
ebp-test_function points here 0xbffff7f8
0xbffff7f9
0xbffff7fa
0xbffff7fb
0xbffff7fc
0xbffff7fd
0xbffff7fe
0xbffff7ff
0xbffff800
55 = "U"
53 = "S"
41 = "A"
00
58
95
04
08
e8
f7
ff
bf
49
82
04
08
29
e7
f9
b7
f4
5f
fd
b7
18
f8
ff
bf
d2
04
00
00
f4
5f
fd
b7
ac
f8
ff
bf
18
f8
ff
bf
9b
83
04
08
05
buffer
flag
(i.e. 0x000004d2)
prior value of ebp
(i.e. 0xbffff818)
Return address
( i.e. 0x0804839b)