Question:
Buffer Overflow Vulnerability Exploit - simple example - please help!?
brett
2019-09-11 06:36:50 UTC
I've been working on this for hours, and I've hit a wall where I'm making no more progress. I get the impression that someone who is familiar with this would be able to point me in the right direction pretty quickly. Any advice would be greatly appreciated.

I am trying to create a shell to exploit a buffer overflow vulnerability on Ubuntu Linux. I have a simple C code with a buffer overflow vulnerability. It reads a list of hexadecimal values from a data.txt file and sorts them and prints the output. If I input more than 17 hexadecimal values into the data.txt file, I get a segfault (as expected). If I use less than 17, it runs fine.
I have used GDB debugger to find the addresses in memory of system, the function parameter for system (/bin/sh), and exit.
I tried putting those memory addresses into the data.txt file, but I still get a segfault instead of spawning a shell.
Do they need to be in a certain order? If so, how do I keep the sorting feature from messing that order up once I achieve it? And how do I figure out that order in the first place? Or is there something else I'm doing wrong?

Will put code into a response (too long for post)
Three answers:
?
2019-09-11 08:08:39 UTC
And what are you trying to do with your buffer overflow exactly?

If you're trying to use an overflow to change the things before EBP and change the behaviour of "return" to turn it into a call, where ebp+4 would be the return address, then you should not forget that in the middle (at address EBP) there is the old EBP address, which you should not replace by anything.

Also you might be overflowing in the wrong direction (I think this is machine-dependent), something which can be checked by looking at the assembler code instead of guessing.
husoski
2019-09-11 07:23:26 UTC
What's with fgets() into a line so that you can then use sscanf() to parse it? Using fscanf(fp, "%lx", line+n) will get that done in one step.

I can't see what you've got on the stack frame, but the only way that a stack overrun is going to cause code to execute is by overwriting a return address on the stack. That needs to point to machine code in memory, and any intervening words (between the array on the stack and the return address) need to have reasonable values. A segfault can come from the register restore sequence loading a bad value into the stack or base pointer registers, and not just from using an invalid data pointer loaded from the stack frame.

PS, in addition to comments:

** If the code sorts the data then all of your careful planning goes down the old flusher. **

PPS: Also, about debugging: You can use the debugger to do your proof-of-concept overrun.

Comment out the sort, feed it a file that doesn't overflow, set a gdb breakpoint to stop after the data has been read. Then use gdb to patch in the changes to the stack you think should work, then step through the function return in assembly mode, one machine instruction at a time, to see if it works or what goes wrong when it doesn't.

The same set of patched values almost certainly won't work in the "release" build, since both code generation and linker libraries are different.
brett
2019-09-11 06:37:15 UTC
Here are the files:

This is the original Data.Txt file.

DEADBEEF
1
ABCDEF
1234567
0123
BEEFDEAD
DEEDBADD
A0
F
800813S



This is sort.c file code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/*
 * a toy program for learning stack buffer
 * overflow exploiting
 * It reads a list of hex data from the
 * specified file, and performs bubble sorting
 */

#define SORT_ME 1 //Comment this out and recompile if you do not want the function to sort your values.

long n = 0, c = 0, d = 0, v = 0;
FILE *fp = NULL;

void SortData()
{
    long swap = 0;
    long array[17];

    // loading data to array
    printf("Source list:\n");
    char line[sizeof(long) * 2 + 1] = {0};
    while (fgets(line, sizeof(line), fp)) {
        if (strlen((char *)line) > 1) {
            // n is never checked against 17: every value after the 17th is
            // written past the end of array[] into the rest of the stack frame
            sscanf(line, "%lx", &(array[n]));
            printf("0x%lx\n", array[n]);
            ++n;
        }
    }
    fclose(fp);

#ifdef SORT_ME
    for (c = 0; c < (n - 1); c++)
    {
        v = c;
        for (d = (c + 1); d < n; d++)
        {
            if (array[d] < array[v])
            {
                // Swap the found minimum element with the first element
                swap     = array[d];
                array[d] = array[v];
                array[v] = swap;
            }
        }
    }
#endif

    // output sorting result
    printf("\nSorted list in ascending order:\n");
    for (c = 0; c < n; c++)
        printf("%lx\n", array[c]);
}

int main(int argc, char **argv)
{
    if (argc != 2)
    {
        printf("Usage: ./sort file_name\n");
        return -1;
    }

    // From http://stackoverflow.com/questions/5141960/get-the-current-time-in-c
    time_t rawtime;
    struct tm *timeinfo;
    time(&rawtime);
    timeinfo = localtime(&rawtime);
    printf("Current local time and date: %s\n\n", asctime(timeinfo));

    fp = fopen(argv[1], "rb");
    if (fp == NULL)
    {
        perror(argv[1]);
        return -1;
    }
    SortData();
    return 0;
}

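A bounded version of the loading loop in sort.c, added here as an example and not code from the question or either answer: it keeps the same 17-entry array and the same 17-byte line buffer, but refuses input that would exceed the array, which is exactly the write past array[] that produces the segfault described in the question. The load_and_sort_text() wrapper, the use of fmemopen() and the SAMPLE_INPUT constant are my additions so it can be run on in-memory input.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>
#define MAX_VALUES 17             /* same fixed capacity as array[17] in sort.c */

/* Bounded replacement for the loading loop in SortData(): stores at most
 * `cap` values instead of writing past the array, returning -1 for the input
 * that segfaults the original. Lines without a hex number are skipped. */
int load_hex_values(FILE *fp, long *array, size_t cap, size_t *count)
{
    char line[sizeof(long) * 2 + 1] = {0};   /* same line buffer as sort.c */
    size_t n = 0; long value;
    while (fgets(line, sizeof(line), fp)) {
        if (sscanf(line, "%lx", &value) != 1)
            continue;                        /* blank or non-hex line */
        if (n >= cap)
            return -1;                       /* would overflow: reject input */
        array[n++] = value;
    }
    *count = n;
    return 0;
}

/* Same selection-style sort as sort.c, limited to the n stored values. */
void sort_values(long *array, size_t n)
{
    for (size_t c = 0; c + 1 < n; c++)
        for (size_t d = c + 1; d < n; d++)
            if (array[d] < array[c]) {
                long swap = array[d];
                array[d] = array[c];
                array[c] = swap;
            }
}

/* Parse constructed in-memory input and sort it; returns the value count
 * or -1 on overflow. fmemopen() is POSIX and available on Ubuntu/glibc. */
int load_and_sort_text(const char *text, long *array, size_t cap)
{
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    size_t n = 0;
    int rc = fp ? load_hex_values(fp, array, cap, &n) : -1;
    if (fp) fclose(fp);
    if (rc != 0) return -1;
    sort_values(array, n);
    return (int)n;
}
/* Constructed sample mirroring the data.txt posted in the question. */
const char SAMPLE_INPUT[] = "DEADBEEF\n1\nABCDEF\n1234567\n0123\nBEEFDEAD\nDEEDBADD\nA0\nF\n800813S\n";
```

As in sort.c, a line longer than 16 characters is split by fgets() into two reads and parsed as two values, so a hardened reader should also reject over-long lines.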

This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.