Re: [Debian-audit] Generic questions about potential attack types.

From: Dunceor . <dunceor_at_gmail.com>
Date: Thu, 10 Mar 2005 15:05:45 +0100

to be exact 0x41 is 'A' :)

This is just something that is commonly used to see if the overflow
causes an overwrite of EIP, which means we can direct the flow our
way.

// Dunceor

On Thu, 10 Mar 2005 13:26:20 +0000, Steve Kemp <steve_at_shellcode.org> wrote:
> On Thu, Mar 10, 2005 at 01:28:17PM +0100, Uwe Hermann wrote:
>
> > > You can check if it's a stack-based buffer overflow by doing this in
> > > gdb and seeing if the value of EIP is 0x41414141.
> > >
> > > $ export HOME=`blah`
> > > $ gdb program
> > > (gdb) r
> > > [crashes horribly]
> > > (gdb) bt
> > > (gdb) i r
> > > (gdb) q
> > >
> > > You might have to try lots of different sizes than 1000 to reach a state
> > > where you control all of EIP.
> >
> > Please elaborate. Why exactly 0x41414141 and how or why do I control
> > all of EIP? Do you know any good introductory papers/URLs about this?
>
> This is often used as an example. What Ulf is saying is that if you
> set HOME=aaaaaaaaaa .. aaaaa then you're looking to see that the
> register EIP has been overwritten with the value 0x41, where 0x41
> is the hex code for the ASCII value 'a'.
>
> Any introduction to buffer overflows such as 'Smashing the Stack
> for Fun And Profit' covers this.
>
> Specifically for environmental overflows this might prove useful:
>
> http://shellcode.org/Exploit/generic.html
>
> Steve
> --
> # The Debian Security Audit Project.
> http://www.debian.org/security/audit
>
>
> _______________________________________________
> Debian-audit mailing list
> Debian-audit_at_shellcode.org
> http://shellcode.org/mailman/listinfo/debian-audit
>

----------------------------------------------------------
dunceor_at_gmail.com || kasj2307_at_student.uu.se
puffy.nu/~dunceor/
Received on Thu Mar 10 2005 - 14:05:46 GMT
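As an added example (not code from this thread or from the Debian Security Audit Project), a small C file that makes the two points above concrete: `pattern_bytes()` counts how many bytes of a saved register value carry the fill byte, so 0x41414141 gives 4 (EIP fully overwritten by the input) and a value such as 0x08044141 gives 2 (only partially overwritten, the "try other sizes" case Ulf mentions), and `copy_env_bounded()` is the bounded copy of an environment value that keeps such an overflow from happening in the first place. The function names and the 1000-byte sample value are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Crash-triage helper: count how many of the four bytes of a 32-bit register
 * value equal the fill byte used for the oversized environment variable.
 * 4 means the register holds only the fill (the 0x41414141 case), 1-3 means a
 * partial overwrite, so the register is not yet fully controlled by the input. */
int pattern_bytes(uint32_t reg, uint8_t fill)
{
    int n = 0;
    for (int i = 0; i < 4; i++) {
        if (((reg >> (8 * i)) & 0xffu) == fill)
            n++;
    }
    return n;
}

/* Defensive counterpart: copy an environment value into a fixed-size buffer
 * only if it fits including the terminator. Returns 0 on success and -1 if the
 * value is missing or too long; a plain strcpy() here is the bug class that the
 * long-$HOME test in the thread is probing for. */
int copy_env_bounded(const char *value, char *dst, size_t dstlen)
{
    if (value == NULL || dstlen == 0)
        return -1;
    size_t len = strlen(value);
    if (len >= dstlen)      /* would overflow: refuse rather than truncate silently */
        return -1;
    memcpy(dst, value, len + 1);
    return 0;
}

int main(void)
{
    char buf[64];
    /* Constructed sample input: 1000 bytes of 'A' standing in for $HOME. */
    char *fake_home = malloc(1001);
    memset(fake_home, 'A', 1000);
    fake_home[1000] = '\0';

    printf("bytes of EIP=0x41414141 that are 'A': %d\n", pattern_bytes(0x41414141u, 'A'));
    printf("bytes of EIP=0x08044141 that are 'A': %d\n", pattern_bytes(0x08044141u, 'A'));
    printf("1000-byte HOME into 64-byte buffer: %d\n",
           copy_env_bounded(fake_home, buf, sizeof buf));
    printf("\"/home/user\" into 64-byte buffer: %d\n",
           copy_env_bounded("/home/user", buf, sizeof buf));
    free(fake_home);
    return 0;
}
```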
