/* file: vulnerable.c
   ------------------
   author:  Ted Baker
   version: $Version$
   last modified by: $Author: cop4610 $ on: $Date: 2002/08/21 19:28:41 $
   purpose: illustrate buffer overflow vulnerability

   The use of strcpy() here, on a string whose length has not been
   checked first, makes this program vulnerable to buffer overflow.
   Such unchecked overflows can be exploited to force the process
   to execute a different program.  This is the kind of vulnerability
   in system software that is exploited frequently by hackers.

 */

#include <unistd.h> 
#include <stdlib.h>
#include <stdio.h> 
#include <string.h>
#include <ctype.h>
#include <signal.h>

char const * arg;

void sub () {
  char buf[10];
  int i;
  strcpy (buf, arg);
  for (i = 0; i <= (94 / sizeof (int)) + 1; i++)
    fprintf (stderr, "%10x\n", *(int *) (buf + i*sizeof (int)));
  fprintf (stderr, "%s\n", buf);
  fprintf (stderr, "%10x\n", (int *) &buf[28]);
}

/*

ebp = 0xbffffa28
sp  = 0xbffffa00

Activation record size = 0x28 = 44

Bytes               Occupied by
0xbffffa24 - 27     saved base pointer
0xbffffa20 - 23     (maybe padding?)
0xbffffa10 - 19     buf[0-9]
0xbffffa0c - 0f     i
0xbffffa00 - 0b     (maybe padding?)

At instruction 080484f6 ("sub $0x8,%esp) the activation record
size is 44 bytes, and buf[] is 16 bytes below the top of the stack.
The return address is just below the activation record, 44 bytes
below the top of the stack, and 28 bytes below the start of buf[].

(gdb) disassem
Dump of assembler code for function sub:                 stack effect
0x80484f0 <sub>:        push   %ebp                       +4 =  4  (old base pointer)
0x80484f1 <sub+1>:      mov    %esp,%ebp                
0x80484f3 <sub+3>:      sub    $0x28,%esp                +40 = 44
0x80484f6 <sub+6>:      sub    $0x8,%esp                  +8 = 52
0x80484f9 <sub+9>:      pushl  0x804978c                  +4 = 56
0x80484ff <sub+15>:     lea    0xffffffe8(%ebp),%eax
0x8048502 <sub+18>:     push   %eax                       +4 = 60
0x8048503 <sub+19>:     call   0x80483d8 <strcpy>
0x8048508 <sub+24>:     add    $0x10,%esp                -16 = 44
0x804850b <sub+27>:     sub    $0x4,%esp                  +4 = 48
0x804850e <sub+30>:     lea    0xffffffe8(%ebp),%eax
0x8048511 <sub+33>:     push   %eax                       +4 = 52
0x8048512 <sub+34>:     push   $0x8048620                 +4 = 56
0x8048517 <sub+39>:     pushl  0x8049770                  +4 = 60
0x804851d <sub+45>:     call   0x8048388 <fprintf>
0x8048522 <sub+50>:     add    $0x10,%esp                -16 = 44
0x8048525 <sub+53>:     sub    $0x4,%esp                  +4 = 48
0x8048528 <sub+56>:     movsbl 0x4(%ebp),%eax
0x804852c <sub+60>:     push   %eax                       +4 = 52
0x804852d <sub+61>:     push   $0x8048624                 +4 = 56
0x8048532 <sub+66>:     pushl  0x8049770                  +4 = 60
0x8048538 <sub+72>:     call   0x8048388 <fprintf>
0x804853d <sub+77>:     add    $0x10,%esp                 -1 = 44
0x8048540 <sub+80>:     leave                             
0x8048541 <sub+81>:     ret    
End of assembler dump.

*/

int main (int argc, const char *argv[]) {
  if (argc != 2) {
     fprintf (stderr, "this program expects a single command-line argument\n");
     exit (-1);
  }
  arg = argv[1];

  kill (getpid(), SIGSTOP);

  sub ();
  return 0;
}

/*

(gdb) disassem
Dump of assembler code for function main:
0x8048544 <main>:       push   %ebp
0x8048545 <main+1>:     mov    %esp,%ebp
0x8048547 <main+3>:     sub    $0x8,%esp
0x804854a <main+6>:     cmpl   $0x2,0x8(%ebp)
0x804854e <main+10>:    je     0x8048570 <main+44>
0x8048550 <main+12>:    sub    $0x8,%esp
0x8048553 <main+15>:    push   $0x8048640
0x8048558 <main+20>:    pushl  0x8049770
0x804855e <main+26>:    call   0x8048388 <fprintf>
0x8048563 <main+31>:    add    $0x10,%esp
0x8048566 <main+34>:    sub    $0xc,%esp
0x8048569 <main+37>:    push   $0xffffffff
0x804856b <main+39>:    call   0x80483c8 <exit>
0x8048570 <main+44>:    mov    0xc(%ebp),%eax
0x8048573 <main+47>:    add    $0x4,%eax
0x8048576 <main+50>:    mov    (%eax),%eax
0x8048578 <main+52>:    mov    %eax,0x804978c
0x804857d <main+57>:    call   0x80484f0 <sub>
0x8048582 <main+62>:    mov    $0x0,%eax
0x8048587 <main+67>:    leave  
0x8048588 <main+68>:    ret    
End of assembler dump.

*/