I wrote that exact code into an overflow.c
file, and got the following main()
. I disassembled with objdump --disassemble overflow
0804846d <main>:
804846d: 55 push %ebp
804846e: 89 e5 mov %esp,%ebp
8048470: 83 e4 f0 and $0xfffffff0,%esp
8048473: 81 ec a0 00 00 00 sub $0xa0,%esp
8048479: 8b 45 0c mov 0xc(%ebp),%eax
804847c: 89 44 24 0c mov %eax,0xc(%esp)
8048480: 65 a1 14 00 00 00 mov %gs:0x14,%eax
8048486: 89 84 24 9c 00 00 00 mov %eax,0x9c(%esp)
804848d: 31 c0 xor %eax,%eax
804848f: 8b 44 24 0c mov 0xc(%esp),%eax
8048493: 83 c0 04 add $0x4,%eax
8048496: 8b 00 mov (%eax),%eax
8048498: 89 44 24 04 mov %eax,0x4(%esp)
804849c: 8d 44 24 1c lea 0x1c(%esp),%eax
80484a0: 89 04 24 mov %eax,(%esp)
80484a3: e8 98 fe ff ff call 8048340 <strcpy@plt>
80484a8: b8 00 00 00 00 mov $0x0,%eax
80484ad: 8b 94 24 9c 00 00 00 mov 0x9c(%esp),%edx
80484b4: 65 33 15 14 00 00 00 xor %gs:0x14,%edx
80484bb: 74 05 je 80484c2 <main+0x55>
80484bd: e8 6e fe ff ff call 8048330 <__stack_chk_fail@plt>
80484c2: c9 leave
80484c3: c3 ret
Unfortunately I don't think there is a way for you to know how much the stack is going to be aligned at that point. You do know that it won't be more than 16 bytes. A dirty solution would be to write the 0x84 bytes to reach the alignment section. Then write the 4 byte value you want to overwrite EBP and/or the return address with 6 times. This would also smash the stack completely if the alignment was less than 16 bytes. But if you gain execution you could fix it up to a working state in your shellcode.
To go a bit further lets perform this same operation in a different function. Which would be a lot more likely of a scenario than a main()
. So now we have the following:
1 #include <stdio.h>
2 #include <string.h>
3
4 int function(char **argv) {
5 char buf[128];
6
7 strcpy(buf, argv[1]);
8
9 return 0;
10 }
11
12 int main(int argc, char **argv) {
13 return function(argv);
14 }
Which disassembles to:
0804846d <function>:
804846d: 55 push %ebp
804846e: 89 e5 mov %esp,%ebp
8048470: 81 ec a8 00 00 00 sub $0xa8,%esp
8048476: 8b 45 08 mov 0x8(%ebp),%eax
8048479: 89 85 64 ff ff ff mov %eax,-0x9c(%ebp)
804847f: 65 a1 14 00 00 00 mov %gs:0x14,%eax
8048485: 89 45 f4 mov %eax,-0xc(%ebp)
8048488: 31 c0 xor %eax,%eax
804848a: 8b 85 64 ff ff ff mov -0x9c(%ebp),%eax
8048490: 83 c0 04 add $0x4,%eax
8048493: 8b 00 mov (%eax),%eax
8048495: 89 44 24 04 mov %eax,0x4(%esp)
8048499: 8d 85 74 ff ff ff lea -0x8c(%ebp),%eax
804849f: 89 04 24 mov %eax,(%esp)
80484a2: e8 99 fe ff ff call 8048340 <strcpy@plt>
80484a7: b8 00 00 00 00 mov $0x0,%eax
80484ac: 8b 55 f4 mov -0xc(%ebp),%edx
80484af: 65 33 15 14 00 00 00 xor %gs:0x14,%edx
80484b6: 74 05 je 80484bd <function+0x50>
80484b8: e8 73 fe ff ff call 8048330 <__stack_chk_fail@plt>
80484bd: c9 leave
80484be: c3 ret
Since it's not a main function you don't have that pesky and esp, 0xfffffff0
operation in there. You can perform your subtraction just like you normally would have expected.
I hope this answers your question.