Tags: c, linux, buffer-overflow, setjmp

Exploiting a buffer overflow in a jmp_buf struct


I need help to exploit a buffer overflow on a jmp_buf structure.

I have the following values on the stack (seen by gdb):

0xbffffc40:     0xb7fd8ff4      0x080485a0      0x080483f0      0xbffffcf8
0xbffffc50:     0xebf06081      0x1d0a15ee

The second one is the next IP (after the setjmp), but if I modify it I do not change the behavior of my program.

I noticed that I can change the flow (and obtain a segmentation fault) only if I modify the value of the last one.

But I cannot understand the meaning of the last word, or how to change it to obtain the desired behavior.


Solution

  • I am trying to do the same at the moment. I do not know what OS you are using, but I found the following documentation (at http://freebsd.active-venture.com/FreeBSD-srctree/newsrc/dev/vinum/vinummemory.c.html) for FreeBSD which simply describes the jmpbuf struct:

    /* FreeBSD vinum JmpBuf layout (i386), annotated with the words
     * from the question's gdb dump in the order they appear there. */
    struct JmpBuf {
        int jb_ebx; // in your case --> 0xb7fd8ff4
        int jb_esp; // in your case --> 0x080485a0
        int jb_ebp; // in your case --> 0x080483f0
        int jb_esi; // in your case --> 0xbffffcf8
        int jb_edi; // in your case --> 0xebf06081
        int jb_eip; // in your case --> 0x1d0a15ee
    };

    Therefore 0x080485a0 would be the stored ESP and not EIP, which would explain the segfault in your case...
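As an added example (not code from the question or the answer above): a small C program that reads a jmp_buf back as raw words after setjmp() and flags which ones are plain pointers into the current stack or into this function's code, so the slot order can be checked on your own libc and architecture rather than taken from the FreeBSD source. The function names, the 4 KiB window heuristic and the labels are my own assumptions; the fact that glibc stores the saved stack pointer and program counter in mangled form (so they are reported as "other") is not from the page.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a saved word in a jmp_buf looks like when read back raw. */
enum slot_kind { SLOT_STACK, SLOT_TEXT, SLOT_OTHER };

/* Classify one word by the region it points into: the stack window
 * [stack_lo, stack_hi] or the code window [text_lo, text_hi]. */
enum slot_kind classify_word(uintptr_t w, uintptr_t stack_lo, uintptr_t stack_hi,
                             uintptr_t text_lo, uintptr_t text_hi)
{
    if (w >= stack_lo && w <= stack_hi) return SLOT_STACK;
    if (w >= text_lo && w <= text_hi) return SLOT_TEXT;
    return SLOT_OTHER;
}

/* Fill a jmp_buf with setjmp(), dump its raw words and count how many are
 * recognisable plain pointers into this frame's stack or this function's
 * code. The layout is libc- and arch-specific (the answer's ordering is
 * FreeBSD/i386); on glibc the saved SP and PC are stored mangled, so they
 * show up as "other" even though they are pointers. */
int count_plain_slots(void)
{
    jmp_buf env;
    volatile char marker = 0;                 /* a stack address to anchor on */
    uintptr_t sp = (uintptr_t)&marker;
    uintptr_t pc = (uintptr_t)count_plain_slots;
    uintptr_t words[sizeof(jmp_buf) / sizeof(uintptr_t)];
    int plain = 0;

    if (setjmp(env) != 0)
        return -1;                            /* never longjmp'd to, so unreached */
    memcpy(words, &env, sizeof words);        /* read the buffer as raw words */
    for (size_t i = 0; i < sizeof words / sizeof words[0]; i++) {
        enum slot_kind k = classify_word(words[i], sp - 4096, sp + 4096,
                                         pc - 4096, pc + 4096);
        const char *label = k == SLOT_STACK ? "stack" : k == SLOT_TEXT ? "code" : "other";
        printf("word %2zu: 0x%0*lx  %s\n", i, (int)(2 * sizeof(uintptr_t)),
               (unsigned long)words[i], label);
        if (k != SLOT_OTHER) plain++;
    }
    return plain;
}

int main(void) { printf("plain pointer slots: %d\n", count_plain_slots()); return 0; }
```

Compare the dump against the register values gdb shows at the same point to see which slot holds which register on your system, and which slots do not match any raw register value at all.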