What exactly are you doing to change the return address? How are you actually changing the stack? The function doesn't return to the address in your ret variable, it returns to the return value that's placed on the stack.

Also, did you keep in mind that the function arguments are also placed on the stack? The return address is placed between the saved frame pointer (or local variables) and function arguments.

Hope this helps.

ZF

Excuse me for my ignorance. I didn't read the first post properly. You were actually changing the return address by pointing to it's location and then incrementing it, doh! That should work.

The problem lies in this piece of code;

ret = (int *)buffer1 + 16;

You need to take the the sum of buffer1 and 16 together en then cast it to an int pointer. So it goes like this;

ret = (int *)(buffer1 + 16);

This should do the trick assuming the rest of your math is correct.

ZF

You have to keep in mind that the bytes are aligned on the stack with 4 byte values.

So let's say we have a 22 byte local buffer filled with a's. The bottom part of your stack looks like these.

----------------------------------------------------------------------

0       a a a a
4       a a a a
8       a a a a
12      a a a a
16      a a a a
20      a a 0 0  <- The compiler puts some padding to keep things properly aligned.
24      %%%% <- sfp
28       %%%% <- eip/ret

----------------------------------------------------------------------

When you you picture it like this, the math should be easy enough

ZF

Correct, you need to move it 16 bytes to get to eip. Now there's something wrong with the value you're adding. You made an error in your calculation. You're almost there!

ZF

The 7 is unfortunately incorrect. It's not enough for the whole jump. Check your math again.

ZF

I've been messing around with this for a while, and I'm guessing it also has something to do with alignment. I'm not 100% sure of this, and I will look into it. 7 seems correct, but maybe the layout of your stack is different. I compiled it with Visual C++ and I need to add 10 for it to work. I feel stupid for providing you with the wrong information. I assumed the memory layout would be the same.

Edit: Apparently it is about the compiler and alignment. I also found this article which explains it.

http://www.ethicalhacker.net/content/view/122/2/

Hope this solves your problem!

ZF

I found the solution, when I decided to debug the whole thing on Ubuntu. If you inspect the stack layout, you will see the compiler put some extra space. The article describes this as "slack".

Run GDB, set a breakpoint at buffer1. And Inspect the stack memory for buffer1 with the command "x/8 buffer1", you will actually see the return address and some slack space. I disassembled main to be sure that it's the right address.

I'll show you some of the output to clear things up.

-----------------------------------------------------------------
(gdb) list function
1 void function(int a, int b, int c) {
2 char buffer1[5];
3 char buffer2[10];
4 int *ret;
5
6 ret = (int*)(buffer1 + 12);
7 (*ret) += 7;
8 }
9
10 void main() {
(gdb) break 2
Breakpoint 1 at 0x804837a: file ret.c, line 2.
(gdb) run
Starting program: /home/zeroflaw/Desktop/ret

Breakpoint 1, function (a=1, b=2, c=3) at ret.c:6
6 ret = (int*)(buffer1 + 12);
(gdb) x/8 buffer1
0xbffff7e0: 0xb7f9f729 0xb7fd6ff4 0xbffff818 0x08048419
0xbffff7f0: 0xb7fd6ff4 0xbffff8ac 0xbffff818 0x080483c5
(gdb) disas main
Dump of assembler code for function main:
0x08048392 <main+0>: push %ebp
0x08048393 <main+1>: mov %esp,%ebp
0x08048395 <main+3>: sub $0x18,%esp
0x08048398 <main+6>: and $0xfffffff0,%esp
0x0804839b <main+9>: mov $0x0,%eax
0x080483a0 <main+14>: sub %eax,%esp
0x080483a2 <main+16>: movl $0x0,0xfffffffc(%ebp)
0x080483a9 <main+23>: movl $0x3,0x8(%esp)
0x080483b1 <main+31>: movl $0x2,0x4(%esp)
0x080483b9 <main+39>: movl $0x1,(%esp)
0x080483c0 <main+46>: call 0x8048374 <function>
0x080483c5 <main+51>: movl $0x1,0xfffffffc(%ebp) <-- Skipping this instruction.
0x080483cc <main+58>: mov 0xfffffffc(%ebp),%eax
0x080483cf <main+61>: mov %eax,0x4(%esp)
0x080483d3 <main+65>: movl $0x80484c4,(%esp)
0x080483da <main+72>: call 0x80482a0 <printf@plt>
0x080483df <main+77>: leave
0x080483e0 <main+78>: ret
End of assembler dump.

-----------------------------------------------------------------

You can see buffer1 starts at address 0xbffff7e0 and the return address is at 0xbffff7fc. 0xbffff7fc - bffff7e0 = 28. The correct value in this case is 28!

I guess it's important to keep in mind what the compiler does. Also not every stack uses a saved frame pointer! So it's important to always dive into the assembly instructions and inspect memory carefully.

I also learned a lot from this, so thanks for posting your question

ZF