
Cannot access $eip no matter the size of the buffer - gdb

I have the following C file, vuln.c, and I am trying to carry out a buffer overflow attack. My aim is to set the $eip to the address of the function read_secret.

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Target function: never called by main(), only reachable by redirecting control flow. */
void read_secret() {
    FILE *fptr = fopen("/task2/secret.txt", "r");   /* return value is not checked for NULL */
    char secret[1024];
    fscanf(fptr, "%512s", secret);
    printf("Well done!\nThere you go, a wee reward: %s\n", secret);
    exit(0);
}

int fib(int n)
{
   if ( n == 0 )
      return 0;
   else if ( n == 1 )
      return 1;
   else
      return ( fib(n-1) + fib(n-2) );
}

void vuln(char *name)
{
    int n = 20;
    char buf[1024];
    int f[n];            /* variable-length array (VLA), placed on the stack */
    int i;
    for (i=0; i<n; i++) {
      f[i] = fib(i);
    }
    strcpy(buf, name);   /* unbounded copy: a name longer than 1023 bytes overflows buf */
    printf("Welcome %s!\n", buf);
    for (i=0; i<20; i++) {
      printf("By the way, the %dth Fibonacci number might be %d\n", i, f[i]);
    }
}


int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("Provide your name\n");
        return 0;
    }

    vuln(argv[1]);
    return 0;
}

So far, using gdb, I can get a segmentation fault when I push the size of the input to 1026. That is, run $(python -c "print('A'*1026)").

However, no matter how much I increase the 1026, the $eip is always 0x8049323. I have looked long and hard online for any similar problem, but I have failed to find any.

I am aware there's a similar question with similar code, but the answer doesn't address my problem.

EDIT: For reference, yes, the x41's do reach in, they just never make it all the way to $eip.


Also, these are the info reg's before and after the input is strcpy-ed in (two screenshots in the original post, not reproduced here).

And the address of the buf variable is 0xffffd230 before and after. And the address of read_secret() is 0x80491c2.

The problem was that inside the program there comes a point where the program attempts to print the f[i]'s. These are overwritten by the buffer with illegal addresses (i.e. 0x41414141).

What I instead did is that I picked an address from 'info reg' (the $ebp worked for me) and inserted that address multiple times until I hit the $eip. Essentially, you want to pick a LEGAL address here.

Then, I'd reduce the number of times the address I picked is repeated and put 'AAAA' there instead to see where the $eip is. Once I find the $eip, I put the address of the function I want to execute there instead.
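As an added example that is not part of the question or answer above: a hardened version of vuln() in which the unbounded strcpy is replaced by a length-checked copy, so an over-long argv[1] is rejected before it can overwrite f[], the saved frame pointer or the return address. The function names safe_copy, greet and demo_overlong are assumptions, not names from the original program.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 1024   /* same buffer size as the original buf[1024] */

/* Copy src into dst only if it fits, including the terminating NUL.
 * Returns 0 on success, -1 if src is too long (dst is left untouched).
 * memchr bounds the scan, so src need not be NUL-terminated within dstsz. */
int safe_copy(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)
        return -1;                  /* no NUL within dstsz bytes: too long */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

int fib(int n) { return n < 2 ? n : fib(n - 1) + fib(n - 2); }

/* Hardened equivalent of vuln(): 0 if the name was accepted, -1 if rejected. */
int greet(const char *name)
{
    char buf[NAME_MAX];
    int f[20];
    int i;
    for (i = 0; i < 20; i++)
        f[i] = fib(i);
    if (safe_copy(buf, sizeof buf, name) != 0) {
        fprintf(stderr, "Name too long (max %d bytes)\n", NAME_MAX - 1);
        return -1;
    }
    printf("Welcome %s!\n", buf);
    for (i = 0; i < 20; i++)
        printf("By the way, the %dth Fibonacci number might be %d\n", i, f[i]);
    return 0;
}

/* Constructed input mirroring the question: 1026 'A's, which crashed vuln(). */
int demo_overlong(void)
{
    static char name[1026 + 1];
    memset(name, 'A', 1026);
    name[1026] = '\0';
    return greet(name);             /* rejected: returns -1 instead of crashing */
}

int main(int argc, char *argv[])
{
    if (argc < 2) { printf("Provide your name\n"); return 0; }
    return greet(argv[1]) == 0 ? 0 : 1;
}
```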
