
Understanding stack in linux

I have a small (and vulnerable) C sample:

#include <stdio.h>   /* printf */
#include <stdlib.h>  /* exit */
#include <string.h>  /* strcpy */
#include <unistd.h>

int main(int argc, char *argv[])
{
    char buff[100];

    if(argc < 2)
    {
        printf("Syntax: %s <input string>\n", argv[0]);
        exit (0);
    }

    /* Unbounded copy into the 100-byte buffer: this is the deliberately
     * vulnerable part of the sample. */
    strcpy(buff, argv[1]);
    return 0;
}

I compiled it with:

gcc -o basic_overflow basic_overflow.c -fno-stack-protector -fno-builtin

When I open this program with gdb, disassembly looks like this:

Dump of assembler code for function main:
   0x08048424 <+0>: push   ebp
   0x08048425 <+1>: mov    ebp,esp
   0x08048427 <+3>: and    esp,0xfffffff0
   0x0804842a <+6>: add    esp,0xffffff80
...

I set a breakpoint in main (after the prologue). Since we have a local buffer I would expect my stack frame to be 100 bytes in size. However, when I do $ebp-$esp, I can see that the result is actually 136.

Platform: Linux user-VirtualBox 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11 03:31:50 UTC 2011 i686 i686 i386 GNU/Linux

Compiler: gcc (Ubuntu/Linaro 4.5.2-8ubuntu4) 4.5.2

Debugger: GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2

What did I get wrong?

It is not just the size of the local variables - in general there is padding to the size the platform ABI specifies, clobbered registers, alloca() areas... - check this nice picture
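To see where the 136 bytes come from, read the two prologue instructions in the question's disassembly: `and esp,0xfffffff0` rounds esp down to a 16-byte boundary, and `add esp,0xffffff80` adds -128 (0xffffff80 is a negative 32-bit immediate), so the frame is 128 bytes plus whatever the alignment step dropped. The following C program is an added example that models those two instructions in plain integer arithmetic; it is not code from the question or the answer, and the ebp value it uses is constructed (chosen to sit 8 bytes past a 16-byte boundary, which is what the 136 implies).

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the two prologue instructions shown in the question:
 *   and esp, 0xfffffff0   ; round esp down to a 16-byte boundary
 *   add esp, 0xffffff80   ; 0xffffff80 is -128 as a signed 32-bit value
 * All register values here are constructed for illustration. */

/* Interpret a 32-bit immediate as the signed value the CPU actually adds. */
static int32_t imm32_signed(uint32_t imm)
{
    return (int32_t)imm;            /* 0xffffff80 -> -128 */
}

/* Right after `mov ebp, esp` we have esp == ebp; apply the two adjustments. */
static uint32_t esp_after_prologue(uint32_t ebp)
{
    uint32_t esp = ebp & 0xfffffff0u;               /* and esp, 0xfffffff0 */
    esp += (uint32_t)imm32_signed(0xffffff80u);     /* add esp, 0xffffff80 */
    return esp;
}

/* What `p $ebp - $esp` prints at a breakpoint placed after the prologue. */
static uint32_t frame_size(uint32_t ebp)
{
    return ebp - esp_after_prologue(ebp);
}

/* Bytes removed by the alignment step alone (0..15, depends on ebp mod 16). */
static uint32_t alignment_padding(uint32_t ebp)
{
    return ebp - (ebp & 0xfffffff0u);
}

int main(void)
{
    /* Constructed ebp: the caller's esp was 16-byte aligned, the call pushed
     * a 4-byte return address and the prologue pushed 4-byte ebp, so ebp ends
     * up 8 bytes past a 16-byte boundary. */
    uint32_t ebp = 0xbffff1a8u;

    printf("ebp                = 0x%08x\n", ebp);
    printf("esp after prologue = 0x%08x\n", esp_after_prologue(ebp));
    printf("alignment padding  = %u bytes\n", alignment_padding(ebp));
    printf("fixed reservation  = %d bytes\n", -imm32_signed(0xffffff80u));
    printf("ebp - esp          = %u bytes\n", frame_size(ebp));

    /* The 100-byte buffer occupies only part of the 128-byte reservation;
     * the remainder is ABI padding plus whatever else the compiler keeps in
     * the frame, as the answer above describes. */
    return 0;
}
```

With the constructed ebp the program reports 8 bytes of alignment padding, a 128-byte fixed reservation and `ebp - esp` of 136, matching the figure in the question; an ebp that is already 16-byte aligned would give 128, which is why the measured frame size can differ between runs or platforms even for the same source.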

The buffer address is so hard to get. I also have this question. There is a good article teaching you how to smash the stack. But on my computer, Ubuntu 12.04, gcc 4.6 or 4.4.7, I have tested the latest eggshell.c, and the result is a core dump. He puts the shellcode in environment vars. But it's hard to find the environment vars' address. I also find smashing the stack sometimes doesn't have any effect. Can anyone help make it run??
