I have this code that my professor gave me; he also wrote other versions of the same program, uncommenting parts of the code in order to show us how the stack works, but I don't really understand it.
#include <stdio.h>
int main(int argc, char** argv);
void loop()
{
    int buf[1];
    /* addresses of the local array and of the two functions; cast so %08X
       receives an unsigned int, which is pointer-sized on the 32-bit VM */
    printf("%08X %08X %08X\n", (unsigned)buf, (unsigned)loop, (unsigned)main);
    /* deliberate out-of-bounds reads: buf[1] and upward are whatever
       sits above buf on the stack (canary, saved ebp, return address, ...) */
    printf("%08X %08X %08X %08X\n", buf[1], buf[2], buf[3], buf[4]);
    printf("%08X %08X %08X %08X\n", buf[5], buf[6], buf[7], buf[8]);
    printf("loop\n");
    /* deliberate out-of-bounds writes; uncomment one at a time
       (casts keep the compiler from rejecting pointer-to-int assignment) */
    //buf[1] = (int)loop;//canary alert
    //buf[2] = (int)loop;// messes up the exit of main
    //buf[3] = 0XF0F0F0F0;
    //buf[4] = (int)&(buf[0]);
    //buf[4] = (int)loop;
    //buf[5] = (int)&(buf[0]);
    //buf[5] = (int)loop;
    printf("%08X %08X %08X %08X\n", buf[1], buf[2], buf[3], buf[4]);
    printf("%08X %08X %08X %08X\n", buf[5], buf[6], buf[7], buf[8]);
    printf("loop returns\n");
}
int main(int argc, char **argv)
{
    printf("Main\n");
    loop();
    printf("main terminates\n");
    return 0;
}
If I uncomment buf[1] the result is "stack smashing" because I go on to modify the canary. If I uncomment buf[2] I get a "segmentation fault" after the whole program has finished executing (so I first get printf("main terminates\n"); and then the segmentation fault). If I uncomment buf[3] I get a segmentation fault before the end of main's execution. I think that by uncommenting buf[4] and buf[5] I am going to change the return address. I am running this on Ubuntu 16.04 LTS 32-bit (the VM provided by SEED, https://seedsecuritylabs.org/). My question is: how can I know where the canary is located? Should I assume it is always in the first available position after the last variable declared and then written to the stack? How do I know, looking only at the code, where the return address can be found? I should preface this by saying that the prof has never debugged the program, so to my knowledge he deduced everything from the code.
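The safest way to answer "where is the canary, where is the return address" is not to deduce it from the source but to let the compiled program tell you. The following is an added example written for this page (it is not the professor's program and not part of the question): a `loop`-style function with a one-element array dumps the words above that array and labels them using two compiler builtins, `__builtin_return_address(0)` (the return address the function will jump to) and `__builtin_frame_address(0)` (the slot holding the saved ebp/rbp). It assumes GCC or Clang and an x86/x86-64 frame layout in which the saved frame pointer and return address sit above the locals, and it uses a `uintptr_t` array instead of `int` so that one index is always one machine word (the same 4 bytes as the professor's `int buf[1]` on the 32-bit SEED VM, and still correctly aligned on a 64-bit host). The canary location is only a heuristic: GCC places its guard directly above the highest array-type local, and glibc keeps the guard's lowest byte zero, so the word right above `buf` is flagged when it looks like that. The saved-frame-pointer slot is only meaningful when the function keeps a frame pointer (`-O0`, or `-fno-omit-frame-pointer`), which `fp_consistent` reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Words to dump starting at buf[0].  On x86/x86-64 the canary, any padding,
 * the saved frame pointer and the return address sit within a few words of
 * the last local, so 16 is plenty (assumption: x86-style frame layout). */
#define SCAN_WORDS 16
#define MARKER ((uintptr_t)0x11111111u)

struct frame_info {
    uintptr_t buf_addr;          /* address of buf[0] inside inspect_frame */
    uintptr_t words[SCAN_WORDS]; /* raw stack words starting at buf[0] */
    int ret_index;               /* word holding the return address, -1 if not seen */
    int fp_index;                /* word __builtin_frame_address(0) points at, -1 if out of range */
    int fp_consistent;           /* 1 if the word right above fp_index is the return address */
    int canary_index;            /* heuristic guard slot, -1 if nothing looks like a canary */
};

/* noinline: the frame being inspected must be a real call frame of its own. */
static __attribute__((noinline)) void inspect_frame(struct frame_info *out)
{
    volatile uintptr_t buf[1];   /* the array whose neighbours we want to see */
    uintptr_t base, fp;
    int i;

    buf[0] = MARKER;             /* so buf[0] is easy to spot in the dump */
    base = (uintptr_t)buf;

    memset(out, 0, sizeof *out);
    out->buf_addr = base;
    out->ret_index = out->fp_index = out->canary_index = -1;

    for (i = 0; i < SCAN_WORDS; i++) {
        /* Deliberate out-of-bounds read through an integer-derived volatile
         * pointer, so the compiler cannot reason the access away. */
        volatile uintptr_t *p =
            (volatile uintptr_t *)(base + (uintptr_t)i * sizeof(uintptr_t));
        out->words[i] = *p;
        /* Compare with the compiler's own view of the return address.  It is
         * evaluated inline rather than kept in a named local, so no copy of
         * it is parked in this frame; the first hit is the real slot (the
         * copy written into *out lives in the caller's frame, above it). */
        if (out->ret_index < 0 &&
            out->words[i] == (uintptr_t)__builtin_return_address(0))
            out->ret_index = i;
    }

    /* Where the compiler says the saved frame pointer lives; only reliable
     * when the function keeps a frame pointer (-O0 / -fno-omit-frame-pointer). */
    fp = (uintptr_t)__builtin_frame_address(0);
    if (fp >= base && fp < base + SCAN_WORDS * sizeof(uintptr_t) &&
        (fp - base) % sizeof(uintptr_t) == 0) {
        out->fp_index = (int)((fp - base) / sizeof(uintptr_t));
        if (out->fp_index + 1 < SCAN_WORDS &&
            out->words[out->fp_index + 1] == (uintptr_t)__builtin_return_address(0))
            out->fp_consistent = 1;
    }

    /* Canary heuristic: GCC's -fstack-protector puts the guard directly above
     * the highest array-type local (here: buf[1]), and glibc keeps the guard's
     * lowest byte zero so string functions stop at it.  Not a proof. */
    if (out->words[1] != 0 && (out->words[1] & 0xff) == 0 &&
        (out->fp_index < 0 || out->fp_index > 1))
        out->canary_index = 1;
}

/* Small wrappers so the findings can be checked without touching the struct. */
int frame_marker_ok(void) { struct frame_info fi; inspect_frame(&fi); return fi.words[0] == MARKER; }
int frame_ret_index(void) { struct frame_info fi; inspect_frame(&fi); return fi.ret_index; }
int frame_fp_index(void)  { struct frame_info fi; inspect_frame(&fi); return fi.fp_index; }

int main(void)
{
    struct frame_info fi;
    int i;

    inspect_frame(&fi);
    printf("buf[0] @ %p  saved-frame-pointer slot: index %d (%s)  return address: index %d\n",
           (void *)fi.buf_addr, fi.fp_index,
           fi.fp_consistent ? "return address follows it" : "not followed by the return address",
           fi.ret_index);
    for (i = 0; i < SCAN_WORDS; i++) {
        const char *tag = "";
        if (i == 0)                    tag = "<- buf[0] (marker)";
        else if (i == fi.canary_index) tag = "<- canary? (guard slot, low byte zero)";
        else if (i == fi.fp_index)     tag = "<- saved frame pointer (caller's ebp/rbp)";
        else if (i == fi.ret_index)    tag = "<- return address (into main)";
        printf("buf[%2d] @ %p = 0x%0*lx %s\n", i,
               (void *)(fi.buf_addr + i * sizeof(uintptr_t)),
               (int)(2 * sizeof(uintptr_t)), (unsigned long)fi.words[i], tag);
    }
    return 0;
}
```

Build it the way the course builds the original, e.g. `gcc -O0 -fstack-protector -o stack_map stack_map.c` on the 32-bit VM (add `-m32` on a 64-bit host), and read off which `buf[k]` is the guard, the saved ebp and the return address; then rebuild with `-fno-stack-protector` or `-O2` and watch the indices move. That is the point: the layout is a property of the compiler, its flags and the set of locals in that one function, not something the C source guarantees, so the only honest way to know where the canary is and which index overwrites the return address is to dump the frame (or step through it in gdb with `info frame` and `x/8xw $esp`) for the exact binary you run.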