css

Why doesn't Buffer Overflow work in C?

I'm trying to play Buffer Overflow. To do this, I use this tutorial: phrack.org/issues/49/14.html
But I can’t even make the simplest example (in that guide it goes under the name example3.c). To begin with, I want to say that I do everything under a virtual machine (ubuntu 13.04) with the following parameters:

$ uname -a
Linux ubuntu-VirtualBox 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:19:42 UTC 2013 i686 i686 i686 GNU/Linux

Also, before doing anything, turned off ASLR:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

I compile with stack protection turned off:

gcc -fno-stack-protector -z execstack -o example3 example3.c

Here is the actual code for this example (example3.c):

void function(int a, int b, int c) {
   char buffer1[5];
   char buffer2[10];
   int *ret;

   ret = buffer1 + 12;
   (*ret) += 8;
}

void main() {
  int x;

  x = 0;
  function(1,2,3);
  x = 1;
  printf("%d\n",x);
}

A function is called from main, in which the return address is overwritten, i.e. eventually we have to jump over the instruction x=1;and the screen should display "0". The logic of the example is simple: before buffer1 (higher on the stack) is the return address. Since buffer1[5] occupies 8 bytes (2 words of 4 bytes) and since SFP occupies 4 more bytes (before buffer1), we find this return address by adding 12 to the address of buffer1:
ret = buffer1 + 12;
Next, add 8 to the value of the resulting address ( instruction x=1) so that this instruction is not executed.
Everything would be fine, but "1" is still displayed on the screen (without Segmentation Fault). Then I decided to look at the asm code that the compiler generates:
gcc -S -o example3.s example3.c
It turned out the following:

In the function itself, 40 bytes are reserved instead of 20 as in the example:

pushl	%ebp
movl	%esp, %ebp
subl	$40, %esp

How I got 20 in the example is clear to me: (buffer1[5] = 8) + (buffer2[10] = 12) = 20. But how I got 40 is not entirely clear. Then I tried to leave just buffer1[5] in the function and saw that 24 bytes are reserved (I also don’t understand where this number comes from). Oh well, 24 + 4 = 28, i.e.
ret = buffer1 + 28;
But alas, that doesn't work either. In this regard, I have 2 questions: why do my values ​​differ from those from the example (or "why doesn't it work ?!") and how to make it possible to reproduce at least the simplest buffer overflow attack?