I have the following source code (in a file named vuln.cpp) in C:
```c
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char real[20];
    char pass[20] = "dddddddddddddddd";

    if (argc < 2) {
        printf("Usage:\t%s\tpassword\n", argv[0]);
        return -1;
    }

    /* copies strlen(argv[1]) + 1 bytes with no bound on the 20-byte real[] */
    memcpy(real, argv[1], strlen(argv[1]) + 1);
    if (strncmp(real, pass, 20) == 0) {
        printf("SUCCESS!\n");
    } else {
        printf("FAILURE!\n");
    }
    printf("real:\t%s\npass:\t%s", real, pass);
    return 0;
}
```
I compiled the source code using `gcc -g -O0 vuln.cpp`. Note that my machine as well as OS (Ubuntu 18.04) has x86_64 architecture.

I ran `gdb a.out`, then `b 16`, then `run $(python -c 'print("a"*10)')`.

Now with the code running at line 16, just after the memcpy, I do `info frame`. This outputs:
```
(gdb) info frame
Stack level 0, frame at 0x7fffffffd9d0:
 rip = 0x555555554887 in main (vuln.cpp:17); saved rip = 0x7ffff7a05b97
 source language c++.
 Arglist at 0x7fffffffd9c0, args: argc=2, argv=0x7fffffffdaa8
 Locals at 0x7fffffffd9c0, Previous frame's sp is 0x7fffffffd9d0
 Saved registers:
  rbp at 0x7fffffffd9c0, rip at 0x7fffffffd9c8
```
Now I did `p &real`:

```
$3 = (char (*)[20]) 0x7fffffffd980
```
How can the address of the local variable `real[0]` be before the address of locals listed in the `info frame` output?
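As an added example (not part of the question), this program reads its own frame pointer on x86-64 and reports where two 20-byte arrays sit relative to it, showing that "Locals at" is the frame base (rbp) and that locals are placed below it; `inspect_frame`, `struct frame_layout` and `locals_below_frame_base` are names chosen here.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Where the compiler placed two local arrays relative to the frame base.
 * On x86-64 the frame base (rbp) is what gdb's "info frame" prints as
 * "Locals at"; it holds the saved rbp, with the saved rip 8 bytes above it. */
struct frame_layout {
    uintptr_t frame_base;  /* rbp of inspect_frame: the saved-rbp slot */
    uintptr_t saved_rip;   /* frame_base + 8: the return-address slot */
    uintptr_t real_addr;   /* &real[0] */
    uintptr_t pass_addr;   /* &pass[0] */
};

/* noinline so the function keeps its own frame regardless of -O level. */
__attribute__((noinline)) struct frame_layout inspect_frame(void)
{
    char real[20];
    char pass[20] = "dddddddddddddddd";
    struct frame_layout fl;

    real[0] = pass[0];
    /* __builtin_frame_address(0) yields this function's own frame pointer. */
    fl.frame_base = (uintptr_t)__builtin_frame_address(0);
    fl.saved_rip = fl.frame_base + sizeof(void *);
    fl.real_addr = (uintptr_t)real;
    fl.pass_addr = (uintptr_t)pass;
    return fl;
}

/* Locals are addressed at negative offsets from rbp, so every byte of both
 * arrays lies below the "Locals at" address, between it and the next frame. */
int locals_below_frame_base(const struct frame_layout *fl)
{
    return fl->real_addr + sizeof(char[20]) <= fl->frame_base &&
           fl->pass_addr + sizeof(char[20]) <= fl->frame_base;
}

int main(void)
{
    struct frame_layout fl = inspect_frame();
    printf("Locals at (rbp): 0x%lx\n", (unsigned long)fl.frame_base);
    printf("saved rip at:    0x%lx\n", (unsigned long)fl.saved_rip);
    printf("&real:           0x%lx (rbp - %ld)\n", (unsigned long)fl.real_addr,
           (long)(fl.frame_base - fl.real_addr));
    printf("&pass:           0x%lx (rbp - %ld)\n", (unsigned long)fl.pass_addr,
           (long)(fl.frame_base - fl.pass_addr));
    return locals_below_frame_base(&fl) ? 0 : 1;
}
```

In the question's own output the gap is 0x7fffffffd9c0 - 0x7fffffffd980 = 0x40 bytes, which holds both 20-byte arrays plus alignment padding below the saved rbp.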