Using GDB to demonstrate buffer overflow vulnerability

Case 1: No corruption
(The overflow only reaches the callee-saved %ebx slot; the saved frame pointer and return address remain intact.)

gdb bufdemo
(gdb) break echo                          # Entry into function
(gdb) break *0x80485e2                    # Finish of function
(gdb) run
Breakpoint hit at 0x80485c9
(gdb) print /x $ebp
$1 = 0xffffd7b8                           # Frame pointer
(gdb) print /x *(unsigned *) $ebp
$2 = 0xffffd7c8                           # Saved frame pointer
(gdb) print /x *((unsigned *) $ebp +1)
$3 = 0x80485f0                            # Saved return pointer
(gdb) print /x $ebx
$4 = 0x1                                  # Value in callee save register
(gdb) cont                                # Continue to end of function
Type a string:1234567
1234567
Breakpoint 2, 0x080485e2 in echo ()
(gdb) print /x $ebx                       # Value set by this function
$5 = 0xffffd7b0
(gdb) stepi
0x080485e3 in echo ()
(gdb) print /x $ebx
$6 = 0x373635                             # %ebx set to corrupted value
(gdb) print /x *(unsigned *) $ebp
$7 = 0xffffd7c8                           # Not corrupted
(gdb) stepi                               # Restore %ebp
0x080485e4 in echo ()
(gdb) print /x $ebp
$8 = 0xffffd7c8                           # Set to stored value
(gdb) print /x *(unsigned *) $ebp
$9 = 0xffffd7e8                           # Old frame pointer
(gdb) stepi                               # Return back to calling function
(gdb) print /x *((unsigned *) $ebp)
$11 = 0xffffd7e8                          # Saved value of frame pointer
(gdb) print /x *((unsigned *) $ebp+1)
$13 = 0x804862d                           # This function's return pointer

Case 2: Corrupting stack
(gdb) run
Breakpoint hit at 0x80485c9
(gdb) print /x $ebp
$1 = 0xffffd7b8                           # Frame pointer
(gdb) print /x *(unsigned *) $ebp
$2 = 0xffffd7c8                           # Saved frame pointer
(gdb) print /x *((unsigned *) $ebp +1)
$3 = 0x80485f0                            # Saved return pointer
(gdb) print /x $ebx
$4 = 0x1                                  # Value in callee save register
(gdb) cont                                # Continue to end of function
Type a string:1234567
1234567
Breakpoint 2, 0x080485e2 in echo ()
(gdb) print /x $ebx                       # Value set by this function
$5 = 0xffffd7b0
(gdb) stepi
0x080485e3 in echo ()
(gdb) print /x $ebx
$6 = 0x37363534                           # %ebx set to corrupted value
(gdb) print /x *(unsigned *) $ebp
$7 = 0xffffd700                           # Corrupted!
(gdb) stepi                               # Restore %ebp
0x080485e4 in echo ()
(gdb) print /x $ebp
$8 = 0xffffd700                           # Oops: %ebp restored from the corrupted slot
(gdb) print /x *(unsigned *) $ebp
$9 = 0xffffd72c                           # Looks like frame pointer from some earlier function
(gdb) stepi                               # Return back to calling function
(gdb) print /x *((unsigned *) $ebp)
$11 = 0xffffd7e8                          # Saved value of frame pointer
(gdb) print /x *((unsigned *) $ebp+1)
(gdb) print /x *((unsigned *) $ebp+1)
$24 = 0xf7eea9d5                          # Some random memory location
(gdb) stepi
(gdb) stepi
0xf7eea9d5 in new_do_write () from /lib/libc.so.6
(gdb) disass                              # Landed in the middle of some code
Continuing from there hits a segmentation fault

Case 3: Corrupting return pointer
(gdb) run
Breakpoint hit at 0x80485c9
(gdb) print /x *((unsigned *) $ebp +1)
$3 = 0x80485f0                            # Saved return pointer
(gdb) cont                                # Continue to end of function
Type a string:123456789ABC
1234567
Breakpoint 2, 0x080485e2 in echo ()
(gdb) print /x *((unsigned *) $ebp + 1)
$28 = 0x8048500                           # Corrupted!
(gdb) stepi
0x080485e3 in echo ()
(gdb) stepi
0x080485e4 in echo ()
(gdb) print /x *(unsigned *) $esp
$29 = 0x8048500                           # Corrupted return address now at top of stack
(gdb) stepi