Put simply:
- top of stack
($esp) = 0xbffff49c. - gdb executes
retinstruction, which responds withCannot access memory at address 0x90909094.
What reason would gdb be trying to access 0x90909094 when the value at the top of the stack is 0xbffff49c?
Random info (in case it's needed):
[----------------------------------registers-----------------------------------]
EAX: 0x5a ('Z')
EBX: 0xb7fbeff4 --> 0x15ed7c
ECX: 0xbffff428 --> 0xb7fbf4e0 --> 0xfbad2a84
EDX: 0xb7fc0360 --> 0x0
ESI: 0x0
EDI: 0x0
EBP: 0x90909090
ESP: 0xbffff49c --> 0xbffff450 --> 0xdb31c031
EIP: 0x80485dd (<greeting+113>: ret)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x80485d0 <greeting+100>: mov DWORD PTR [esp],0x80487f4
0x80485d7 <greeting+107>: call 0x80483f0 <printf@plt>
0x80485dc <greeting+112>: leave
=> 0x80485dd <greeting+113>: ret
0x80485de <checkPassword>: push ebp
0x80485df <checkPassword+1>: mov ebp,esp
0x80485e1 <checkPassword+3>: push ebx
0x80485e2 <checkPassword+4>: sub esp,0x64
[------------------------------------stack-------------------------------------]
0000| 0xbffff49c --> 0xbffff450 --> 0xdb31c031
0004| 0xbffff4a0 --> 0x0
0008| 0xbffff4a4 --> 0xbffff564 --> 0xbffff6b2 ("/root/Desktop/CSCE_526/task1")
0012| 0xbffff4a8 --> 0x804876b (<__libc_csu_init+11>: add ebx,0x1351)
0016| 0xbffff4ac --> 0xb7fbeff4 --> 0x15ed7c
0020| 0xbffff4b0 --> 0x8048760 (<__libc_csu_init>: push ebp)
0024| 0xbffff4b4 --> 0x0
0028| 0xbffff4b8 --> 0xbffff538 --> 0x0
[------------------------------------------------------------------------------]
gdb-peda$ n
Cannot access memory at address 0x90909094
I'm overflowing a buffer and trying to get it to execute some shellcode, but I'm not sure if those details are relevant considering the simplicity of the question: why is ret trying to access data not on the top of the stack?