Vulnerability Development mailing list archives

Re: Some help With BOF Exploits Writing.


From: xenophi1e <oliver.lavery () sympatico ca>
Date: 8 Aug 2003 15:54:50 -0000

In-Reply-To: <200308071347.h77DlYAa018973 () mailserver3 hushmail com>

 So you are saying that the return address will be the same on my local
machine as it is on a remote machine (for a particular application on
the same architecture).  I have found that most time it is true.  Which
got me wondering how in the world do two different instances of the same
OS/arch come up with the same addresses??  Is it luck?  Any knowledge
here would be helpful.


It's not luck at all, it's very intentional. Modern OSes use virtual 
memory, which gives each executing process its own distinct memory map. 
For various reasons, it's really handy to have stuff, particularly code 
pages, always be at the same address, so that is how the OS is designed. 

One good reason is dynamic linking. When the OS loads an application, it 
actually links together an .exe and a bunch of .dlls in memory. If the 
dll functions always reside at the same memory addresses this linking is 
easy. If the dll functions change addresses it is more complex and time 
consuming. So on a given OS, for a given DLL, addresses don't change much.

 If you don't mind: when you say "find the return address", is that
the value in the ESP/SP at the time when the actual vulnerable function
is called?

ESP is the stack pointer. I didn't read the original message but I guess 
he was referring to the value of the return address stored on the stack. 
Read http://www.phrack.org/show.php?p=49&a=14 .

~x
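The reply above explains why, on the systems of its day, a library function or a stack slot landed at the same address in every process of the same OS build. The check a practitioner wants today is whether that still holds on a given host, i.e. whether address-space layout randomization is in effect. The following script is an added example, not code from the thread or from either poster: it launches a few fresh interpreter processes, has each report where it finds libc's printf (resolved through ctypes) and a freshly allocated heap object, and classifies each address as fixed or randomized. It assumes a POSIX host with a libc that ctypes can load; the probe names and the sample size are the example's own choices.

```python
"""Do separate processes of the same program see the same addresses?

Added example: spawn N child interpreters, collect the address each one
observes for a shared-library function and for a new heap object, and
report whether the addresses are stable (the fixed layout the thread
describes) or randomized (ASLR in effect).  Assumes POSIX + a loadable libc.
"""
import json
import subprocess
import sys

# Code executed inside each child.  Kept as a string so that every sample
# really comes from a separate process with its own address space.
PROBE = r"""
import ctypes, ctypes.util, json
# find_library may return None on some platforms; CDLL(None) then resolves
# symbols from the running program, which links libc anyway.
libc = ctypes.CDLL(ctypes.util.find_library("c"))
print(json.dumps({
    "libc_printf": ctypes.cast(libc.printf, ctypes.c_void_p).value,
    "heap_object": id(bytearray(64)),
}))
"""


def probe_once():
    """Run one child process and return its {name: address} report."""
    completed = subprocess.run(
        [sys.executable, "-c", PROBE],
        check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout)


def sample_addresses(n=4):
    """Collect reports from n independent processes."""
    return [probe_once() for _ in range(n)]


def classify(samples):
    """Map each probed name to 'fixed' (identical in every sample) or
    'randomized' (at least two samples disagree)."""
    verdict = {}
    for name in samples[0]:
        distinct = {sample[name] for sample in samples}
        verdict[name] = "fixed" if len(distinct) == 1 else "randomized"
    return verdict


if __name__ == "__main__":
    samples = sample_addresses()
    for name, state in classify(samples).items():
        seen = ", ".join(hex(s[name]) for s in samples)
        print(f"{name}: {state}  ({seen})")
```

A "fixed" verdict for libc_printf means a single leaked or guessed library address is reusable across processes on that host, which is the property the thread relies on; a "randomized" verdict means the host is mitigating exactly that. Increase the sample count if you want more confidence that "fixed" is not a small-sample coincidence.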

