Vulnerability Development mailing list archives
Re: Some help With BOF Exploits Writing.
From: xenophi1e <oliver.lavery () sympatico ca>
Date: 8 Aug 2003 15:54:50 -0000
In-Reply-To: <200308071347.h77DlYAa018973 () mailserver3 hushmail com>
> So you are saying that the return address will be the same on my local machine as it is on a remote machine (for a particular application on the same architecture). I have found that most of the time it is true. Which got me wondering how in the world do two different instances of the same OS/arch come up with the same addresses? Is it luck? Any knowledge here would be helpful.
It's not luck at all, it's very intentional. Modern OSs use virtual memory, which gives each executing process its own distinct memory map. For various reasons, it's really handy to have stuff, particularly code pages, always be at the same address, so that is how the OS is designed. One good reason is dynamic linking. When the OS loads an application, it actually links together an .exe and a bunch of .dlls in memory. If the dll functions always reside at the same memory addresses this linking is easy. If the dll functions change addresses it is more complex and time consuming. So on a given OS, for a given DLL, addresses don't change much.
> If you don't mind: when you say "find the return address", is that the value in the esp/SP at the time when the actual vulnerable function is called?
ESP is the stack pointer. I didn't read the original message but I guess he was referring to the value of the return address stored on the stack. Read http://www.phrack.org/show.php?p=49&a=14 .

~x
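The two points made in this reply, that the saved return address sits a fixed distance above a local stack buffer (so it is the slot an overflow overwrites, not the stack pointer itself), and that a library function's address is the kind of value an exploit writer would hard-code because it used to be identical in every process, can be checked with the following C program. It is an added example, not code from the thread or from any poster; it assumes a 64-bit Linux build with gcc or clang, and the function names (return_slot_offset, scan_for_slot, libc_function_address) and the 512-byte search window are my own choices. One caveat the 2003 discussion predates: current OSs randomize library, stack and (for PIE binaries) executable addresses with ASLR, so "the same address on every machine" no longer holds by default. Running the program twice shows whether the address of system() moves between runs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SEARCH_WINDOW 512   /* bytes above buf[0] to inspect (assumed, my choice) */

/* Scan upward from buf until a pointer-sized load equals the expected
 * saved return address. The scan is byte-granular (memcpy, no alignment
 * assumption) so it works whatever buf's alignment happens to be.
 * Returns the byte offset of the slot, or -1 if it is not in the window.
 * noinline: this helper's own locals then live BELOW buf on the stack and
 * cannot be mistaken for the real return-address slot. */
static long __attribute__((noinline))
scan_for_slot(volatile char *buf, void *expected_ret)
{
    for (long off = 0; off + (long)sizeof(void *) <= SEARCH_WINDOW; off++) {
        void *candidate;
        memcpy(&candidate, (const void *)(buf + off), sizeof candidate);
        if (candidate == expected_ret)
            return off;
    }
    return -1;
}

/* Stand-in for a vulnerable function: a fixed 64-byte stack buffer.
 * Instead of overflowing it, we measure how far above buf[0] the saved
 * return address sits, i.e. how many padding bytes an overflow would need
 * before it reaches the return slot. Anything between (stack canary,
 * saved frame pointer, saved registers) simply adds to that distance. */
long __attribute__((noinline)) return_slot_offset(void)
{
    volatile char buf[64];
    memset((void *)buf, 'A', sizeof buf);   /* the "padding" an exploit would send */
    /* __builtin_return_address(0) is handed over directly in a register,
     * so no copy of it is stored in this frame above buf. */
    return scan_for_slot(buf, __builtin_return_address(0));
}

/* Address of a libc function: the value a 2003-era exploit would hard-code
 * as the new return address. Compare it across two runs of the program:
 * if it changes, library ASLR is active and hard-coding will not work. */
uintptr_t libc_function_address(void)
{
    return (uintptr_t)(void *)&system;
}

int main(void)
{
    long off = return_slot_offset();
    printf("saved return address found %ld bytes above buf[0]\n", off);
    printf("&system = 0x%lx (run twice; a different value means ASLR)\n",
           (unsigned long)libc_function_address());
    printf("a stack address in this run: %p (also moves under ASLR)\n",
           (void *)&off);
    return off < 0;
}
```

The offset printed is at least 64 (the buffer itself); on a distribution build with stack protector and frame pointers it is typically 72 or 80. The read past the end of buf is intentional and only meaningful for illustrating the frame layout; it is the same out-of-bounds access an overflow relies on, so do not copy the pattern into production code.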
Current thread:
- Re: Some help With BOF Exploits Writing. olafandjasper (Aug 07)
- Re: Some help With BOF Exploits Writing. Rafael Anschau (Aug 07)
- <Possible follow-ups>
- Re: Some help With BOF Exploits Writing. xenophi1e (Aug 08)