Vulnerability Development mailing list archives
Re: Buffer Overflows
From: ". npguy" <npguy () linuxmail org>
Date: Tue, 30 Mar 2004 13:55:49 +0800
Hi,

ESP points to the current address of the stack frame. The address is very important to exploit the return address. Take an example of overwriting the return address with a JMP ESP instruction: it simply changes the flow of the program by jumping to the address ESP (the Stack Pointer) currently points at. In our case the ESP points within our buffer, next to the Return address. So JMP ESP will point to the next index of our buffer, i.e. the overflowed buffer.

    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaxxxxSSSSSSSSSSSSSSSSSSSSSSSSS
                                       |   ^
            +--msvcrt.dll---+          |   |
            |               |          |   |
            |   JMP ESP <--------------+   |
            |      |        |              |
            |      +-----------------------+
            +---------------+

The figure is quite simple. SSS... is the shellcode and xxxx is the overwritten return address (EIP) of a buffer. It contains the address of the "JMP ESP" instruction located somewhere in the process space (memory); in our case it is located in the msvcrt.dll memory space at xxxx. When the buffer is fed to the program it will happily run without any error message, since the return address is valid and contains a "JMP ESP" (or equivalent) instruction. This instruction immediately jumps to the current pointer of ESP; in our case the next ESP after xxxx is "SSSS...". This is the shellcode where we had placed the exploit code, something interesting, might be a worm or simple funny stuff.

npguy
01security.com

----- Original Message -----
From: <luck___ () hotmail com>
Date: 29 Mar 2004 20:00:56 -0000
To: vuln-dev () securityfocus com
Subject: Buffer Overflows
Hi, hope someone could help me with a question I have. Why do many buffer overflow exploits use the %esp before the program has run as the return address? If I'm not wrong, then the idea is to return into the buffer, but the %esp before the program is run becomes %ebp during program execution, and this is after the buffer in the stack? Would it not be better to return to (%esp before) - (length of buffer), which should place you at the start of the buffer, assuming the buffer is the first local variable to be declared (stack grows to lower addresses)? This is really confusing me after I thought I had got my head round it.

Many Thanks
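To make the frame layout the two messages argue about concrete, here is an added example (not code from either poster): a toy model of an x86 stack that replays CALL, the usual prologue, an unchecked copy into a 32-byte local buffer, the epilogue and RET, then reports where ESP ends up relative to the copied bytes. The base address, the return address pushed by CALL and the input bytes are all constructed and hypothetical; nothing here touches a real process.

```c
/* Toy model of one x86 stack frame, constructed for illustration only.
 * BASE, the pushed return address and the sample input are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 64
#define BASE  0xBFFF0000u          /* hypothetical lowest modelled address */
#define TOP   (BASE + 4 * SLOTS)   /* one past the highest modelled byte  */
#define BUFSZ 32                   /* the callee's local char buf[32]     */

typedef struct {
    uint8_t  mem[4 * SLOTS];       /* byte-addressable stack memory */
    uint32_t esp, ebp;
} stack_t;

static uint8_t *at(stack_t *s, uint32_t addr) { return &s->mem[addr - BASE]; }
static uint32_t rd32(stack_t *s, uint32_t addr) { uint32_t v; memcpy(&v, at(s, addr), 4); return v; }
static void     push(stack_t *s, uint32_t v) { s->esp -= 4; memcpy(at(s, s->esp), &v, 4); }
static uint32_t pop(stack_t *s) { uint32_t v = rd32(s, s->esp); s->esp += 4; return v; }

typedef struct {
    uint32_t esp_before_call;  /* caller's ESP just before CALL              */
    uint32_t buf_addr;         /* address of the local buffer ([ebp-32])     */
    uint32_t eip_after_ret;    /* value RET loads into EIP                   */
    uint32_t esp_after_ret;    /* ESP right after RET: what JMP ESP targets  */
} frame_trace_t;

/* Replay: CALL -> push ebp; mov ebp,esp; sub esp,32 -> copy -> leave; ret. */
static frame_trace_t run(const uint8_t *input, size_t len) {
    stack_t s; memset(&s, 0, sizeof s);
    s.esp = TOP - 16; s.ebp = TOP - 4;   /* caller already owns a small frame */
    frame_trace_t t;
    t.esp_before_call = s.esp;
    push(&s, 0x08040123u);               /* CALL pushes a hypothetical return address */
    push(&s, s.ebp); s.ebp = s.esp;      /* prologue: push ebp; mov ebp, esp */
    s.esp -= BUFSZ;                      /* sub esp, 32: buf lives just below ebp */
    t.buf_addr = s.esp;
    /* The unchecked copy is the bug: bytes past BUFSZ land on the saved EBP,
     * the return address slot, and whatever sits above it. */
    if (len > TOP - t.buf_addr) len = TOP - t.buf_addr;   /* keep inside the model */
    memcpy(at(&s, t.buf_addr), input, len);
    s.esp = s.ebp; s.ebp = pop(&s);      /* epilogue: leave */
    t.eip_after_ret = pop(&s);           /* ret: pop eip, esp moves past the slot */
    t.esp_after_ret = s.esp;
    return t;
}

/* Constructed input: 32 'a' fill the buffer, 4 'b' cover saved EBP,
 * "xxxx" covers the return address, then 16 'S' mark what follows. */
static size_t sample_input(uint8_t *out) {
    size_t n = 0;
    memset(out + n, 'a', 32); n += 32;
    memset(out + n, 'b', 4);  n += 4;
    memcpy(out + n, "xxxx", 4); n += 4;
    memset(out + n, 'S', 16); n += 16;
    return n;
}

static frame_trace_t sample_run(void) {
    uint8_t in[64];
    return run(in, sample_input(in));
}

/* Offset inside the input that ESP points at once RET has executed. */
static long sample_esp_offset(void) {
    frame_trace_t t = sample_run();
    return (long)(t.esp_after_ret - t.buf_addr);
}

int main(void) {
    frame_trace_t t = sample_run();
    printf("ESP before CALL : 0x%08x\n", t.esp_before_call);
    printf("buffer address  : 0x%08x\n", t.buf_addr);
    printf("EIP after RET   : 0x%08x (the 'xxxx' bytes)\n", t.eip_after_ret);
    printf("ESP after RET   : 0x%08x = buffer + %ld\n", t.esp_after_ret, sample_esp_offset());
    return 0;
}
```

The trace answers the original question directly: ESP after RET equals the caller's ESP before CALL, and in the model that address is buffer + 40, i.e. the first 'S' byte just past the four "xxxx" bytes. Returning into the buffer start would instead require knowing the buffer's own address, which is why the reply relies on wherever ESP happens to point. The same layout is what stack cookies (a check value between the locals and the saved EBP) and non-executable stacks are designed to catch: the cookie check fires in the epilogue before RET, and NX makes the bytes at the landing address non-executable even if the jump happens.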
Current thread:
- Buffer Overflows luck___ (Mar 29)
- <Possible follow-ups>
- Re: Buffer Overflows . npguy (Mar 30)
- Re: Buffer Overflows Gerardo Richarte (Mar 30)