Vulnerability Development mailing list archives
RE: problem in off by one overflow
From: "Steven Alexander" <alexander.s () mccd edu>
Date: Mon, 7 Feb 2005 10:10:10 -0800
Off-by-one exploits do not work by pointing ebp at shellcode like a straightforward exploit does with eip. ebp points to the local stack frame. The ebp stored on the stack points to the previous local stack frame. You need to modify the saved ebp value to manipulate the stack frames in such a way that an eip of your choosing is later removed from the stack. In a function call, the arguments to the function are pushed on to the stack. A call instruction is executed that pushes the current eip on to the stack and jumps to the address of the function to continue executiong. At the beginning of each function, the current ebp is pushed on to the stack and the current esp is copied over ebp. Then, esp is decremented to make room for local variables. At the end of each function, ebp is copied over esp. The previous ebp is popped from the stack. The function returns by popping eip from the stack and resuming execution at that address (with a ret instruction). Say that you have a program where func1 calls func2. In func2, you modify the saved ebp value with an overflow. At the end of func2, the value of ebp (the current one, not the one you modified) is restored into esp. Your modified ebp is popped into ebp. Func2 returns (correctly) into func1. At the end of func1, the now current ebp (the one you did modify) is copied over esp. The previous ebp is popped off the stack (which means that esp, which holds your modified ebp, is increased by 4) and func1 returns. In order to construct an exploit, you need to 1) put your shellcode on the stack 2) store the address of (read: a pointer to) your shellcode on the stack (if it's not exact, you can NOP-pad your shellcode). 3) modify the saved ebp in func2 to point four bytes lower than the address of your shellcode Then, * The value you supply will be increased by four due to a 'pop ebp' instruction and will then point at the address of your shellcode * func1 will pop what it thinks is the saved eip off the stack (but is actually the address of your shellcode) * The program will resume execution at your shellcode. There are possible complications. If you modify the saved ebp in func2 and func1 uses ebp to reference local variables after func2 returns, the program may crash. You should read or re-read the Phrack article on the subject: http://www.phrack.org/phrack/55/P55-08 I hope this helps and that I haven't made any errors myself, Steven
Current thread:
- problem in off by one overflow Breno Pinto (Feb 07)
- Re: problem in off by one overflow Alex (Feb 07)
- <Possible follow-ups>
- RE: problem in off by one overflow Steven Alexander (Feb 07)