Vulnerability Development mailing list archives

Re: Buffer Overflows


From: Yves Younan <yyounan () fort-knox org>
Date: Thu, 01 Apr 2004 19:16:05 +0200

On Mon, 2004-03-29 at 22:00, luck___ () hotmail com wrote:
Hi hope someone could help me with a question I have. 
Why do many buffer overflow exploits use the %esp 
before the program has run as the return address? 

I've read the other replies, but I think they're answering a different
question. If I understand your question correctly, you're asking why the
overflows replace the return address with: 0xbfffffff - some value
instead of pointing it to where the buffer they are overflowing is
located, right? If I am mistaken, you can ignore the rest of the mail :)
You can place shellcode anywhere you like, just as long as you can write
to this address and have a way of knowing or guessing the address of
your code so you can jump to it or close to it (when using a nop sled).
I'm assuming the exploits you mention in your mail place their shellcode
in an environment variable instead of in the buffer they are
overflowing. This is more robust as the buffer could be at a different
place in every compiled version while the stack will (barring OS
modifications that randomize or change this) start at 0xbfffffff (Linux,
i386) and will contain 4 nuls, the program name, a null to terminate the
program name and the environment variables (last to first).
So to jump to the beginning of the first environment variable the
following formula can be used to find the address of the shellcode:
address = 0xbfffffff - 4 - length(programname) - 1 - length(environment).
And the vulnerable program would be executed from the exploit as:
execve(programname, arguments, environment);
Note that this is only useful for local exploits, not remote ones.

For more information see page 38 of my thesis:
http://fort-knox.org/thesis.php
See page 66 for an example of an exploit that uses this technique.

Or see the original paper that describes this technique:
Buffer overflows demystified by Murat Balaban:
http://www.enderunix.org/docs/eng/bof-eng.txt

- YY
They that give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
                - Benjamin Franklin
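
Added illustration, not code from Yves Younan or anyone else in the thread: the formula above written out as a function, the "environment strings are packed end to end" assumption it silently relies on turned into a check, and a main() that compares the prediction with where the running process's first environment string really sits. The stack top 0xbfffffff is the value the mail cites; the program name "./vuln" and the environment strings used in the comments are constructed. On a system whose stack top differs, or that randomizes the stack base, the prediction and the real address will not match, which is exactly why stack randomization breaks this class of address guessing.

```c
/* Added example (not from the original mail). Codes up the mail's formula
 * for the address of the first environment string under the fixed-stack-top
 * layout it describes (Linux i386, no randomization), plus the layout
 * assumption behind it. Build and run it: on a 64-bit or ASLR-enabled
 * system the "predicted" and "actual" addresses will disagree. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Top-of-stack byte the mail assumes. Constructed from the mail, not
 * measured on any particular machine. */
#define STACK_TOP 0xbfffffffUL

/* Total bytes the environment strings occupy, each including its NUL.
 * This is the "length(environment)" term of the formula. */
size_t env_bytes(char *const envp[])
{
    size_t total = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        total += strlen(envp[i]) + 1;
    return total;
}

/* The mail's formula:
 *   address = 0xbfffffff - 4 - length(programname) - 1 - length(environment)
 * i.e. below the 4 null bytes, the program name and its terminator, and the
 * whole environment block sits the first environment string.
 * Example: programname "./vuln" with env {"SHELLCODE=AAAA", "PATH=/bin"}
 * gives 0xbfffffff - 4 - 6 - 1 - 25 = 0xbfffffdb. */
uintptr_t predicted_env0(const char *programname, char *const envp[])
{
    return STACK_TOP - 4 - strlen(programname) - 1 - env_bytes(envp);
}

/* The formula only works if the kernel packed the strings back to back:
 * each string's terminator is immediately followed by the next string.
 * Returns 1 when the array describes such a block, 0 otherwise. */
int env_is_contiguous(char *const envp[])
{
    for (size_t i = 0; envp[i] != NULL && envp[i + 1] != NULL; i++)
        if (envp[i] + strlen(envp[i]) + 1 != envp[i + 1])
            return 0;
    return 1;
}

int main(int argc, char **argv, char **envp)
{
    (void)argc;
    if (envp[0] == NULL) {
        puts("empty environment, nothing to compare");
        return 0;
    }
    /* argv[0] stands in for the execve() filename here; the two can differ,
     * which is one more reason the prediction may be off by a few bytes. */
    uintptr_t predicted = predicted_env0(argv[0], envp);
    uintptr_t actual = (uintptr_t)envp[0];

    printf("formula predicts first env string at 0x%lx\n", (unsigned long)predicted);
    printf("first env string actually lives at   0x%lx\n", (unsigned long)actual);
    printf("environment block contiguous: %s\n", env_is_contiguous(envp) ? "yes" : "no");
    if (predicted != actual)
        puts("mismatch: the fixed 0xbfffffff stack top does not hold on this system");
    return 0;
}
```

Running it on a current distribution is the instructive part: the block is still contiguous, but the absolute address differs from the prediction on every run, so the fixed-offset trick the mail describes depends entirely on a non-randomized 32-bit stack top.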
