Vulnerability Development mailing list archives

Re: Buffer Overflows


From: Angelo Dell'Aera <buffer () antifork org>
Date: Mon, 5 Apr 2004 17:18:56 +0200

On 29 Mar 2004 20:00:56 -0000
<luck___ () hotmail com> wrote:


Hi, hope someone could help me with a question I have. Why do many
buffer overflow exploits use the %esp before the program has run as
the return address? If I'm not wrong then the idea is to return into
the buffer, but the %esp before the program is run becomes %ebp during
program execution, and this is after the buffer in the stack? Would it
not be better to return to (%esp before) - (length of buffer), which
should place you at the start of the buffer, assuming buffer is the
first local variable to be declared (stack grows to lower addresses)?
This is really confusing me after I thought I had got my head round
it.

I think this is one of the things which can lead to confusion. To
understand it, you need some details about OSs.

Think about this. When you run your exploit, you're evaluating the %esp
value in the exploit. But soon after this you're running the
vulnerable program using that value as if it were the real return address.

The question is: how is that %esp value related to the stack pointer
in the code you're trying to exploit? The answer is that they're
related in no way! But there is a reason why you do it this way.

Think about a generic OS which implements virtual memory (everyone does
it nowadays). Just to be more concrete, consider Linux. Linux, just like
any other operating system, defines a precise layout for the virtual
process address space. In particular, Linux defines for the user mode
stack a virtual memory area (VMA) flagged VMA_GROWSDOWN which starts
at virtual address 0xbfffffff and grows towards lower addresses.
Every program you run has this virtual address space layout. Take a
look at /proc/X/maps (choose X as you like among the existing PIDs)
to see it.

Well, when you get your %esp value in the exploit, you're simply
saying "I know where I could be since the %esp value is always located
near this value". But you don't really know how far you are from the
address you need. The 'offset' used in almost all exploits just
addresses this need. So what you get in your exploit is simply an
estimation. The offset will "tune" your return address, thus letting
you exploit the vulnerable code.

Regards.


--

Angelo Dell'Aera 'buffer' 
Antifork Research, Inc.         http://buffer.antifork.org

PGP information in e-mail header
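Added example, not part of the original post: a small C program that reads the /proc/X/maps layout the reply points to, locates the user-mode stack VMA and reports where a local variable of the running process sits inside it. It assumes the "[stack]" pseudo-name that Linux 2.6 and later print in maps output; the embedded SAMPLE_MAPS text is constructed to match the 32-bit layout discussed above (paths and inode numbers are made up). Running the program several times on a current kernel prints a different stack range each time, because the stack base is randomized (ASLR), which is exactly why a stack pointer value sampled in another process is only an estimate and why the lack of such randomization mattered in 2004.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed line of /proc/<pid>/maps (only the fields needed here). */
struct vma {
    unsigned long start;   /* first address of the mapping */
    unsigned long end;     /* one past the last address of the mapping */
    char perms[5];         /* e.g. "rwxp" */
    char name[64];         /* pathname or pseudo-name such as "[stack]" */
};

/* Constructed sample in the 2.6-era 32-bit layout from the thread:
 * paths and inode numbers are made up, not taken from a real system. */
static const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 03:01 12345      /tmp/vuln\n"
    "08049000-0804a000 rw-p 00000000 03:01 12345      /tmp/vuln\n"
    "40000000-40015000 r-xp 00000000 03:01 67890      /lib/ld-linux.so.2\n"
    "bffeb000-c0000000 rwxp 00000000 00:00 0          [stack]\n";

/* Parse one maps line. Returns 1 on success, 0 if it is not a maps entry. */
int parse_maps_line(const char *line, struct vma *out)
{
    unsigned long offset, inode;
    char dev[16];
    out->name[0] = '\0';   /* anonymous mappings have no trailing name */
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %63s",
                   &out->start, &out->end, out->perms, &offset, dev,
                   &inode, out->name);
    return n >= 6 && out->end > out->start;
}

/* Scan a whole maps text line by line for the "[stack]" VMA. */
int find_stack_vma(const char *maps_text, struct vma *out)
{
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        struct vma v;
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_maps_line(line, &v) && strcmp(v.name, "[stack]") == 0) {
            *out = v;
            return 1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* 1 if addr falls inside the mapping, 0 otherwise. */
int in_vma(const struct vma *v, unsigned long addr)
{
    return addr >= v->start && addr < v->end;
}

/* Distance of addr below the top of the stack VMA (0 if not inside it). */
unsigned long stack_depth(const struct vma *v, unsigned long addr)
{
    return in_vma(v, addr) ? v->end - addr : 0;
}

/* Stand-alone run: locate this process's own stack and report where a
 * local variable sits in it. With stack ASLR the numbers change per run. */
int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) { perror("/proc/self/maps"); return 1; }
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';

    struct vma st;
    if (!find_stack_vma(buf, &st)) {
        fputs("no [stack] VMA found\n", stderr);
        return 1;
    }
    int local = 0;
    unsigned long addr = (unsigned long)&local;
    printf("stack VMA %lx-%lx, local at %lx, %lu bytes below top, inside=%d\n",
           st.start, st.end, addr, stack_depth(&st, addr), in_vma(&st, addr));
    return 0;
}
```

Build with `gcc -Wall maps_stack.c -o maps_stack` (file name chosen here) and run it a few times; comparing the printed ranges shows how much the stack base moves between runs, which is the quantity the "offset" in the reply is trying to absorb.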



