Vulnerability Development mailing list archives
Re: Buffer Overflows
From: Angelo Dell'Aera <buffer () antifork org>
Date: Mon, 5 Apr 2004 17:18:56 +0200
On 29 Mar 2004 20:00:56 -0000 <luck___ () hotmail com> wrote:
Hi, hope someone could help me with a question I have. Why do many buffer overflow exploits use the %esp before the program has run as the return address? If I'm not wrong, then the idea is to return into the buffer, but the %esp before the program is run becomes %ebp during program execution, and this is after the buffer in the stack? Would it not be better to return to (%esp before) - (length of buffer), which should place you at the start of the buffer, assuming buffer is the first local variable to be declared (stack grows to lower addresses)? This is really confusing me after I thought I had got my head round it.
I think this is one of the things which can lead to confusion. For understanding it, you need some details about OSs. Think about this. When you run your exploit, you're evaluating the %esp value in the exploit. But soon after this you're running the vulnerable program using that value as if it were the real return address. The question is: how is that %esp value related to the stack pointer in the code you're trying to exploit? The answer is that they're related in no way!

But the reason why you do it this way exists. Think about a generic OS which implements virtual memory (everyone does it nowadays). Just to be more concrete, consider Linux. Linux, just like any other operating system, defines a precise layout for the virtual process address space. In particular, Linux defines for the user mode stack a virtual memory area (VMA) flagged VMA_GROWSDOWN which starts at virtual address 0xbfffffff and grows towards lower addresses. Every program you run has this virtual address space layout. Try to take a look at /proc/X/maps (choose X as you like between the existing PIDs) for realizing it.

Well, when you get your %esp value in the exploit, you're simply saying "I know where I could be since the %esp value is always located near this value". But you don't really know how far you are from the address you need. The 'offset' used in almost all exploits just addresses this need. So what you get in your exploit is simply an estimation. The offset will "tune" your return address, thus letting you exploit the vulnerable code.

Regards.

--
Angelo Dell'Aera 'buffer'
Antifork Research, Inc.
http://buffer.antifork.org
PGP information in e-mail header
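The reply's point is that the stack lives in a fixed VMA (visible in /proc/X/maps) but the exact stack pointer inside it depends on the process, so any value taken from another process is only an estimate. The following program, added here as an illustration and not part of Angelo's message, makes that concrete from an analyst's side: it parses the [stack] line of /proc/self/maps, reports the VMA bounds, and shows how far the current stack pointer sits below the top of the VMA. It assumes Linux, GCC or Clang, and x86 or x86-64 (the inline assembly falls back to a local's address elsewhere); the two maps lines embedded in it are constructed samples, not captured from a real process.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Parse one /proc/<pid>/maps line such as
 *   "bffdf000-c0000000 rwxp 00000000 00:00 0          [stack]"
 * If the line names the mapping `name`, store its [lo, hi) bounds and
 * return 1; otherwise return 0. */
int parse_maps_line(const char *line, const char *name, uintptr_t *lo, uintptr_t *hi)
{
    unsigned long long start, end;
    char perms[8];

    if (strstr(line, name) == NULL)
        return 0;
    if (sscanf(line, "%llx-%llx %7s", &start, &end, perms) != 3)
        return 0;
    *lo = (uintptr_t)start;
    *hi = (uintptr_t)end;
    return 1;
}

/* 1 if addr lies inside [lo, hi), else 0. */
int addr_in_range(uintptr_t addr, uintptr_t lo, uintptr_t hi)
{
    return addr >= lo && addr < hi;
}

/* Find the [stack] VMA of the running process (Linux only). */
int find_stack_vma(uintptr_t *lo, uintptr_t *hi)
{
    char line[512];
    int found = 0;
    FILE *f = fopen("/proc/self/maps", "r");

    if (f == NULL)
        return 0;
    while (fgets(line, sizeof line, f) != NULL) {
        if (parse_maps_line(line, "[stack]", lo, hi)) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Current stack pointer: inline asm on x86/x86-64, a local's address elsewhere. */
uintptr_t current_sp(void)
{
    uintptr_t sp;
#if defined(__x86_64__)
    __asm__ volatile ("mov %%rsp, %0" : "=r"(sp));
#elif defined(__i386__)
    __asm__ volatile ("mov %%esp, %0" : "=r"(sp));
#else
    volatile char marker = 0;
    sp = (uintptr_t)&marker;
#endif
    return sp;
}

/* Constructed sample lines (not from any real process) to exercise the parser. */
static const char SAMPLE_STACK_LINE[] =
    "bffdf000-c0000000 rwxp 00000000 00:00 0          [stack]\n";
static const char SAMPLE_TEXT_LINE[] =
    "08048000-08049000 r-xp 00000000 08:01 1234       /bin/true\n";

uintptr_t sample_stack_lo(void)
{
    uintptr_t lo = 0, hi = 0;
    return parse_maps_line(SAMPLE_STACK_LINE, "[stack]", &lo, &hi) ? lo : 0;
}

uintptr_t sample_stack_hi(void)
{
    uintptr_t lo = 0, hi = 0;
    return parse_maps_line(SAMPLE_STACK_LINE, "[stack]", &lo, &hi) ? hi : 0;
}

/* 1 if a non-stack line is rejected when we ask for [stack]. */
int sample_text_rejected(void)
{
    uintptr_t lo = 0, hi = 0;
    return parse_maps_line(SAMPLE_TEXT_LINE, "[stack]", &lo, &hi) == 0;
}

int main(void)
{
    uintptr_t lo, hi, sp;

    if (!find_stack_vma(&lo, &hi)) {
        fprintf(stderr, "no [stack] mapping found (not Linux?)\n");
        return 1;
    }
    sp = current_sp();
    printf("stack VMA : %#lx-%#lx (%lu KiB)\n", (unsigned long)lo,
           (unsigned long)hi, (unsigned long)(hi - lo) / 1024);
    printf("current sp: %#lx (inside VMA: %s)\n", (unsigned long)sp,
           addr_in_range(sp, lo, hi) ? "yes" : "no");
    printf("bytes between sp and top of VMA: %lu\n", (unsigned long)(hi - sp));
    return 0;
}
```

Run it twice with different environments (for example once normally and once under `env -i`): the VMA bounds stay put on a non-randomized kernel, but the "bytes between sp and top of VMA" figure moves with the size of the environment and argument strings, which is exactly the uncertainty the reply says the offset has to absorb. On current kernels with ASLR enabled (kernel.randomize_va_space) the VMA base itself changes on every run as well, so the fixed 0xbfffffff figure in the reply describes older, non-randomized 32-bit layouts.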