Vulnerability Development mailing list archives

Re: Buffer Overflows


From: ". npguy" <npguy () linuxmail org>
Date: Tue, 30 Mar 2004 13:55:49 +0800

Hi,

ESP points to the current address of the stack frame. The address is very important to exploit 
the return address.

Take an example of overwriting the return address with a JMP ESP instruction: it simply changes the flow of the program by 
jumping to the address that ESP (the stack pointer) currently points to. In our case ESP points within our buffer, next to 
the return address. 

So JMP ESP will point to the next index of our buffer, i.e. the overflowed buffer. 

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaxxxxSSSSSSSSSSSSSSSSSSSSSSSSS
                                   |  ^
    +--msvcrt.dll---+              |  |
    |               |              |  |
    |    JMP ESP<------------------+  | 
    |      |        |                 | 
    |      +--------------------------+ 
    |               |
    +---------------+



The figure is quite simple. SSS... is the shellcode and xxxx is the overwritten return address (EIP) of a buffer. It 
contains the address of the "JMP ESP" instruction located somewhere in the process space (memory); in our case it is located 
in the msvcrt.dll memory space at xxxx. 

When the buffer is fed to the program it will happily run without any error message, since the return address is valid 
(it contains a "JMP ESP" or equivalent instruction). This instruction immediately jumps to the current pointer of ESP; 
in our case the next ESP after xxxx is "SSSS...". This is the shellcode, where we had placed the exploit code: something 
interesting, might be a worm or simple funny stuff.


npguy
01security.com
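
An added illustration of the mechanics the reply describes (written for this archive page, not code from npguy or anyone else in the thread): a C program that inspects its own stack frame to show where the return-address slot sits relative to a local buffer, and where the stack pointer ends up once `ret` has popped that slot, which is exactly the spot a `jmp esp` would land on. It assumes the GCC/Clang builtins `__builtin_frame_address` and `__builtin_return_address` and the usual frame-pointer layout on x86-64 (saved frame pointer at the frame address, return address one word above it); the struct and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread. Snapshot of one function's frame,
   taken with compiler builtins. Assumes x86-64 (or any target where the
   frame pointer points at the saved frame pointer and the return address
   is stored one machine word above it). */
struct frame_view {
    uintptr_t buf_start;       /* lowest address of the local buffer           */
    uintptr_t buf_end;         /* one past the buffer's last byte              */
    uintptr_t saved_fp_slot;   /* where the caller's frame pointer was saved   */
    uintptr_t ret_slot;        /* where this function's return address lives   */
    uintptr_t sp_after_ret;    /* stack pointer value right after `ret` pops   */
    int       ret_slot_valid;  /* 1 if ret_slot really holds our return addr   */
    int       buf_below_ret;   /* 1 if the buffer sits below the return slot   */
};

/* noinline: the frame and return address must belong to this function. */
__attribute__((noinline))
struct frame_view inspect_frame(void)
{
    char buf[32];                                    /* the "aaaa..." local  */
    struct frame_view v;
    char *fp  = (char *)__builtin_frame_address(0);  /* -> saved frame ptr   */
    void *ret = __builtin_return_address(0);         /* what the slot holds  */

    memset(buf, 'A', sizeof buf);                    /* touch it so it exists */

    v.buf_start     = (uintptr_t)buf;
    v.buf_end       = (uintptr_t)buf + sizeof buf;
    v.saved_fp_slot = (uintptr_t)fp;
    v.ret_slot      = (uintptr_t)fp + sizeof(void *);
    /* `ret` pops one word, so the stack pointer moves just past the slot:
       this is the "next index of our buffer" the reply talks about. */
    v.sp_after_ret  = v.ret_slot + sizeof(void *);
    /* Verify the layout assumption instead of trusting it. */
    v.ret_slot_valid = (*(void **)(fp + sizeof(void *)) == ret);
    v.buf_below_ret  = (v.buf_end <= v.ret_slot);
    return v;
}

int main(void)
{
    struct frame_view v = inspect_frame();
    printf("buffer        : %#lx .. %#lx\n",
           (unsigned long)v.buf_start, (unsigned long)v.buf_end);
    printf("saved fp slot : %#lx\n", (unsigned long)v.saved_fp_slot);
    printf("ret addr slot : %#lx (%s)\n", (unsigned long)v.ret_slot,
           v.ret_slot_valid ? "verified" : "unexpected layout");
    printf("SP after ret  : %#lx\n", (unsigned long)v.sp_after_ret);
    printf("buffer below return slot: %s\n", v.buf_below_ret ? "yes" : "no");
    return 0;
}
```

Build it with `gcc -O0 -fno-stack-protector` to see the classic layout the figure relies on, then rebuild with `-fstack-protector-all`: the canary the compiler inserts between `buf` and the saved frame pointer is checked before `ret` executes, so an overwrite of the kind the thread describes aborts the process before any `jmp esp` can run. ASLR additionally randomizes where libraries such as msvcrt.dll are loaded, which is why a fixed `xxxx` trampoline address is not stable on current systems.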

----- Original Message -----
From: <luck___ () hotmail com>
Date: 29 Mar 2004 20:00:56 -0000
To: vuln-dev () securityfocus com
Subject: Buffer Overflows



Hi, hope someone could help me with a question I have. Why do many buffer overflow exploits use the %esp before the 
program has run as the return address? If I'm not wrong then the idea is to return into the buffer, but the %esp before 
the program is run becomes %ebp during program execution, and this is after the buffer in the stack? Would it not be 
better to return to (%esp before) - (length of buffer), which should place you at the start of the buffer, assuming 
the buffer is the first local variable to be declared (stack grows to lower addresses)? This is really confusing me after 
I thought I had got my head round it. 

Many Thanks


