Vulnerability Development mailing list archives

[Fwd: RE: the possibility of jumping back to code in an exploited program]


From: Jonathon Giffin <giffin () cs wisc edu>
Date: Thu, 16 Jun 2005 10:16:11 -0500

Jonas Yorg wrote:
So I heard somewhere once that supposedly a buffer-overflowing program
can jump back into the code it's exploiting in order to call some
system call (after setting up the appropriate stack/register
environment, I would suppose). I think that whoever I read or heard that
from was maybe thinking of return-to-libc type exploits, where you jump to
some libc wrapper for a system call.  Anyway, my question is this (for
both Linux and Windows, but mainly Linux for now): is it possible to
directly jump back to code in the program you exploited?

Yes. If you're willing to read an academic research paper, this has exactly what you seem to be looking for:

Automating Mimicry Attacks Using Static Binary Analysis
Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, and Giovanni Vigna
In Proceedings of the 14th Usenix Security Symposium. August 2005.
http://www.auto.tuwien.ac.at/~chris/research/doc/usenix05_attack.pdf

Attacks described in the paper execute all system calls from application code, not from injected code, to evade intrusion detection systems that verify the origin of system calls. The paper also explains how the attacker can regain control after calling into the application to execute a system call.

I am not affiliated with these authors; I just think it's nice work.

Jon
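The detection model that the reply refers to, as an added example that is not part of the thread or of the paper it cites: a monitored write(2) that only accepts the call when the code issuing it lies in the main program's text segment, which is exactly the check a mimicry attack defeats by routing the call through one of the application's own wrapper functions. The code assumes a Linux/GNU toolchain (gcc or clang with the GNU or LLVM linker), whose linker provides the `__executable_start` and `etext` symbols delimiting the program's text; the function names `origin_is_app_text`, `guarded_write` and `app_log_write` are this example's own, not anything from the paper.

```c
/* Added example: a minimal "system-call origin" check of the kind the
 * reply says mimicry attacks evade. Not code from the thread or the paper.
 * Assumes a Linux/GNU toolchain, whose linker provides __executable_start
 * and etext, the bounds of the main executable's text segment. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Linker-provided symbols: [__executable_start, etext) is the code of the
 * main program (relocated at load time, so this also holds for PIE). */
extern char __executable_start[];
extern char etext[];

/* Policy: a system call is legitimate only if the code that issued it lies
 * inside the application's own text segment. Returns 1 if `origin` is in
 * that segment, 0 otherwise (heap, stack, mmap'd buffers all fail). */
int origin_is_app_text(const void *origin)
{
    const char *p = (const char *)origin;
    return p >= __executable_start && p < etext;
}

/* Monitored write(2): refuses the call with EPERM unless the immediate
 * caller sits in application text. This models an IDS that inspects only
 * the return address of the frame that invoked the system call. */
__attribute__((noinline))
ssize_t guarded_write(int fd, const void *buf, size_t len)
{
    const void *caller = __builtin_return_address(0);
    if (!origin_is_app_text(caller)) {
        errno = EPERM;
        return -1;
    }
    return write(fd, buf, len);
}

/* The application's own helper around write(2). Because this function is
 * part of the program's text, every system call it issues passes the
 * check above regardless of who transferred control here: injected code
 * that returns into app_log_write instead of calling write directly (the
 * mimicry technique the reply describes) looks identical to the program's
 * normal use of this function. Only a check that walks the whole call
 * stack, or that validates the return address into app_log_write, would
 * notice the difference. */
__attribute__((noinline))
ssize_t app_log_write(int fd, const char *msg)
{
    return guarded_write(fd, msg, strlen(msg));
}

int main(void)
{
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0)
        return 1;

    /* Legitimate path: the caller of guarded_write is app_log_write, which
     * is in the text segment, so the 16-byte write goes through. */
    ssize_t n = app_log_write(fd, "audit: login ok\n");

    /* What the same policy says about other origins: heap and stack, where
     * injected code would live, are outside the text segment. */
    char *heap = malloc(16);
    int stack_var = 0;
    int heap_ok = origin_is_app_text(heap);
    int stack_ok = origin_is_app_text(&stack_var);
    int text_ok = origin_is_app_text((const void *)(uintptr_t)app_log_write);

    free(heap);
    close(fd);
    return (n == 16 && text_ok && !heap_ok && !stack_ok) ? 0 : 1;
}
```

Compile with `gcc -O2 -Wall origin_check.c -o origin_check` and run; the exit status is 0 when the text-segment origin is accepted and the heap and stack origins are rejected. The limitation the example is built around is the one the cited paper exploits: an attacker who never issues the system call from injected code, but instead arranges the stack so that control returns into `app_log_write` (or any other function of the program that reaches the wrapper), is never seen by a check of the immediate origin.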
