Re: Buffer Overflows
From: Angelo Dell'Aera (buffer@antifork.org)
Date: Mon Apr 05 2004 - 10:18:56 CDT
On 29 Mar 2004 20:00:56 -0000 <luck___@hotmail.com> wrote:
> Hi, hope someone could help me with a question I have. Why do many
> buffer overflow exploits use the %esp before the program has run as
> the return address? If I'm not wrong, then the idea is to return into
> the buffer, but the %esp before the program is run becomes %ebp during
> program execution, and this is after the buffer in the stack? Would it
> not be better to return to (%esp before) - (length of buffer), which
> should place you at the start of the buffer, assuming buffer is the
> first local variable to be declared (stack grows to lower addresses)?
> This is really confusing me after I thought I had got my head round
> it.
I think this is one of the things which can lead to confusion. To
understand it, you need some details about OSs.
Think about this. When you run your exploit, you're evaluating the %esp
value in the exploit. But soon after this you're running the
vulnerable program using that value as if it were the real return address.
The question is: how is that %esp value related to the stack pointer
in the code you're trying to exploit? The answer is that they're
related in no way! But there is a reason why you do it this way.
Think about a generic OS which implements virtual memory (everyone does
nowadays). Just to be more concrete, consider Linux. Linux, just like
any other operating system, defines a precise layout for the virtual
process address space. In particular, Linux defines for the user mode
stack a virtual memory area (VMA) flagged VMA_GROWSDOWN which starts
at virtual address 0xbfffffff and grows towards lower addresses.
Every program you run has this virtual address space layout. Try to
take a look at /proc/X/maps (choose X as you like among the existing
PIDs) to see it.
Well, when you get your %esp value in the exploit, you're simply
saying "I know where I could be, since the %esp value is always located
near this value". But you don't really know how far you are from the
address you need. The 'offset' used in almost all exploits just
addresses this need. So what you get in your exploit is simply an
estimation. The offset will "tune" your return address, thus letting
you exploit the vulnerable code.
Regards.
--
Angelo Dell'Aera 'buffer'
Antifork Research, Inc. http://buffer.antifork.org
PGP information in e-mail header
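Added example, not code from the original post: the Python below parses /proc/X/maps lines as the reply suggests, finds the VMA the kernel labels [stack], and checks whether it still ends at the fixed 0xbfffffff top that the %esp estimate relies on, or moves between two runs of the same binary (which is what stack randomization does to that estimate). The maps snapshots are constructed, not captured from a real system.

```python
import re
from dataclasses import dataclass

# Classic (pre-ASLR) 32-bit Linux layout the post describes: the user stack
# VMA grows down from 0xbfffffff, so its end address in maps is 0xc0000000.
CLASSIC_STACK_END = 0xC0000000

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


@dataclass
class Vma:
    start: int
    end: int
    perms: str
    name: str


def parse_maps(text: str) -> list:
    """Parse the text of /proc/<pid>/maps into VMA records; unparseable lines are skipped."""
    vmas = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            vmas.append(Vma(int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4).strip()))
    return vmas


def stack_vma(vmas: list):
    """Return the VMA the kernel labels [stack], or None if there is none."""
    return next((v for v in vmas if v.name == "[stack]"), None)


def in_stack(vmas: list, addr: int) -> bool:
    """True if addr lies inside the stack VMA (the end address is exclusive)."""
    s = stack_vma(vmas)
    return s is not None and s.start <= addr < s.end


def stack_is_fixed(vmas: list) -> bool:
    """True if the stack still ends at the classic fixed top the post's estimate depends on."""
    s = stack_vma(vmas)
    return s is not None and s.end == CLASSIC_STACK_END


def stack_randomized(maps_a: str, maps_b: str) -> bool:
    """Two runs of the same binary with different stack bounds: the stack base is randomized."""
    a, b = stack_vma(parse_maps(maps_a)), stack_vma(parse_maps(maps_b))
    return a is not None and b is not None and (a.start, a.end) != (b.start, b.end)


# Constructed sample snapshots (hypothetical process /tmp/prog), not captured from a real system.
CLASSIC_MAPS = "08048000-08049000 r-xp 00000000 03:01 12345 /tmp/prog\nbfffe000-c0000000 rwxp 00000000 00:00 0 [stack]\n"
RANDOM_RUN1 = "08048000-08049000 r-xp 00000000 03:01 12345 /tmp/prog\nbf8a2000-bf8b7000 rw-p 00000000 00:00 0 [stack]\n"
RANDOM_RUN2 = "08048000-08049000 r-xp 00000000 03:01 12345 /tmp/prog\nbfd11000-bfd26000 rw-p 00000000 00:00 0 [stack]\n"
```

On a live Linux box, feeding `open("/proc/self/maps").read()` from two separate runs into `stack_randomized` shows whether the fixed-top assumption the post relies on still holds there.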