[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Buffer Overflows



On 29 Mar 2004 20:00:56 -0000
<luck___@xxxxxxxxxxx> wrote:


> Hi hope  someone could help me with  a question I have.  Why do many
>buffer overflow exploits  use the %esp before the  program has run as
>the return address?  If im not wrong then the idea  is to return into
>the buffer but the %esp before the program is run becomes %ebp during
>program execution and this is after the buffer in the stack? Would it
>not be better  to return to (%esp before) -  (length of buffer) which
>should place  you at the start  of the buffer assuming  buffer is the
>first local variable to be  declared (stack grows to lower addresses)
>This is really  confusing me after I thought I had  got my head round
>it.

I think  this is one  of the things  which can lead to  confusion. For
understanding it, you need some details about OSs.

Think about  this. When you  run your exploit, you're  evaluating %esp
value  in  the  exploit.  But  soon  after  this  you're  running  the
vulnerable program using that value as it was the real return address.
 
The question is : how is  that %esp value related to the stack pointer
in  the code  you're trying  to exploit?  The answer  is  that they're
related in no way! But the reason why you do it this way exists.

Think about a generic OS which implements virtual memory (anyone do it
nowadays). Just to be more  concrete, consider Linux. Linux, just like
any other operating  system, defines a precise layout  for the virtual
process address space. In particular,  Linux defines for the user mode
stack a  virtual memory area (VMA) flagged  VMA_GROWSDOWN which starts
at  virtual  address 0xbfffffff  and  grows  towards lower  addresses.
Every program  you run has this  virtual address space  layout. Try to
take a look at /proc/X/maps (choose X as you like between the existing
PIDs) for realizing it.

Well,  when you  get your  %esp value  in the  exploit,  you're simply
saying "I know where I could be since the %esp value is always located
near this  value". But you don't  really know how far  you're from the
address  you need.   The 'offset'  used  in almost  all exploits  just
addresses this  need. So  what you  get in your  exploit is  simply an
estimation. The  offset will "tune"  your return address  thus letting
you exploit the vulnerable code.

Regards.


--

Angelo Dell'Aera 'buffer' 
Antifork Research, Inc.	  	http://buffer.antifork.org

PGP information in e-mail header




Attachment: pgpFMmW0CxUlo.pgp
Description: PGP signature